Re: [dnsext] draft-mohan-dns-query-xml-00.txt
Ted Hardie <ted.ietf@gmail.com> Mon, 03 October 2011 20:22 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com
(Postfix) with ESMTP id 5883421F8DB5; Mon, 3 Oct 2011 13:22:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
t=1317673349; bh=nElUxfstoGHwekCRBJW2fjXQR1AE3tRU/9DvfsvjPYc=;
h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:
List-Subscribe:Content-Type:Sender;
b=P3yLFqEA9mCHqqnsMrLlieu4Rp/fcHOD4lDLvbPYx1oxIk23dB0qJr53+BAqXDvk1
YCxWotGftAKq75h2dsFMYEGCgYFDd7gFvVZ6cZC6CjotEqMwBcmiTUyW+l7TIS6T8U
b6e5x5GcJJeqdDx8NDnvvYmSQPkS9YyTg4zt5Vzw=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 0FB0521F8DB5 for <dnsext@ietfa.amsl.com>;
Mon, 3 Oct 2011 13:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.505
X-Spam-Level:
X-Spam-Status: No, score=-3.505 tagged_above=-999 required=5 tests=[AWL=0.093,
BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E1i13q+mbHxi for
<dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 13:22:25 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com
[209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id A9B1921F8D4F for
<dnsext@ietf.org>; Mon, 3 Oct 2011 13:22:25 -0700 (PDT)
Received: by yxt33 with SMTP id 33so4855318yxt.31 for <dnsext@ietf.org>;
Mon, 03 Oct 2011 13:25:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:cc:content-type; bh=vzeH9dDVX3ZTnvXnJ8gUySuLzefQyCZqQaCesv1svxI=;
b=uckVYBcjFWwxa04LzQBkscLk4WD5yNoARfg0hBb9iW8rkJmUTZCVfKcZ0Hlg4qLXo9
DagLJYC3CaZTeZlrIG7Fwy5kpemsSEr3ZUiUg8XilMrrBmBO86DyTPs1YQtgI8yhFYi0
G5dCVNGwqzjNUiUu12I2J6e7F5L7ajHQOCdFM=
MIME-Version: 1.0
Received: by 10.236.127.144 with SMTP id d16mr2342327yhi.40.1317673528477;
Mon, 03 Oct 2011 13:25:28 -0700 (PDT)
Received: by 10.236.105.169 with HTTP; Mon, 3 Oct 2011 13:25:27 -0700 (PDT)
In-Reply-To: <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com>
<201110010458.26859.vixie@isc.org>
<8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com>
<201110031713.20103.vixie@isc.org>
<54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org>
<CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com>
<CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>
Date: Mon, 3 Oct 2011 13:25:27 -0700
Message-ID: <CA+9kkMDG3vpETecTHMCLdOf8SDpzum=vMC=mGBsSw5JaORMYig@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Mohan Parthasarathy <suruti94@gmail.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>,
DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>,
<mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>,
<mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============6681150518627548168=="
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Mon, Oct 3, 2011 at 12:22 PM, Mohan Parthasarathy <suruti94@gmail.com>wrote;wrote: > On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wrote: > > On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.org> > wrote: > > > > I'm also increasingly of the opinion that this should have the validation > > bits sets by default. Allowing a web site to update the local DNS cache > for > > a client system by including a reference and a DNS result for the > reference > > causes my paranoia to ratchet up a few notches. The only other defense > > against it I see is using Web results only in same-origin web contexts, > and > > that's going to be very hard to make work. > > > > I am not sure I understand this concern fully. I guess you mean that > you want to use this only with CD =1 which also implies that you want > to use only with DNSSEC . Though this is the primary use case that > this draft is trying to address, should we restrict it ? Previously, > your concern was cache poisoning of the HTTP proxies having an impact > on DNS. If we require HTTPS and POST, is this still a concern ? > > Well, I don't think you can functionally say that it can only be used with DNSSEC at the protocol level; there's always the risk that you want to use it for some zone that hasn't been signed. But I think we're going to have to strongly suggest that it should be used when DNSSEC validation can be done and, if it has not been, how to handle the results with respect to the local cache. If I am a helpful web site with the ability to do this DNS return, I could theoretically get slightly higher speed for web page loads by providing the DNS data for the component loads along with the initial return. If those can be trusted because of DNSSEC validation, using the data and storing it in the local cache for use by other applications (subject to TTL expiry etc.) should be fine. But if I cannot validate it, then I have to have some other trust model for the data. One potential model is to use (but likely not store) data with the same origin as the web server from which I got it. So if I land at financial.example.com, I use the data it gives me for nasdaq.financial.example.com and sp500.financial.example.com, but not for ftse.example.co.uk or, even worse, for social.network.com of deposit.bank.com. It's still a cache poisoning problem, but it is the local cache that might be poisoned in this worry. In the case where you are getting this from a 3rd party DNS provider which supports HTTPS transport, the trust is presumably between you and that provider. That may be the initial use case. But I'm guessing that once this is available, other uses, included blended content/DNS returns will occur. regards, Ted -mohan > > > Ted > > > > _______________________________________________ > > dnsext mailing list > > dnsext@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsext > > > > >
_______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Aki Tuomi
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Olaf Kolkman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Robert Edmonds
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Jakob Schlyter
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Patrik Fältström
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Måns Nilsson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ray Bellis
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt bmanning
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- [dnsext] Related to section 5.1 of dnssec-bis-upd… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Olafur Gudmundsson
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mohan Parthasarathy
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews