Re: [dnsext] draft-mohan-dns-query-xml-00.txt
Mark Andrews <marka@isc.org> Tue, 04 October 2011 05:21 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2419621F8F38; Mon, 3 Oct 2011 22:21:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1317705703; bh=Kl0K8cHvj/hQSXQgIG96+AKmwT2w2XPKYqaqCU2aSGw=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=JjqIh3kaKMOEZRvhDB9KtrkWTD4zjepNB0RnLwPNFtNHiNSfpZmZdAjD3Xdh9yGjB FsEx5pZ0FnuHlsxFsMQ/DThKT/1gQP5+P0PeKBCYirmJJ+a6Jh2uK65Qr+YN8cFSmi Z7y0aK8gaSkbYicSmgbiAJ6lpHY8DZ3TQrhYwc+8=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18DA521F8F37 for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 22:21:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[AWL=0.350, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X62HsuyKB3Xi for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 22:21:41 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id CDDC821F8F5C for <dnsext@ietf.org>; Mon, 3 Oct 2011 22:21:40 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id CA286C9422; Tue, 4 Oct 2011 05:24:14 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:6233:4bff:fe01:7585]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 20416216C33; Tue, 4 Oct 2011 05:24:14 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id D92451492DC2; Tue, 4 Oct 2011 16:24:09 +1100 (EST)
To: Mohan Parthasarathy <suruti94@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com> <201110031713.20103.vixie@isc.org> <54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org> <CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com> <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com> <20111004001547.7ED7C149063F@drugs.dv.isc.org> <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com> <20111004025502.504DD14924EC@drugs.dv.isc.org> <F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com> <20111004040259.324041492901@drugs.dv.isc.org> <CACU5sDnCB62cbBYW_E26fcmGuKU0+V_-BSeF=pjyvB2dyGw_Qw@mail.gmail.com>
In-reply-to: Your message of "Mon, 03 Oct 2011 21:43:53 PDT." <CACU5sDnCB62cbBYW_E26fcmGuKU0+V_-BSeF=pjyvB2dyGw_Qw@mail.gmail.com>
Date: Tue, 04 Oct 2011 16:24:09 +1100
Message-Id: <20111004052409.D92451492DC2@drugs.dv.isc.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
In message <CACU5sDnCB62cbBYW_E26fcmGuKU0+V_-BSeF=pjyvB2dyGw_Qw@mail.gmail.com>, Mohan Parthasarathy writes: > On Mon, Oct 3, 2011 at 9:02 PM, Mark Andrews <marka@isc.org> wrote: > > > > In message <F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>, Mohan writes= > : > >> > >> > >> On Oct 3, 2011, at 7:55 PM, Mark Andrews <marka@isc.org> wrote: > >> > >> > > >> > In message <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail= > .gma= > >> il.com> > >> > , Mohan Parthasarathy writes: > >> >> On Mon, Oct 3, 2011 at 5:15 PM, Mark Andrews <marka@isc.org> wrote: > >> >>> > >> >>> In message <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail= > .gma= > >> i= > >> >> l.com>, Mohan Parthasarathy writes: > >> >>>> On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wr= > ote:= > >> > >> >>>>> On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.o= > rg> = > >> 3D= > >> > >> >> wro= > >> >>>> te: > >> >>>>>> > >> >>>>>> +1. The slight increase in programming difficulty of using POST v= > s. G= > >> = > >> >> ET > >> >>>>>> buys you a huge amount of flexibility in queries. It's not just a= > bout= > >> > >> >>>>>> cache-prevention. > >> >>>>>> > >> >>>>> > >> >>>>> All silver linings have their clouds... The only unfortunate th= > = > >> in= > >> >> g abo= > >> >>>> ut > >> >>>>> POST, in my view, is that the flexibility can trend you away from > >> >>>>> interoperability as people add and change things at different= > = > >> = > >> 3DA= > >> >> 0 speed= > >> >>>> s at > >> >>>>> different hosts. If you want standard behavior the descending l= > = > >> is= > >> >> t goe= > >> >>>> s: > >> >>>>> New Method, GET, POST, at least in my view. > >> >>>>> > >> >>>>> Since new methods are notoriously hard to get deployed, POST seems= > lik= > >> = > >> >> e t= > >> >>>> he > >> >>>>> best choice if you want something that can handle any DNS operatio= > n.= > >> = > >> > >> >> I= > >> >>>> f it > >> >>>>> is meant to be only retrieval, then I would personally say that ke= > epin= > >> = > >> >> g it > >> >>>>> within GET is the best choice. > >> >>>>> > >> >>>>> I'm also increasingly of the opinion that this should have the val= > idat= > >> = > >> >> ion > >> >>>>> bits sets by default. Allowing a web site to update the local D= > = > >> NS= > >> >> cach= > >> >>>> e for > >> >>>>> a client system by including a reference and a DNS result for the = > refe= > >> = > >> >> ren= > >> >>>> ce > >> >>>>> causes my paranoia to ratchet up a few notches. The only other = > d > >> = > >> e= > >> >> fense > >> >>>>> against it I see is using Web results only in same-origin web cont= > exts= > >> = > >> >> , a= > >> >>>> nd > >> >>>>> that's going to be very hard to make work. > >> >>>>> > >> >>>> > >> >>>> I am not sure I understand this concern fully. I guess you mean tha= > t > >> >>>> you want to use this only with CD =1 which also implies that you = > w > >> = > >> an= > >> >> t > >> >>>> to use only with DNSSEC . Though this is the primary use case that > >> >>>> this draft is trying to address, should we restrict it ? Previously= > , > >> >>>> your concern was cache poisoning of the HTTP proxies having an impa= > ct > >> >>>> on DNS. If we require HTTPS and POST, is this still a concern ? > >> >>> > >> >>> DO=1 implies DNSSEC. Stubs/forwarders SHOULD NOT set CD=1. = > = > >> 3D= > >> A0The > >> >>> upstream validator needs to filter out the spoofed responses > >> >>> on behalf of the stub/forwarder. > >> >>> > >> >>> Also it is just a "DNS message". UDP/TCP/HTTP/HTTPS is just the > >> >>> transport for the DNS message. > >> >>> > >> >> > >> >> If a validating stub resolver can set CD = 1 for UDP/TCP why not fo= > r > >> >> HTTP or HTTPS ? > >> > > >> > A validating stub resolver really doesn't want to set CD=1, by > >> > default. If it gets SERVFAIL back to a CD=0 query then resending > >> > with CD=1, may help if the SERVFAIL was a validation failure caused > >> > by a bad clock on the recursive server / out of date trust anchors. > >> > A stub resolver *needs* the upstream server to weed out the bogus > >> > responses due to spoofing or, more likely, operational stuff ups > >> > and only pass through those that pass validation. Remember a stub > >> > >> Why does a validating stub resolver care? > > > > Say example.com is served by a DNSSEC aware authoritative server > > (D) and a DNSSEC unaware authoritative server (P). The stub resolver > > Isn't this a broken configuration ? Why do we end up with this configuratio= > n ? Because people make mistakes. I've definitely seen this sort of configuration error. Remember this misconfiguration is indistigishable from a spoof attack. Validators are expected to cope with spoof attacks. They are not expected to cope with MITM attacks other than to reject the bogus answers. > > asks for www.example.com/DO=1/CD=1. The validating recurive server > > get a answer from P (without DNSSEC records) and passes it on. > > Validation fails. The stub resolver asks for www.example.com/DO=1/CD= > =1 > > again and it gets the same answer (from thout DNSSEC records) the > > CD=1 cache and again fails. Rince, lather, repeat. > > > > Now if the stub asks for www.example.com/DO=1/CD=0 the validating > > resolver will reject any answers from P and only pass on answers > > from D (with DNSSEC record) which should then validate. > > So, this is a validating resolver, sets CD=0 (ignoring what is said in > RFC 4035), gets the "proper" responses, ignores the AD bit, > validates the responses. Is this discussed in any document ? No, its not ignoring what is said in RFC 4035, CD=1 is a SHOULD (4.9.2). In this case I'm recommending that defaulting to CD=0 as the default is what should be done and falling back to CD=1 in SERVFAIL is what should be done. AD should be ignored by a validating stub resolver. It's for stubs that trust the resolver, not stubs that validate. As for whether this is documented anywhere, apart from the archive of this list and dns/dnssec lists I doubt it. I've definitely mentioned this before. Mike St John's discussion of CD/DO setting is similar in nature if I'm remembering it correctly. Remember when RFC 4035 was written there was very little experience with validating stub resolvers. There still isn't much but defaulting to CD=1 is clearly wrong. Making stub validating resolvers work well may still require more work or what we have may be "good enough". > > Now if the recursive server doesn't validate or it validates as > > insecure you are left with first senario hoping that you are getting > > answers from the DNSSEC aware authoritative server. > > > > What would help would be a EDNS option to send to the recursive > > server the closest trust anchor(s) and current time so that it can > > validate responses in a consistant manner to the stub resolver. > > This seems complex to me. Perhaps, the operational document should say > that a dnssec signed zone should be served only by dnssec aware > authoritative servers. If there is still an operational error, the > validating resolver should just give up. For example, if i set > DO=1/CD=1 and there are no RRSIGS, then abort and declare insecure. Except you can't do that most of the time because there could be a zone cut that makes that name insecure. Mark > -mohan > > > Mark > > > >> If there was spoofing or other problems, it can find out itself. > >> It is much easier to set CD=1 always. > >> > >> -mohan > > -- > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 =A0 =A0 =A0 =A0 =A0 =A0 =A0 INTERNET: marka@is= > c.org > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Jakob Schlyter
- [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Aki Tuomi
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Olaf Kolkman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Robert Edmonds
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Patrik Fältström
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Måns Nilsson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ray Bellis
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt bmanning
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- [dnsext] Related to section 5.1 of dnssec-bis-upd… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Olafur Gudmundsson
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mohan Parthasarathy
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews