Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Brian Dickson <brian.peter.dickson@gmail.com> Sun, 02 October 2011 01:01 UTC

Date: Sat, 1 Oct 2011 21:04:09 -0400
Message-ID: <CAH1iCiqjQSr-OHm004xV7Ex+aAswZEzBxaRcL6pNuzU4RgoJjw@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: David Conrad <drc@virtualized.org>
Cc: DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

On Sat, Oct 1, 2011 at 5:26 PM, David Conrad <drc@virtualized.org> wrote:
> On Oct 1, 2011, at 11:08 AM, Nicholas Weaver wrote:
>> Since that's likely to be the same sort of network where you can't bypass the DNS borkenness by TCP or UDP port 53, this could be a problem.
>
> This succinctly captures my ill-ease about this proposal.
>
> Pretending (in effect) HTTP{,S} is IPv7 will work until the network administrators/middlebox vendors decide they want to block/intercept that traffic. Then what?  How many levels of turtles are we willing to go down?

Including this, depending on how you count, one, or two if you treat
http and https in this proposal as two turtles instead of one.

Here's why:

Intercept precludes https (since the "s" means end-to-end TLS).
And blocking https requires some way of determining what to block, on
a destination basis alone, for the same reason. The http component is
opaque in an https connection, protected by the TLS connection.

So, in the case of the middlebox vendors or network administrators not
reacting to the use of DNS over HTTP(S), problem solved. Otherwise, it
then becomes baby+bathwater for those trying to block this, based only
on IP addresses. Name-based HTTP servers that support this (on 80 or
443) on shared infrastructure (web hosting etc.), plus popularity of
use (large numbers of sites and/or well known large sites), including
phone-home use with client-authentication by HTTPS servers, means
there will be significant benefit to this, and significant pressure to
not try to break it (at least in the HTTPS case).

Where practical to do so, e.g. for business enterprise employees away
from the office, having a server running on both 80 and 443 is ideal. If
80 works, there is low cost for doing this. If 80 does not (i.e. blocked
or mangled), 443 should. Blocking 443 on a given IP is particularly
ill-advised for hot-spot operators and hotels.

As for encoding, I definitely support wire-format over XML.

Brian
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext