Re: [dnsext] draft-bellis-dnsext-dnsproxy-00

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Mon, 03 November 2008 19:34 UTC

Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, Ray.Bellis@nominet.org.uk, namedroppers@ops.ietf.org
Message-Id: <0127DE81-27BB-4127-9DC0-2ED25DBE572B@icsi.berkeley.edu>
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
To: bert hubert <bert.hubert@netherlabs.nl>
In-Reply-To: <20081103190014.GB27149@outpost.ds9a.nl>
Subject: Re: [dnsext] draft-bellis-dnsext-dnsproxy-00
Date: Mon, 03 Nov 2008 11:30:38 -0800
References: <OFDEB3E292.34C937FA-ON802574EF.005C7131-802574EF.005D153A@nominet.org.uk> <OFCF9D79AB.6203C74E-ON802574F6.005713B9-802574F6.005724A5@nominet.org.uk> <20081103174613.GA27149@outpost.ds9a.nl> <OFF06D2D25.C41A52AD-ON802574F6.0061EC03-802574F6.006247DD@nominet.org.uk> <20081103190014.GB27149@outpost.ds9a.nl>

On Nov 3, 2008, at 11:00 AM, bert hubert wrote:
>
> That would be good - this also argues for not adding heaps of other stuff to the RFC - I think everybody would like to have his pet DNS difficulty included, but overall that would not help achieve greater compliance.

I think the most important behavior is "Get Outta the Way!"

Namely, any such device MUST not block direct access to an arbitrary remote DNS server from an end-host, with the packet payload unchanged, and SHOULD not change the UDP SRC port selected by the end-host.

There will always be cases where the policy on any in-path device is incorrect.  Therefore the most important policy that a NAT or similar device should have with regards to DNS traffic is the ability to bypass any proxying or other such manipulation.

This is, IMO, absolutely essential, because everything else can be worked around as long as the stub resolver can access whatever external resources it deems necessary.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
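The "Get Outta the Way" requirement above boils down to three things an auditor can check on a NAT or DNS proxy: the query still reaches the server the end-host addressed, the DNS payload bytes are untouched, and the UDP source port the host picked is preserved. The following is an added example, not code from this message, the draft, or any of the posters; it builds a minimal RFC 1035 query, then compares what the stub resolver sent with what was observed on the far side of the device (in practice that observation comes from a capture on the WAN interface or from a cooperating server you control; here it is constructed). The `UdpDatagram` record, the scenario names and all addresses and ports are assumptions made for the illustration.

```python
"""Audit an in-path device against the DNS pass-through rule from the thread.

Added example (not from the message or the draft).  The datagrams are
constructed inline so the check runs offline; in real use the 'observed'
side would come from a packet capture beyond the NAT/proxy.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpDatagram:
    """The parts of a UDP/DNS packet the pass-through rule cares about."""
    src_port: int   # port chosen by the end-host (SHOULD be preserved)
    dst_ip: str     # server the end-host addressed (MUST not be redirected)
    dst_port: int
    payload: bytes  # DNS message bytes (MUST be unchanged)


def build_dns_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: RFC 1035 header with RD set plus one question (IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify(sent: UdpDatagram, observed: UdpDatagram) -> list:
    """Return every way the in-path device deviated from transparent pass-through.

    An empty list means the device got out of the way, as the thread asks.
    """
    findings = []
    if (observed.dst_ip, observed.dst_port) != (sent.dst_ip, sent.dst_port):
        findings.append("redirected")          # query hijacked to another resolver
    if observed.payload != sent.payload:
        findings.append("payload-modified")    # e.g. transaction ID or EDNS rewritten
    if observed.src_port != sent.src_port:
        findings.append("src-port-rewritten")  # host's port entropy replaced by the NAT
    return findings


# Constructed sample: what the stub resolver emitted on the LAN side.
QUERY = build_dns_query(txid=0x1A2B, name="example.com")
SENT = UdpDatagram(src_port=54321, dst_ip="198.51.100.53", dst_port=53, payload=QUERY)

# Constructed observations on the WAN side for several hypothetical devices.
SCENARIOS = {
    "transparent": SENT,
    "nat-port-rewrite": UdpDatagram(1025, "198.51.100.53", 53, QUERY),
    # device silently answers/forwards via its own resolver at 192.0.2.1
    "proxy-hijack": UdpDatagram(54321, "192.0.2.1", 53, QUERY),
    # proxy that re-numbers the transaction ID before forwarding
    "txid-rewrite": UdpDatagram(54321, "198.51.100.53", 53,
                                struct.pack("!H", 0x0001) + QUERY[2:]),
}


def audit_all() -> dict:
    """Map each scenario name to its list of findings."""
    return {name: classify(SENT, obs) for name, obs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:18s} {'OK' if not findings else ', '.join(findings)}")
```

Only the `transparent` scenario comes back clean; the other three each show one of the manipulations the message says a device must be able to bypass. A port rewrite is reported separately because the draft-level wording is SHOULD rather than MUST, but it still matters to a defender: it replaces the source-port randomisation the stub resolver relies on with whatever the NAT allocates.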