Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Mohan Parthasarathy <suruti94@gmail.com> Wed, 28 September 2011 23:45 UTC

Date: Wed, 28 Sep 2011 16:48:25 -0700
Message-ID: <CACU5sDkmovsrEup9=PzTa7edgA9Z_jQvSEF07JM7mwOAs_mYbg@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Cc: Paul Vixie <vixie@isc.org>, dnsext@ietf.org
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

On Wed, Sep 28, 2011 at 2:16 PM, Nicholas Weaver
<nweaver@icsi.berkeley.edu> wrote:
>
> On Sep 28, 2011, at 2:07 PM, Mohan Parthasarathy wrote:
>> If I want to be able to run both my web service and DNS service from
>> the same address, then I can't just run DNS alone over 80/443.
>
> Have you looked at just running normal DNS recursively from the end host, including failover to TCP when things are obviously breaking?
>
> We don't have ALL the information yet (our test is not comprehensive enough), but most systems CAN do direct fetches on UDP or TCP if they must: non-functioning recursive resolvers should not be a problem for DNSSEC validation.
>

I am not sure I understand the question. If you are dependent on a
recursive server to fetch the DNSSEC records, then that server needs
to be DNSSEC aware. If you are operating in iterative mode fetching it
yourself, then it does not work in environments where firewalls
normally prohibit talking to external name servers. Which one are you
talking about? We had a lengthy discussion about the various options
in the dnssec-deployment group recently.

> In fact, for the purposes of A records, etc, just the recursive request from the end host is enough to be "close enough" to the security effect you would get from full DNSSEC validation.  (DANE or the like, where DNSSEC is used to validate key material not host->IP mappings, requires end-host validation)
>
>

Why do you assume that the draft is not applicable for the DANE use case?

-mohan
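The distinction Mohan draws (a stub that depends on a recursive server needs that server to be DNSSEC-aware) can be checked from the stub side: send a query with the EDNS0 DO bit set and look at the AD bit in the reply header. The code below is an added example, not code from the thread or from the draft; the reply headers are constructed inline so it runs offline, and the actual send over UDP/TCP is left out.

```python
import struct

# Added example (not from the thread or the draft): a stub resolver can test
# whether the recursive server it depends on is DNSSEC-aware by sending a
# query with the EDNS0 DO bit set and inspecting the AD bit in the reply.
# Reply headers below are constructed; sending over the network is left out.

DO_BIT_TTL = 0x00008000   # OPT TTL field: ext-rcode=0, version=0, DO flag set
FLAG_AD = 0x0020          # header flags: Authenticated Data
FLAG_CD = 0x0010          # header flags: Checking Disabled

def build_dnssec_query(name, qtype=1, txid=0x1234):
    """Wire-format query for `name` with RD=1 plus an EDNS0 OPT record
    (UDP payload 4096, DO=1) so the resolver returns RRSIGs if it can."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 Q, 1 AR
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)                # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT_TTL, 0)  # root name, TYPE=OPT
    return header + question + opt

def parse_flags(reply):
    """Return (txid, rcode, ad, cd) from the 12-byte DNS header of a reply."""
    txid, flags = struct.unpack("!HH", reply[:4])
    return txid, flags & 0x000F, bool(flags & FLAG_AD), bool(flags & FLAG_CD)

def classify_resolver(query, reply):
    """Map a reply to what it tells the stub about its recursive server:
    'validated'  : NOERROR with AD set, the server validated for us;
    'unvalidated': NOERROR without AD, server not validating (or zone unsigned);
    'servfail'   : RCODE 2, validation failed upstream or the server is broken;
    'mismatch'   : transaction id differs, do not trust the reply at all."""
    txid, rcode, ad, _ = parse_flags(reply)
    if txid != struct.unpack("!H", query[:2])[0]:
        return "mismatch"
    if rcode == 2:
        return "servfail"
    return "validated" if rcode == 0 and ad else "unvalidated"

def _reply(flags, txid=0x1234):
    # Constructed 12-byte reply header; a real reply carries Q/A sections too.
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)

VALIDATED_REPLY = _reply(0x81A0)    # QR|RD|RA|AD: DNSSEC-aware, validated
UNVALIDATED_REPLY = _reply(0x8180)  # QR|RD|RA, no AD: not validating for us
SERVFAIL_REPLY = _reply(0x8182)     # QR|RD|RA, RCODE=2
```

An "unvalidated" result is the case the thread is about: the stub must then either validate on its own (fetching RRSIGs and DNSKEYs itself, which firewalls may block) or find a DNSSEC-aware server it can reach.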
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext