Re: [dnsext] draft-mohan-dns-query-xml-00.txt
Mark Andrews <marka@isc.org> Tue, 04 October 2011 04:00 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com
(Postfix) with ESMTP id CD54221F8EA0; Mon, 3 Oct 2011 21:00:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
t=1317700819; bh=lNhBSKLy82ikdg5Q3rLuXFVtBXiEmV4KgNwCVx7GpW0=;
h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
MIME-Version:Content-Type:Content-Transfer-Encoding:Sender;
b=UpMKsXP//xtL9d3ANfUwkR99Cb9gl8Gv26W2NknMOZO3ZPUCMVW6B3nvUNWeIbEWW
Y8EE+cjXDuy6IRiWRYwTG831rMCiyqYVFhTN0Et2Ig40dBcz/FBHGYskYDgHbA54BG
NVrck0Juq12xdObE2CcUal/BbAtRvNWiGUpHosyo=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id D1F5521F8EA0 for <dnsext@ietfa.amsl.com>;
Mon, 3 Oct 2011 21:00:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[AWL=0.850,
BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NhKrsyaW-m-T for
<dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 21:00:18 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by
ietfa.amsl.com (Postfix) with ESMTP id C3F2921F8E82 for <dnsext@ietf.org>;
Mon, 3 Oct 2011 21:00:17 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19])
(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN
"bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org
(Postfix) with ESMTPS id 6D5F8C94A6;
Tue, 4 Oct 2011 04:03:02 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown
[IPv6:2001:470:1f00:820:6233:4bff:fe01:7585]) (using TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by
bikeshed.isc.org (Postfix) with ESMTPSA id EFA67216C56;
Tue, 4 Oct 2011 04:03:01 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org
(Postfix) with ESMTP id 324041492901; Tue, 4 Oct 2011 15:02:59 +1100 (EST)
To: Mohan <suruti94@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com>
<201110010458.26859.vixie@isc.org>
<8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com>
<201110031713.20103.vixie@isc.org>
<54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org>
<CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com>
<CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>
<20111004001547.7ED7C149063F@drugs.dv.isc.org>
<CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com>
<20111004025502.504DD14924EC@drugs.dv.isc.org>
<F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>
In-reply-to: Your message of "Mon, 03 Oct 2011 20:17:48 PDT."
<F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>
Date: Tue, 04 Oct 2011 15:02:59 +1100
Message-Id: <20111004040259.324041492901@drugs.dv.isc.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>,
DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>,
<mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>,
<mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
In message <F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>om>, Mohan writes: > > > On Oct 3, 2011, at 7:55 PM, Mark Andrews <marka@isc.org> wrote: > > > > > In message <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gma= > il.com> > > , Mohan Parthasarathy writes: > >> On Mon, Oct 3, 2011 at 5:15 PM, Mark Andrews <marka@isc.org> wrote: > >>> > >>> In message <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gma= > i= > >> l.com>, Mohan Parthasarathy writes: > >>>> On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wrote:= > > >>>>> On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.org> = > 3D= > > >> wro= > >>>> te: > >>>>>> > >>>>>> +1. The slight increase in programming difficulty of using POST vs. G= > = > >> ET > >>>>>> buys you a huge amount of flexibility in queries. It's not just about= > > >>>>>> cache-prevention. > >>>>>> > >>>>> > >>>>> All silver linings have their clouds... The only unfortunate th= > in= > >> g abo= > >>>> ut > >>>>> POST, in my view, is that the flexibility can trend you away from > >>>>> interoperability as people add and change things at different= > = > 3DA= > >> 0 speed= > >>>> s at > >>>>> different hosts. If you want standard behavior the descending l= > is= > >> t goe= > >>>> s: > >>>>> New Method, GET, POST, at least in my view. > >>>>> > >>>>> Since new methods are notoriously hard to get deployed, POST seems lik= > = > >> e t= > >>>> he > >>>>> best choice if you want something that can handle any DNS operation.= > = > > >> I= > >>>> f it > >>>>> is meant to be only retrieval, then I would personally say that keepin= > = > >> g it > >>>>> within GET is the best choice. > >>>>> > >>>>> I'm also increasingly of the opinion that this should have the validat= > = > >> ion > >>>>> bits sets by default. Allowing a web site to update the local D= > NS= > >> cach= > >>>> e for > >>>>> a client system by including a reference and a DNS result for the refe= > = > >> ren= > >>>> ce > >>>>> causes my paranoia to ratchet up a few notches. The only other d > = > e= > >> fense > >>>>> against it I see is using Web results only in same-origin web contexts= > = > >> , a= > >>>> nd > >>>>> that's going to be very hard to make work. > >>>>> > >>>> > >>>> I am not sure I understand this concern fully. I guess you mean that > >>>> you want to use this only with CD =1 which also implies that you w > = > an= > >> t > >>>> to use only with DNSSEC . Though this is the primary use case that > >>>> this draft is trying to address, should we restrict it ? Previously, > >>>> your concern was cache poisoning of the HTTP proxies having an impact > >>>> on DNS. If we require HTTPS and POST, is this still a concern ? > >>> > >>> DO=1 implies DNSSEC. Stubs/forwarders SHOULD NOT set CD=1. = > 3D= > A0The > >>> upstream validator needs to filter out the spoofed responses > >>> on behalf of the stub/forwarder. > >>> > >>> Also it is just a "DNS message". UDP/TCP/HTTP/HTTPS is just the > >>> transport for the DNS message. > >>> > >> > >> If a validating stub resolver can set CD = 1 for UDP/TCP why not for > >> HTTP or HTTPS ? > > > > A validating stub resolver really doesn't want to set CD=1, by > > default. If it gets SERVFAIL back to a CD=0 query then resending > > with CD=1, may help if the SERVFAIL was a validation failure caused > > by a bad clock on the recursive server / out of date trust anchors. > > A stub resolver *needs* the upstream server to weed out the bogus > > responses due to spoofing or, more likely, operational stuff ups > > and only pass through those that pass validation. Remember a stub > > Why does a validating stub resolver care? Say example.com is served by a DNSSEC aware authoritative server (D) and a DNSSEC unaware authoritative server (P). The stub resolver asks for www.example.com/DO=1/CD=1. The validating recurive server get a answer from P (without DNSSEC records) and passes it on. Validation fails. The stub resolver asks for www.example.com/DO=1/CD=1 again and it gets the same answer (from thout DNSSEC records) the CD=1 cache and again fails. Rince, lather, repeat. Now if the stub asks for www.example.com/DO=1/CD=0 the validating resolver will reject any answers from P and only pass on answers from D (with DNSSEC record) which should then validate. Now if the recursive server doesn't validate or it validates as insecure you are left with first senario hoping that you are getting answers from the DNSSEC aware authoritative server. What would help would be a EDNS option to send to the recursive server the closest trust anchor(s) and current time so that it can validate responses in a consistant manner to the stub resolver. Mark > If there was spoofing or other problems, it can find out itself. > It is much easier to set CD=1 always. > > -mohan -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Aki Tuomi
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Olaf Kolkman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Robert Edmonds
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Jakob Schlyter
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Patrik Fältström
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Måns Nilsson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ray Bellis
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt bmanning
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- [dnsext] Related to section 5.1 of dnssec-bis-upd… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Olafur Gudmundsson
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mohan Parthasarathy
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews