IETF Logo Mail Archive

Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Mark Andrews <marka@isc.org> Tue, 04 October 2011 04:00 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD54221F8EA0; Mon, 3 Oct 2011 21:00:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1317700819; bh=lNhBSKLy82ikdg5Q3rLuXFVtBXiEmV4KgNwCVx7GpW0=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=UpMKsXP//xtL9d3ANfUwkR99Cb9gl8Gv26W2NknMOZO3ZPUCMVW6B3nvUNWeIbEWW Y8EE+cjXDuy6IRiWRYwTG831rMCiyqYVFhTN0Et2Ig40dBcz/FBHGYskYDgHbA54BG NVrck0Juq12xdObE2CcUal/BbAtRvNWiGUpHosyo=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1F5521F8EA0 for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 21:00:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[AWL=0.850, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NhKrsyaW-m-T for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 21:00:18 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id C3F2921F8E82 for <dnsext@ietf.org>; Mon, 3 Oct 2011 21:00:17 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 6D5F8C94A6; Tue, 4 Oct 2011 04:03:02 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:6233:4bff:fe01:7585]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id EFA67216C56; Tue, 4 Oct 2011 04:03:01 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 324041492901; Tue, 4 Oct 2011 15:02:59 +1100 (EST)
To: Mohan <suruti94@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com> <201110031713.20103.vixie@isc.org> <54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org> <CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com> <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com> <20111004001547.7ED7C149063F@drugs.dv.isc.org> <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com> <20111004025502.504DD14924EC@drugs.dv.isc.org> <F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>
In-reply-to: Your message of "Mon, 03 Oct 2011 20:17:48 PDT." <F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>
Date: Tue, 04 Oct 2011 15:02:59 +1100
Message-Id: <20111004040259.324041492901@drugs.dv.isc.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

In message <F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>om>, Mohan writes:
> 
> 
> On Oct 3, 2011, at 7:55 PM, Mark Andrews <marka@isc.org> wrote:
> 
> > 
> > In message <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gma=
> il.com>
> > , Mohan Parthasarathy writes:
> >> On Mon, Oct 3, 2011 at 5:15 PM, Mark Andrews <marka@isc.org> wrote:
> >>> 
> >>> In message <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gma=
> i=
> >> l.com>, Mohan Parthasarathy writes:
> >>>> On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wrote:=
> 
> >>>>> On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.org> =
> 3D=
> 
> >> wro=
> >>>> te:
> >>>>>> 
> >>>>>> +1. The slight increase in programming difficulty of using POST vs. G=
> =
> >> ET
> >>>>>> buys you a huge amount of flexibility in queries. It's not just about=
> 
> >>>>>> cache-prevention.
> >>>>>> 
> >>>>> 
> >>>>> All silver linings have their clouds...  The only unfortunate th=
> in=
> >> g abo=
> >>>> ut
> >>>>> POST, in my view, is that the flexibility can trend you away from
> >>>>> interoperability as people add and change things at  different=
> =
> 3DA=
> >> 0 speed=
> >>>> s at
> >>>>> different hosts.  If you want standard behavior the descending l=
> is=
> >> t goe=
> >>>> s:
> >>>>> New Method, GET, POST, at least in my view.
> >>>>> 
> >>>>> Since new methods are notoriously hard to get deployed, POST seems lik=
> =
> >> e t=
> >>>> he
> >>>>> best choice if you want something that can handle any DNS operation.=
> =
> 
> >>   I=
> >>>> f it
> >>>>> is meant to be only retrieval, then I would personally say that keepin=
> =
> >> g it
> >>>>> within GET is the best choice.
> >>>>> 
> >>>>> I'm also increasingly of the opinion that this should have the validat=
> =
> >> ion
> >>>>> bits sets by default.  Allowing a web site to update the local D=
> NS=
> >> cach=
> >>>> e for
> >>>>> a client system by including a reference and a DNS result for the refe=
> =
> >> ren=
> >>>> ce
> >>>>> causes my paranoia to ratchet up a few notches.  The only other d
> =
> e=
> >> fense
> >>>>> against it I see is using Web results only in same-origin web contexts=
> =
> >> , a=
> >>>> nd
> >>>>> that's going to be very hard to make work.
> >>>>> 
> >>>> 
> >>>> I am not sure I understand this concern fully. I guess you mean that
> >>>> you want to use this only with CD =1 which also implies that you w
> =
> an=
> >> t
> >>>> to use only with DNSSEC . Though this is the primary use case that
> >>>> this draft is trying to address, should we restrict it ? Previously,
> >>>> your concern was cache poisoning of the HTTP proxies having an impact
> >>>> on DNS. If we require HTTPS and POST, is this still a concern ?
> >>> 
> >>> DO=1 implies DNSSEC.  Stubs/forwarders SHOULD NOT set CD=1. =
> 3D=
> A0The
> >>> upstream validator needs to filter out the spoofed responses
> >>> on behalf of the stub/forwarder.
> >>> 
> >>> Also it is just a "DNS message". UDP/TCP/HTTP/HTTPS is just the
> >>> transport for the DNS message.
> >>> 
> >> 
> >> If a validating stub resolver can set CD = 1 for UDP/TCP why not for
> >> HTTP or HTTPS ?
> > 
> > A validating stub resolver really doesn't want to set CD=1, by
> > default.  If it gets SERVFAIL back to a CD=0 query then resending
> > with CD=1, may help if the SERVFAIL was a validation failure caused
> > by a bad clock on the recursive server / out of date trust anchors.
> > A stub resolver *needs* the upstream server to weed out the bogus
> > responses due to spoofing or, more likely, operational stuff ups
> > and only pass through those that pass validation.  Remember a stub
> 
> Why does a validating stub resolver care?

Say example.com is served by a DNSSEC aware authoritative server
(D) and a DNSSEC unaware authoritative server (P).  The stub resolver
asks for www.example.com/DO=1/CD=1.  The validating recurive server
get a answer from P (without DNSSEC records) and passes it on.
Validation fails.  The stub resolver asks for www.example.com/DO=1/CD=1
again and it gets the same answer (from thout DNSSEC records) the
CD=1 cache and again fails.  Rince, lather, repeat.

Now if the stub asks for www.example.com/DO=1/CD=0 the validating
resolver will reject any answers from P and only pass on answers
from D (with DNSSEC record) which should then validate.

Now if the recursive server doesn't validate or it validates as
insecure you are left with first senario hoping that you are getting
answers from the DNSSEC aware authoritative server.

What would help would be a EDNS option to send to the recursive
server the closest trust anchor(s) and current time so that it can
validate responses in a consistant manner to the stub resolver.

Mark

> If there was spoofing or other problems, it can find out itself.
> It is much easier to set CD=1 always.
>
> -mohan
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.8.7 | Report a Bug | By Email