Re: [dnsext] draft-mohan-dns-query-xml-00.txt

bmanning@vacation.karoshi.com Wed, 05 October 2011 15:43 UTC

Date: Wed, 05 Oct 2011 15:44:41 +0000
From: bmanning@vacation.karoshi.com
To: David Conrad <drc@virtualized.org>
Message-ID: <20111005154441.GB3823@vacation.karoshi.com.>
References: <20111004143947.205a61dff9fc1684c258b274662bb912.04bcda2f2f.wbe@email00.secureserver.net> <CAH1iCir9T0kSL=_-f_FW1jcfN3D+z5tHc18ML0L9h5Znm45vZw@mail.gmail.com> <24EEC86B-DE62-477E-8E77-1A8683803667@virtualized.org>
In-Reply-To: <24EEC86B-DE62-477E-8E77-1A8683803667@virtualized.org>
Cc: DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

On Wed, Oct 05, 2011 at 07:25:39AM -0700, David Conrad wrote:
> On Oct 4, 2011, at 3:54 PM, Brian Dickson wrote:
> > This proposal is a very lightweight and elegant (IMHO) counter-counter-measure.
> 
> Not really. It is a hack that, if implemented, will ensure there is no pressure to actually fix broken infrastructures.  Realistically:
> 
> - state-sponsored censorship will continue to occur: states have a tendency to insist on that sort of thing, with guns if necessary;
> - folks intentionally blocking working DNS to force the use of their name servers will figure out a way to continue blocking DNS: I have sufficient faith in the tenacity of such folks that all this will do is result in a cat-and-mouse game (e.g., it won't be that hard to figure out which HTTP{,S} server IP addresses to blacklist);
> - middlebox vendors and lazy DNS operators won't need to fix their DNS implementations because there is now an HTTP{,S} bypass for the folks that whine about such things; and
> - we now have to saddle DNSSEC server implementations (auth and recursive) with yet more complexity.  Permanently.

	complexity is a serious problem for maintaining a secure and auditable system.
	there is no clear, crisp engineering reason to pursue this tactic... it is, as
	stated, a counter-counter measure... looks like an arms race to me, not useful
	engineering.

> This feels like the wrong way to solve this problem.

	amen.  (sorry - too religious -  +1)

/bill

> 
> Regards,
> -drc
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext