Re: [dnsext] draft-bellis-dnsext-dnsproxy-00 - WG Item?

Ray.Bellis@nominet.org.uk Tue, 04 November 2008 17:50 UTC

In-Reply-To: <52479FB1-3DF7-40C0-AD9B-502BC6E60F75@icsi.berkeley.edu>
References: <OFC2B4769A.688DDF76-ON802574F7.004DE059-802574F7.004E250A@nominet.org.uk> <200811041648.mA4Gmxv9060421@stora.ogud.com> <52479FB1-3DF7-40C0-AD9B-502BC6E60F75@icsi.berkeley.edu>
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] draft-bellis-dnsext-dnsproxy-00 - WG Item?
Message-ID: <OF5682BF4C.2F03914D-ON802574F7.006109F1-802574F7.00616F41@nominet.org.uk>
From: Ray.Bellis@nominet.org.uk
Date: Tue, 04 Nov 2008 17:44:14 +0000
List-ID: <namedroppers.ops.ietf.org>

> The only one (which I've already mentioned) is bypassibility:  Unless 
> the proxy is specifically implementing a security policy (an IDS 
> rather than a NAT), the end resolver should be allowed to direct its 
> own queries and bypass the proxy completely.

The good news, based on the tests that resulted in SAC035, is that of the 
24 units we tested we had negligible problems routing queries directly to 
pre-configured upstream resolvers.

One unit would initially only permit queries to the same servers as had 
been learned over WAN DHCP, but a firmware update resolved that.

Another unit had an occasional memory leak when handling large(ish) EDNS0 
packets, but otherwise worked fine.

That's why there's nothing in the draft about this at the moment, but I 
can't see that it would hurt to add something.

However, as you hint at, we must also be sensitive to the requirement that 
sometimes walled-gardens and other security policies mandate that the end 
user must use the proxy.  In those cases we should consider guidance as to 
how the proxy can help effect the walled-garden without interfering with 
DNSSEC and/or TSIG.

kind regards,

Ray

-- 
Ray Bellis, MA(Oxon)
Senior Researcher in Advanced Projects, Nominet
e: ray@nominet.org.uk, t: +44 1865 332211

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
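An added example, not part of Ray's message or the SAC035 test suite: a small Python probe that builds a DNS query carrying an EDNS0 OPT record, sends it straight to a chosen upstream resolver (bypassing the CPE proxy), and checks whether the reply still carries EDNS0 and what UDP payload size the responder advertises. `SAMPLE_RESPONSE` is a constructed reply used only to exercise the parser offline; the resolver address in `probe()` is whatever the tester supplies.

```python
import socket
import struct

def build_query(name, qtype=1, udp_payload_size=4096, txid=0x1234):
    """Build a DNS query (RD set) with one question and one EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT RR)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root owner name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0 (no options)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)
    return header + question + opt

def _skip_name(buf, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length

def parse_opt(msg):
    """Return the UDP payload size from the message's OPT record, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass  # for OPT, CLASS carries the payload size
        off += 10 + rdlen
    return None

def probe(server, name="example.com", size=4096, timeout=2.0):
    """Query `server` directly; returns its advertised EDNS0 size, or None if stripped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, udp_payload_size=size), (server, 53))
        data, _ = s.recvfrom(65535)
    return parse_opt(data)

# Constructed sample reply: one A answer (compressed owner name) plus an OPT RR
# advertising 1232 bytes. Not a captured packet.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01"
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x5d\xb8\xd8\x22"
    + b"\x00\x00\x29\x04\xd0\x00\x00\x00\x00\x00\x00"
)
```

Running `probe()` against the proxy's address and against the upstream resolver side by side shows whether the CPE forwards, rewrites, or strips the OPT record on each path.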