Re: XQID (Re: Forgery Resistance phase #2 )

Jelte Jansen <jelte@NLnetLabs.nl> Wed, 30 July 2008 18:14 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C25AA3A6C2F; Wed, 30 Jul 2008 11:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.288
X-Spam-Level:
X-Spam-Status: No, score=-102.288 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ev9oVjqezRPL; Wed, 30 Jul 2008 11:14:15 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id D3E543A6972; Wed, 30 Jul 2008 11:14:14 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KOG6x-0001AC-AY for namedroppers-data@psg.com; Wed, 30 Jul 2008 18:09:19 +0000
Received: from [2001:7b8:206:1:7200:ff:fe00:28e3] (helo=sol.nlnetlabs.nl) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <jelte@NLnetLabs.nl>) id 1KOG6t-00019f-1J for namedroppers@ops.ietf.org; Wed, 30 Jul 2008 18:09:17 +0000
Received: from jelte (vhe-520087.sshn.net [195.169.221.157]) by sol.nlnetlabs.nl (Postfix) with ESMTP id C56E013002C; Wed, 30 Jul 2008 20:09:13 +0200 (CEST)
Received: from [192.168.8.11] (dragon [192.168.8.11]) by jelte (Postfix) with ESMTP id 51015CF982; Wed, 30 Jul 2008 20:09:13 +0200 (CEST)
Message-ID: <4890AE49.7040006@NLnetLabs.nl>
Date: Wed, 30 Jul 2008 20:09:13 +0200
From: Jelte Jansen <jelte@NLnetLabs.nl>
User-Agent: Thunderbird 2.0.0.16 (X11/20080724)
MIME-Version: 1.0
To: Paul Vixie <vixie@isc.org>
Cc: namedroppers@ops.ietf.org
Subject: Re: XQID (Re: Forgery Resistance phase #2 )
References: <200807281555.m6SFsxAO021711@stora.ogud.com> <027b01c8f17e$f99b0a80$ecd11f80$@com> <1135.1217352731@nsa.vix.com>
In-Reply-To: <1135.1217352731@nsa.vix.com>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Vixie wrote:
>> I think my XQID suggestion (http://www.jhsoft.com/dns-xqid.htm) which by
>> the way seems like an even better idea in light of the Kaminsky bug, is
>> somewhere in your list already.
> 
> if we can amend the edns spec to require that for the XQID option, a reply
> without XQID will cause the transaction to be repeated several times across
> all of the zone's nameservers, with a different random UDP port and 16-bit
> QID each time, then i will support the XQID proposal.  (this logic for
> repeat-on-suspicion is more or less what we're recommending in 0x20, and
> it's possible that if there are enough 0x20 bits available, then an XQID
> could be made optional for that transaction.)
> 

Correct me if I'm wrong, but I think you might be confusing two
proposals here: XQID and the EDNS PING proposal. XQID appends entropy to
the actual query name, and shouldn't be downgradeable by leaving out
something (because then the answer wouldn't be the same as the query).

Using EDNS PING is 'cleaner' (it doesn't muck with the query), but would
need something like you ask for here.

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIkK5J4nZCKsdOncURAvtOAJ427eN0V+fScDIKXbb59rKhyk9JDACglknN
QlLw6qkqdjuqKkcIrGLyktw=
=tRLv
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
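The distinction drawn in this exchange (entropy carried in the query name itself versus an optional EDNS marker that a responder can simply leave out, and Vixie's repeat-on-suspicion when that happens) is illustrated below as a resolver-side validation routine. This is an added example, not code from the thread, from NLnet Labs, ISC or the jhsoft XQID page; the `Query`/`Response` field names are hypothetical, the EDNS marker is modelled as a plain boolean rather than any real option code, and XQID's own wire format is not implemented, only the principle that a name-carried bit cannot be dropped without making the reply's question section differ from the query.

```python
"""Added illustration of query-name entropy (0x20 case bits), byte-exact
echo checking and repeat-on-suspicion for a DNS stub/recursive resolver."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    # Hypothetical field names; a real resolver tracks these per outstanding query.
    qname: str        # name exactly as sent on the wire, case preserved
    qid: int          # 16-bit DNS transaction id
    src_port: int     # randomized ephemeral UDP source port
    wants_ping: bool  # an optional EDNS option was sent and should be echoed


@dataclass(frozen=True)
class Response:
    qname: str        # name as it appears in the reply's question section
    qid: int
    dst_port: int
    has_ping: bool    # the optional EDNS option came back


def randomize_case(qname, rng=None):
    """0x20: give each ASCII letter a random case; other octets are unchanged."""
    rng = rng or secrets.SystemRandom()
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def case_entropy_bits(qname):
    """Each letter carries one bit; digits, hyphens and dots carry none."""
    return sum(1 for ch in qname if ch.isalpha())


def total_entropy_bits(qname):
    """QID (16) + source port (16) + 0x20 bits: all must be guessed by a forger."""
    return 16 + 16 + case_entropy_bits(qname)


def new_query(qname, wants_ping=True, rng=None):
    """Build an outgoing query with fresh QID, fresh port and fresh case pattern."""
    rng = rng or secrets.SystemRandom()
    return Query(randomize_case(qname, rng), rng.getrandbits(16),
                 rng.randrange(1024, 65536), wants_ping)


def check_response(q, r, min_case_bits=8):
    """Classify a reply as 'accept', 'discard' or 'retry'.

    discard: QID, port or question name differs, so this cannot be the reply
             to q. The name compare is byte-exact; a case-folded compare would
             throw the 0x20 bits away.
    retry:   fields match but the optional EDNS marker was stripped and the
             name alone carries too few bits; repeat the query (other server,
             fresh port, fresh QID) before trusting it.
    accept:  everything the query committed to came back.
    """
    if r.qid != q.qid or r.dst_port != q.src_port or r.qname != q.qname:
        return "discard"
    if q.wants_ping and not r.has_ping and case_entropy_bits(q.qname) < min_case_bits:
        return "retry"
    return "accept"


def naive_check(q, r):
    """The weak comparison 0x20 relies on resolvers NOT doing: case-insensitive match."""
    return (r.qid == q.qid and r.dst_port == q.src_port
            and r.qname.lower() == q.qname.lower())


def retry(q, rng=None):
    """Re-issue q with a new QID, new port and a new case pattern on the same name."""
    return new_query(q.qname.lower(), q.wants_ping, rng)


if __name__ == "__main__":
    q = new_query("www.example.com.")
    print(q, total_entropy_bits(q.qname), "bits of entropy")
    stripped = Response(q.qname, q.qid, q.src_port, has_ping=False)
    print("marker stripped ->", check_response(q, stripped))
```

The `retry` path is what Vixie asks the EDNS spec to require: a marker-less reply is not trusted on its own but triggers a repeat with new port and QID, so a responder that strips the option gains nothing. The `discard` path shows Jelte's point about name-carried entropy: a reply whose question section does not reproduce the query name octet for octet is simply not a reply to that query, so there is nothing to downgrade.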