Re: [dnsext] draft-mohan-dns-query-xml-00.txt
Mohan Parthasarathy <suruti94@gmail.com> Tue, 04 October 2011 04:40 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com
(Postfix) with ESMTP id E047021F8F2B; Mon, 3 Oct 2011 21:40:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
t=1317703253; bh=FlTBBVThtFIwb4J/VpEYe+CJrSd0891Tfc8Eljv8Tng=;
h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:
List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender;
b=uWlZTfXp6bHw2i6T3zR40pqzqhLnCEnb+YQXaCnKGORm4AhadIe6lkIo2901+JDl5
FiqoxFsjcj6akUhET1rcufTnsGsy30jvKQnqWS8l4jIAy32iaGTcqXMcQUitSIxBXj
UrWl4ULT9pnmDzVfwtCdKCkKY6KhVm6ba+l/ep3Y=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id A3FC421F8F2B for <dnsext@ietfa.amsl.com>;
Mon, 3 Oct 2011 21:40:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=-0.300,
BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8rzFqzoICCf for
<dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 21:40:50 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com
[209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6F79E21F8F29 for
<dnsext@ietf.org>; Mon, 3 Oct 2011 21:40:50 -0700 (PDT)
Received: by yxt33 with SMTP id 33so127107yxt.31 for <dnsext@ietf.org>;
Mon, 03 Oct 2011 21:43:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:cc:content-type:content-transfer-encoding;
bh=0oReWdodsbRMrBdQuHFEkhXuwOqMpyzrJ0+ae45s31M=;
b=kWdkL6xj30LiVAqvbROtq7sQHbMoaGqyHeUAtLhWCbZorzAF4W6OlDuGVWNg7jHhvO
99117FLeLhcTXVSyXOsDUdoaEPlaoEvQQXG56WsHWNOdft0rqjlmipHy00Fi8SrOhU4c
43+2j8q7w+xkcUoCKJS6aEk4jQPrFYVrvh90I=
MIME-Version: 1.0
Received: by 10.68.32.130 with SMTP id j2mr6652261pbi.4.1317703433844;
Mon, 03 Oct 2011 21:43:53 -0700 (PDT)
Received: by 10.68.46.200 with HTTP; Mon, 3 Oct 2011 21:43:53 -0700 (PDT)
In-Reply-To: <20111004040259.324041492901@drugs.dv.isc.org>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com>
<201110010458.26859.vixie@isc.org>
<8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com>
<201110031713.20103.vixie@isc.org>
<54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org>
<CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com>
<CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>
<20111004001547.7ED7C149063F@drugs.dv.isc.org>
<CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com>
<20111004025502.504DD14924EC@drugs.dv.isc.org>
<F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>
<20111004040259.324041492901@drugs.dv.isc.org>
Date: Mon, 3 Oct 2011 21:43:53 -0700
Message-ID: <CACU5sDnCB62cbBYW_E26fcmGuKU0+V_-BSeF=pjyvB2dyGw_Qw@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>,
DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>,
<mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>,
<mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Mon, Oct 3, 2011 at 9:02 PM, Mark Andrews <marka@isc.org> wrote: > > In message <F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>om>, Mohan writes: >> >> >> On Oct 3, 2011, at 7:55 PM, Mark Andrews <marka@isc.org> wrote: >> >> > >> > In message <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gma= >> il.com> >> > , Mohan Parthasarathy writes: >> >> On Mon, Oct 3, 2011 at 5:15 PM, Mark Andrews <marka@isc.org> wrote: >> >>> >> >>> In message <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gma= >> i= >> >> l.com>, Mohan Parthasarathy writes: >> >>>> On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wrote:= >> >> >>>>> On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.org> = >> 3D= >> >> >> wro= >> >>>> te: >> >>>>>> >> >>>>>> +1. The slight increase in programming difficulty of using POST vs. G= >> = >> >> ET >> >>>>>> buys you a huge amount of flexibility in queries. It's not just about= >> >> >>>>>> cache-prevention. >> >>>>>> >> >>>>> >> >>>>> All silver linings have their clouds... The only unfortunate th= >> in= >> >> g abo= >> >>>> ut >> >>>>> POST, in my view, is that the flexibility can trend you away from >> >>>>> interoperability as people add and change things at different= >> = >> 3DA= >> >> 0 speed= >> >>>> s at >> >>>>> different hosts. If you want standard behavior the descending l= >> is= >> >> t goe= >> >>>> s: >> >>>>> New Method, GET, POST, at least in my view. >> >>>>> >> >>>>> Since new methods are notoriously hard to get deployed, POST seems lik= >> = >> >> e t= >> >>>> he >> >>>>> best choice if you want something that can handle any DNS operation.= >> = >> >> >> I= >> >>>> f it >> >>>>> is meant to be only retrieval, then I would personally say that keepin= >> = >> >> g it >> >>>>> within GET is the best choice. >> >>>>> >> >>>>> I'm also increasingly of the opinion that this should have the validat= >> = >> >> ion >> >>>>> bits sets by default. Allowing a web site to update the local D= >> NS= >> >> cach= >> >>>> e for >> >>>>> a client system by including a reference and a DNS result for the refe= >> = >> >> ren= >> >>>> ce >> >>>>> causes my paranoia to ratchet up a few notches. The only other d >> = >> e= >> >> fense >> >>>>> against it I see is using Web results only in same-origin web contexts= >> = >> >> , a= >> >>>> nd >> >>>>> that's going to be very hard to make work. >> >>>>> >> >>>> >> >>>> I am not sure I understand this concern fully. I guess you mean that >> >>>> you want to use this only with CD =1 which also implies that you w >> = >> an= >> >> t >> >>>> to use only with DNSSEC . Though this is the primary use case that >> >>>> this draft is trying to address, should we restrict it ? Previously, >> >>>> your concern was cache poisoning of the HTTP proxies having an impact >> >>>> on DNS. If we require HTTPS and POST, is this still a concern ? >> >>> >> >>> DO=1 implies DNSSEC. Stubs/forwarders SHOULD NOT set CD=1. = >> 3D= >> A0The >> >>> upstream validator needs to filter out the spoofed responses >> >>> on behalf of the stub/forwarder. >> >>> >> >>> Also it is just a "DNS message". UDP/TCP/HTTP/HTTPS is just the >> >>> transport for the DNS message. >> >>> >> >> >> >> If a validating stub resolver can set CD = 1 for UDP/TCP why not for >> >> HTTP or HTTPS ? >> > >> > A validating stub resolver really doesn't want to set CD=1, by >> > default. If it gets SERVFAIL back to a CD=0 query then resending >> > with CD=1, may help if the SERVFAIL was a validation failure caused >> > by a bad clock on the recursive server / out of date trust anchors. >> > A stub resolver *needs* the upstream server to weed out the bogus >> > responses due to spoofing or, more likely, operational stuff ups >> > and only pass through those that pass validation. Remember a stub >> >> Why does a validating stub resolver care? > > Say example.com is served by a DNSSEC aware authoritative server > (D) and a DNSSEC unaware authoritative server (P). The stub resolver Isn't this a broken configuration ? Why do we end up with this configuration ? > asks for www.example.com/DO=1/CD=1. The validating recurive server > get a answer from P (without DNSSEC records) and passes it on. > Validation fails. The stub resolver asks for www.example.com/DO=1/CD=1 > again and it gets the same answer (from thout DNSSEC records) the > CD=1 cache and again fails. Rince, lather, repeat. > > Now if the stub asks for www.example.com/DO=1/CD=0 the validating > resolver will reject any answers from P and only pass on answers > from D (with DNSSEC record) which should then validate. > So, this is a validating resolver, sets CD=0 (ignoring what is said in RFC 4035), gets the "proper" responses, ignores the AD bit, validates the responses. Is this discussed in any document ? > Now if the recursive server doesn't validate or it validates as > insecure you are left with first senario hoping that you are getting > answers from the DNSSEC aware authoritative server. > > What would help would be a EDNS option to send to the recursive > server the closest trust anchor(s) and current time so that it can > validate responses in a consistant manner to the stub resolver. > This seems complex to me. Perhaps, the operational document should say that a dnssec signed zone should be served only by dnssec aware authoritative servers. If there is still an operational error, the validating resolver should just give up. For example, if i set DO=1/CD=1 and there are no RRSIGS, then abort and declare insecure. -mohan > Mark > >> If there was spoofing or other problems, it can find out itself. >> It is much easier to set CD=1 always. >> >> -mohan > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wilmer van der Gaast
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Aki Tuomi
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Olaf Kolkman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Robert Edmonds
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Jakob Schlyter
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Patrik Fältström
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Colm MacCárthaigh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Wouters
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Nicholas Weaver
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Hoffman
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Wessels, Duane
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ted Hardie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Alex Bligh
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Måns Nilsson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Tony Finch
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mohan Parthasarathy
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Paul Vixie
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Ray Bellis
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Brian Dickson
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Mark Andrews
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Masataka Ohta
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt David Conrad
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt bmanning
- Re: [dnsext] draft-mohan-dns-query-xml-00.txt Michael Sheldon
- [dnsext] Related to section 5.1 of dnssec-bis-upd… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Olafur Gudmundsson
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mohan Parthasarathy
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Samuel Weiler
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews
- Re: [dnsext] Related to section 5.1 of dnssec-bis… W.C.A. Wijngaards
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Edward Lewis
- Re: [dnsext] Related to section 5.1 of dnssec-bis… Mark Andrews