Re: [dnsext] draft-bellis-dnsext-dnsproxy-00

Wouter Wijngaards <wouter@NLnetLabs.nl> Tue, 04 November 2008 08:31 UTC

Message-ID: <4910067D.6070606@nlnetlabs.nl>
Date: Tue, 04 Nov 2008 09:23:25 +0100
From: Wouter Wijngaards <wouter@NLnetLabs.nl>
User-Agent: Thunderbird 2.0.0.16 (X11/20080723)
MIME-Version: 1.0
To: Ray.Bellis@nominet.org.uk
CC: Florian Weimer <fw@deneb.enyo.de>, namedroppers@ops.ietf.org
Subject: Re: [dnsext] draft-bellis-dnsext-dnsproxy-00
References: <OF7E3816AF.C6D6EB41-ON802574F6.0076B6C3-802574F6.0077AF4E@nominet.org.uk>
In-Reply-To: <OF7E3816AF.C6D6EB41-ON802574F6.0076B6C3-802574F6.0077AF4E@nominet.org.uk>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ray.Bellis@nominet.org.uk wrote:
> Forward pointing ones certainly are:

ok

> A pointer that links to somewhere other than the start of another label 
> isn't (AFAIK) expressly prohibited.  However I can't imagine why any 
> "real" upstream resolver would ever produce one for legitimate reasons.  I 
> am aware of certain research of the use of this technique to reduce the 
> size of packets needed for cache-poisoning attacks, since smaller packets 
> implies greater attack efficiency.

Well, it could certainly be useful for compression of DNSSEC packets.  I
have not tried to do so for interoperability reasons.  For DNSSEC
packets the RRSIG rdata cannot be compressed, but if it is put in the
packet first, it can be used to compress *to*.

Could you refrain from making this impossible?  The draft is about stubs
anyway; just leave out 'at the start of another label'.

I would also leave out the backpointing requirement.  I would rather not
have my firewall check to make sure compression pointers point back.

>> This raises the question of trailing garbage in the UDP packet.  For
>> interoperability reasons, I think this has to be accepted.
> 
> Interesting...  in my earlier research we were more concerned with missing 
> data, and never noticed extraneous data.  Is this a common occurrence?

Yes.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkQBn0ACgkQkDLqNwOhpPichQCeOeTgc0M6eqKbEZPcQZkiq2WY
30sAoJZNXTLSdpe0FWIH4E4vJUQHODHt
=jc/q
-----END PGP SIGNATURE-----
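Added example, not code from the thread, from the draft, or from any resolver or firewall: a small Python message walker that decodes names with the checks argued over above. Pointers must point strictly backwards (the RFC 1035 "prior occurrence" rule, which also rules out loops), a strict mode additionally enforces the draft's "start of another label" rule, and trailing octets after the last RR are counted rather than rejected. The three packets are constructed inline for the example; the RRSIG one has an A owner name compressed against the signer name inside RRSIG rdata, which the lenient walker accepts and the strict walker refuses because it never decoded a label at that offset. The 192.0.2.1 address, the algorithm number and the zeroed signature are placeholders.

```python
"""DNS name decompression with backward-only and 'label start' pointer checks."""
import struct


class DnsParseError(ValueError):
    """Raised when a message violates one of the checks the walker enforces."""


def read_name(msg, off, label_starts=None, strict=False):
    """Decode the name at msg[off:]; return (labels, offset just after it).

    label_starts collects offsets at which a label (or pointer) was decoded.
    strict=True requires every pointer target to be in that set, i.e. the
    draft's 'start of another label' rule; lenient mode accepts any backward
    target that decodes cleanly, which is what allows pointing into RRSIG rdata.
    """
    if label_starts is None:
        label_starts = set()
    labels, total, pos, end, hops = [], 0, off, None, 0
    while True:
        if pos >= len(msg):
            raise DnsParseError("name runs past end of message")
        octet = msg[pos]
        kind = octet & 0xC0
        if kind == 0xC0:                        # compression pointer
            if pos + 1 >= len(msg):
                raise DnsParseError("truncated pointer at %d" % pos)
            target = ((octet & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:                   # forward or self pointer: never valid
                raise DnsParseError("forward pointer at %d -> %d" % (pos, target))
            if strict and target not in label_starts:
                raise DnsParseError("pointer at %d -> %d is not a label start" % (pos, target))
            hops += 1
            if hops > 32:                       # defence in depth; the backward rule already bounds this
                raise DnsParseError("too many pointer hops")
            label_starts.add(pos)               # a pointer is itself a legal place to point at
            if end is None:
                end = pos + 2                   # the name occupies two octets at its original place
            pos = target
            continue
        if kind != 0x00:                        # label types 01 and 10 (extended/reserved)
            raise DnsParseError("label type 0x%02x at %d not supported" % (kind, pos))
        label_starts.add(pos)
        if octet == 0:                          # root label terminates the name
            if end is None:
                end = pos + 1
            return labels, end
        total += octet + 1                      # a label is at most 63 octets since its type bits are 00
        if total + 1 > 255:                     # +1 for the terminating root label
            raise DnsParseError("name exceeds 255 octets")
        label = msg[pos + 1:pos + 1 + octet]
        if len(label) != octet:
            raise DnsParseError("label at %d truncated" % pos)
        labels.append(label)
        pos += 1 + octet


def walk_message(msg, strict=False):
    """Decode every owner/question name; return (names, trailing_octets)."""
    if len(msg) < 12:
        raise DnsParseError("short header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, starts, names = 12, set(), []
    for _ in range(qd):
        labels, off = read_name(msg, off, starts, strict)
        names.append(labels)
        off += 4                                # QTYPE, QCLASS
        if off > len(msg):
            raise DnsParseError("truncated question")
    for _ in range(an + ns + ar):
        labels, off = read_name(msg, off, starts, strict)
        names.append(labels)
        if off + 10 > len(msg):
            raise DnsParseError("truncated RR header")
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
        if off > len(msg):
            raise DnsParseError("truncated rdata")
    return names, len(msg) - off                # trailing octets are reported, not rejected


def rejects(msg, strict=False):
    """True if the walker refuses the message."""
    try:
        walk_message(msg, strict)
        return False
    except DnsParseError:
        return True


# Constructed packets (not captured traffic).
def _header(ancount):
    return struct.pack("!6H", 0x1234, 0x8180, 1, ancount, 0, 0)


def _rr(owner, rtype, rdata, ttl=60):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


_QUESTION = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
_PTR_Q = b"\xc0\x0c"                            # pointer to the question name at offset 12
_A_RDATA = bytes([192, 0, 2, 1])                # documentation address, placeholder


def plain_with_trailing_garbage():
    return _header(1) + _QUESTION + _rr(_PTR_Q, 1, _A_RDATA) + b"\x00\x00\x00"


def rrsig_target_compressed():
    """A owner name compressed against the signer name inside RRSIG rdata."""
    head = _header(2) + _QUESTION
    sig_fixed = struct.pack("!HBBIIIH", 1, 13, 3, 3600, 0x50000000, 0x4FFF0000, 12345)
    signer = b"\x07example\x03com\x00"
    rrsig_rdata = sig_fixed + signer + bytes(8)  # zeroed placeholder signature
    signer_off = len(head) + len(_PTR_Q) + 10 + len(sig_fixed)   # == 63 here
    a_owner = b"\x03www" + struct.pack("!H", 0xC000 | signer_off)
    return head + _rr(_PTR_Q, 46, rrsig_rdata, ttl=3600) + _rr(a_owner, 1, _A_RDATA)


def forward_pointer():
    return _header(1) + _QUESTION + _rr(b"\xc0\x23", 1, _A_RDATA)   # pointer at 33 -> 35
```

A firewall or proxy applying only the backward check (what Wouter asks for) passes the RRSIG-compressed packet; one applying the draft's stricter wording must either reject it or parse into RRSIG rdata to learn where the signer name's labels begin.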

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>