Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Ted Hardie <ted.ietf@gmail.com> Thu, 29 September 2011 16:28 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4F0A21F8E42; Thu, 29 Sep 2011 09:28:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1317313721; bh=Gn7oWSYV1w2YiDp8CJCPzO2aQ8eK2xqEoSazEWRwSqg=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Sender; b=CD4MuYcUlTVubBdQBX41uxeNSqpw6MEBSkRnwjiIwLZL0DLXpXeKbcI7yxCn1ND3t 1iKOojY4jr1jZw+RJfCh83wldCC4nadaQjnss5uYbAQcA3gLwG3kGcVBDYOvS/Ozhd n7u+Fu6Jp9bTgUAXaLcpxBnYtJSrg1Ko9hu57Pco=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4C5E21F8E42 for <dnsext@ietfa.amsl.com>; Thu, 29 Sep 2011 09:28:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.208
X-Spam-Level:
X-Spam-Status: No, score=-3.208 tagged_above=-999 required=5 tests=[AWL=-0.210, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OZb9DsCxTBGq for <dnsext@ietfa.amsl.com>; Thu, 29 Sep 2011 09:28:39 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 37AF121F8CBB for <dnsext@ietf.org>; Thu, 29 Sep 2011 09:28:39 -0700 (PDT)
Received: by ywa6 with SMTP id 6so879567ywa.31 for <dnsext@ietf.org>; Thu, 29 Sep 2011 09:31:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=GuA0nLPLExOD/1UvwGaX9K5OGCGbyzuqDquZZ4iwEJc=; b=hUIenQHVIKfINWod6LnbCwQs7UAoT3KPlVN8zrc0W6XZbSr9ReOmIaLfFoSEnMeFM9 Pu9cXhnBIy1HeYXMtT7p/wcm/ZPREnU7Bz8WRa2nEo74Fsj9zGOk6HgFbRlDJB2dpTQJ MvLIYwsJmpKVsKhIpithXH/MTgGN0TZnHyqR8=
MIME-Version: 1.0
Received: by 10.236.191.71 with SMTP id f47mr64997839yhn.125.1317313890553; Thu, 29 Sep 2011 09:31:30 -0700 (PDT)
Received: by 10.236.105.169 with HTTP; Thu, 29 Sep 2011 09:31:30 -0700 (PDT)
In-Reply-To: <CACU5sDnRBuKGNvnjOeV9J9W1sMpL8TAx=RK+_mLbgngqtoPL_g@mail.gmail.com>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <CA+9kkMAozdS=F8FF5SRz0gTCfz7nXch578ZtU7pi25NYwB=8-Q@mail.gmail.com> <CACU5sDnRBuKGNvnjOeV9J9W1sMpL8TAx=RK+_mLbgngqtoPL_g@mail.gmail.com>
Date: Thu, 29 Sep 2011 09:31:30 -0700
Message-ID: <CA+9kkMCzePsRwz1+MFUvJexXBwVA2p1Q+kSm_3ZeGd-MPZ5zLQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Mohan Parthasarathy <suruti94@gmail.com>
Cc: Paul Vixie <vixie@isc.org>, dnsext@ietf.org
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1790056877086149561=="
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Wed, Sep 28, 2011 at 2:49 PM, Mohan Parthasarathy <suruti94@gmail.com>wrote;wrote:

> On Wed, Sep 28, 2011 at 2:06 PM, Ted Hardie <ted.ietf@gmail.com> wrote:
> > Howdy,
> >
> > I have a few questions on this proposal.
> >
> > Why not re-use the syntax of RFC4501 for the query?  That is:
> >
> https://relayingwebserver.example.com/query.cgi?dns:[//authority/]domain[?CLASS=class;TYPE=type]
> > ?
> >
> We should definitely study that for the next revision. We need to be
> able to specify more than what is given in RFC 4501. Is that
> extensible ?
>
>
What kind of extension do you need, the validation bit?

It likely is extensible if there is need, provided the existing strings
remain valid.  At worst, you'd need to mint a new URI.  If you go down that
road, though, I would suggest simply minting a URI for dns.https, where the
authority is the webserver you are querying and the path is the
domain[?CLASS=class;Type=Type;CD=1].  That makes https a "transport" for
DNS, rather than seeing this as a relayed service.  To me, it also suggests
you continue to use the DNS binary representations, since the results will
get fed to a local DNS subsystem.  With either XML or JSON, you're going
through a double translation (once on the relaying server and once in the
local subsystem pushing it to the DNS), and that seems more likely to
introduce error than to get you much benefit.




> > Declaring a namespace for the xml is generally good practice.  It's also
> not
> > clear why you need an XML-based representation, rather than using a
> > mime-type like that set out in RFC 4027 (which uses detached domain name
> > information as set out in RFC 2540).  Even if those need updating, it's
> not
> > clear to me what you're gaining with the use of XML here.
> >
>
> We chose XML because it is readily available and also better
> inter-operability.
>
>
As others have noted, XML parsers are common--but the interpretation of the
XML in any particular namespace has to develop interoperability on its own.


> > It seems like you're wanting this to be used when CD bit is set to 1; any
> > reason why you'd want to support this for CD bit set to 0?
> > In general, I think a little bit more wording on when this tunneling
> would
> > be used would be really useful to flesh out when this is needed.
> >
> Yes, the main use case is DNSSEC. Does it make sense to restrict to just
> that ?
>
>
The advantage is really that you can tailor the return data parsers to throw
out anything that doesn't include the required DNSSEC bits.  As it is,
you're going to move from one set of issues (poor caching resolvers) to
another:  HTTP interception proxies.  Those are often not known to the end
host and their behavior is, at best, "interesting".  Mandating the use of
HTTPS will help some, but there is going to be an increased risk of HTTP
cache poisoning having an impact on the DNS if you use this--without DNSSEC,
that attack vector seems to me personally pretty bad.

regards,

Ted


> > NIT: You cite RFC 2396, but the current reference is RFC 3986
> >
> Will fix that.
>
> thanks
> mohan
>
> > regards,
> >
> > Ted Hardie
> >
> >
> > On Wed, Sep 28, 2011 at 11:24 AM, Mohan Parthasarathy <
> suruti94@gmail.com>
> > wrote:
> >>
> >> Hi,
> >>
> >> DNSSEC validation is stub resolver is dependent on DNSSEC-aware CPEs,
> >> recursive servers etc. Here is a draft that we submitted yesterday to
> >> address this problem.
> >>
> >> http://www.ietf.org/id/draft-mohan-dns-query-xml-00.txt
> >>
> >> Please send your comments/feedback to the list.
> >>
> >> thanks
> >> -mohan
> >> _______________________________________________
> >> dnsext mailing list
> >> dnsext@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dnsext
> >
> >
>
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext