Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Sun, 02 October 2011 11:45 UTC

From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
In-Reply-To: <CAH1iCiqjQSr-OHm004xV7Ex+aAswZEzBxaRcL6pNuzU4RgoJjw@mail.gmail.com>
Date: Sun, 2 Oct 2011 04:48:18 -0700
Message-Id: <B8621ACC-BEC9-4B59-BBE3-153A5FA8C9DE@ICSI.Berkeley.EDU>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <0394FB3B-6C2B-4D47-B1FA-AA54B7EB1053@kirei.se> <DDD7529C-9EF3-427F-AF90-2872CCD71ECF@cisco.com> <201110010458.26859.vixie@isc.org> <D3890C96-DA07-4BA1-AB57-1A81EA2ED477@icsi.berkeley.edu> <5C4E07BC-E6CC-45A6-8018-10C2A799A55E@vpnc.org> <66077D12-F568-426A-8E5C-CC077CC24622@ICSI.Berkeley.EDU> <33BA32D8CFF5BCB5D2895142@nimrod.local> <4C6F86F7-9FFD-4C71-B1A0-4CCD56E48D12@ICSI.Berkeley.EDU> <6F36FE11-36C6-4F56-B6C7-50B9C3705C13@virtualized.org> <CAH1iCiqjQSr-OHm004xV7Ex+aAswZEzBxaRcL6pNuzU4RgoJjw@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
X-Mailer: Apple Mail (2.1244.3)
Cc: DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

On Oct 1, 2011, at 6:04 PM, Brian Dickson wrote:

> So, in the case of the middlebox vendors or network administrators not
> reacting to the use of DNS over HTTP(S), problem solved. Otherwise, it
> then becomes baby+bathwater for those trying to block this, based only
> on IP addresses. Name-based HTTP servers that support this (on 80 or
> 443) on shared infrastructure (web hosting etc.), plus popularity of
> use (large numbers of sites and/or well known large sites), including
> phone-home use with client-authentication by HTTPS servers, means
> there will be significant benefit to this, and significant pressure to
> not try to break it (at least in the HTTPS case).

There are actually two cases that this seems to want to address:

a)  The amazingly borken middlebox at a consumer/hotspot.  In this case, DNS over TCP is likely to work (they don't get it), and DNS over TCP on a high port is really likely to work.  

The network is probably not trying to restrict DNS AFTER login anyway.


b)  A corporate network with a vicious firewall.  In this case, well, it's less clear that THIS proposal would work if the network administrator doesn't want it to work.  These networks sometimes do proxy HTTPS as well as HTTP, by having an additional certificate installed in the client.

E.g., I've seen Netalyzr runs from corporate networks that block EVERYTHING out (and I mean EVERYTHING), routing ALL traffic through HTTP/HTTPS proxies and blocking everything else.


So for a) (which is a mostly ignorant network), having a few global recursive resolvers on high ports is probably sufficient.

For b) (which is the deliberate corporate network), I don't think this proposal is guaranteed to work.

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
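The reachability argument in case a) above (UDP/53 filtered, but DNS over TCP/53 or TCP on a high port still gets through) can be checked directly with a small probe. The following is an added example written for this archive page; it is not Netalyzr code and not part of the thread. It builds a wire-format query (RFC 1035), frames it for TCP with the two-octet length prefix (RFC 1035 section 4.2.2), parses the reply including name compression, and tries each transport in turn. The resolver address and the "high" port number are placeholders, and the sample reply used to exercise the parser offline is constructed.

```python
import secrets
import socket
import struct

# Placeholders for this example: a resolver address and a non-53 TCP port.
RESOLVER = "192.0.2.53"
HIGH_PORT = 5353


def encode_name(name):
    """Encode a domain name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Recursion-desired query for (name, qtype, IN); random ID unless fixed."""
    if txid is None:
        txid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg):
    """Prefix a message with its two-octet length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2                        # resume after first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg, expect_id):
    """Return (rcode, [(name, type, ttl, rdata), ...]); raise on a bad reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                              # skip echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)          # render A records as text
        answers.append((name, rtype, ttl, rdata))
    return flags & 0xF, answers


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def udp_exchange(server, port, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        return s.recv(4096)


def tcp_exchange(server, port, query, timeout=3.0):
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


TRANSPORTS = [("udp/53", udp_exchange, 53),
              ("tcp/53", tcp_exchange, 53),
              ("tcp/high", tcp_exchange, HIGH_PORT)]


def probe(server, name, transports=TRANSPORTS):
    """Try each transport; record which ones return a parseable answer."""
    results = {}
    for label, exchange, port in transports:
        txid = secrets.randbelow(65536)
        try:
            reply = exchange(server, port, build_query(name, txid=txid))
            rcode, answers = parse_response(reply, txid)
            results[label] = ("ok", rcode, answers)
        except (OSError, ValueError) as exc:         # timeout, reset, garbage
            results[label] = ("fail", type(exc).__name__, None)
    return results


# Constructed sample reply (ID 0x1234, one A record with a documentation
# address, answer name given as a pointer to the question) for offline checks.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    for label, result in probe(RESOLVER, "example.com").items():
        print(label, result)
```

A transport that is merely ignored by the middlebox shows up as "ok"; one that is filtered shows up as a timeout or reset. Note that a transparent proxy of the kind described in case b) can return a well-formed answer of its own choosing, so a parseable reply is evidence of reachability, not of who answered.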