Re: [dnsext] Practically secure DNS

Paul Wouters <paul@xelerance.com> Mon, 24 October 2011 13:45 UTC

Date: Mon, 24 Oct 2011 09:44:39 -0400
From: Paul Wouters <paul@xelerance.com>
To: dnsext@ietf.org
In-Reply-To: <02C8B7BF-7C6F-4BC2-9A40-2EC087895F58@hopcount.ca>
Message-ID: <alpine.DEB.2.00.1110240940230.9077@mail.xelerance.com>
References: <20111009135505.GA85221@shinkuro.com> <20111009213431.4756314E0BDE@drugs.dv.isc.org> <CACU5sD=-pJUVKG1QmwBX9d-MZJp6_AYkXWDxh_CTAXO=x7+Juw@mail.gmail.com> <20111010051725.3A95214E5206@drugs.dv.isc.org> <CACU5sDnd49zbLxqLFOebFfm6UqJ7qZiQuCqY4DeEA4rHiia8GQ@mail.gmail.com> <20111010220027.F1E2614EB649@drugs.dv.isc.org> <4E9C2413.3030000@nlnetlabs.nl> <20111017134650.816981569E8F@drugs.dv.isc.org> <20111017140437.GA7743@shinkuro.com> <20111018014221.C0E871578C86@drugs.dv.isc.org> <20111018040429.GM7743@shinkuro.com> <20111018054252.1EF21157D5EB@drugs.dv.isc.org> <4E9D1FA2.5020608@necom830.hpcl.titech.ac.jp> <4E9D6BAC.7000100@gis.net> <4E9D8459.1030707@necom830.hpcl.titech.ac.jp> <sjm7h42z8p3.fsf@mocana.ihtfp.org> <4E9E140D.8040803@necom830.hpcl.titech.ac.jp> <20111019015410.5AA45158826F@drugs.dv.isc.org> <4E9EDDE3.3050302@necom830.hpcl.titech.ac.jp> <4EA5329D.8050607@necom830.hpcl.titech.ac.jp> <02C8B7BF-7C6F-4BC2-9A40-2EC087895F58@hopcount.ca>
Subject: Re: [dnsext] Practically secure DNS

> On 2011-10-24, at 09:40, Masataka Ohta wrote:
>
> 	http://www.ietf.org/id/draft-ohta-practically-secure-dns-00.txt

Isn't all of this already proposed in http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01
and implemented in unbound?

It also totally ignores the fact that if all involved name servers are "secure" (definition unknown) but
the traffic path is not, the "secure" client is still going to take rewritten replies. E.g., this draft
does not even handle the "starbucks wifi" scenario or any transparent DNS proxy scenario.

Paul
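The point in the reply above, as an added Python simulation that is not part of the original message: resolver-side mitigations of the kind the cited draft describes (assumed here to be transaction-ID, source-port and 0x20 case matching) only verify that a reply corresponds to the query, so an off-path forger who has to guess those fields fails, while a transparent proxy that has seen the query reproduces every one of them and its rewritten answer is accepted. All packets, names and RFC 5737 addresses are constructed.

```python
import secrets
import struct

def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(qname):
    """Constructed stub query for an A record carrying the resolver-side entropy sources:
    random transaction ID, random source port and randomised QNAME letter case (0x20)."""
    txid, sport = secrets.randbits(16), 1024 + secrets.randbelow(64000)
    mixed = "".join(c.upper() if secrets.randbits(1) else c for c in qname)
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(mixed) + struct.pack("!HH", 1, 1)
    return sport, msg

def build_response(query, ip):
    """Answer a query the way any server, or any on-path box, that has SEEN it would: copy the
    ID and the question byte-for-byte, then append one A record pointing at the question name."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr

def blind_forgery(qname, ip):
    """An off-path forger never saw the query: it must guess ID, port and case (lower case assumed)."""
    guess_port = 1024 + secrets.randbelow(64000)
    guessed_query = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
    return guess_port, build_response(guessed_query, ip)

def accepts(sport, query, resp_port, response):
    """Resolver-side check: accept only if port, transaction ID and the case-preserved question match."""
    qlen = len(query) - 12
    return sport == resp_port and query[:2] == response[:2] and query[12:] == response[12:12 + qlen]

def answer_ip(query, response):
    """Extract the A record's RDATA: the four bytes after the question and the 12-byte RR prefix."""
    off = len(query) + 12
    return ".".join(str(b) for b in response[off:off + 4])

def scenario(qname, real_ip, proxy_ip):
    """Returns (genuine_accepted, on_path_rewrite_accepted, blind_forgery_accepted, ip_client_uses)."""
    sport, query = build_query(qname)
    genuine = build_response(query, real_ip)
    rewritten = build_response(query, proxy_ip)    # transparent proxy saw the query: all entropy copied
    fport, blind = blind_forgery(qname, proxy_ip)  # off-path forger has to guess every field
    client_sees = rewritten if accepts(sport, query, sport, rewritten) else genuine
    return (accepts(sport, query, sport, genuine), accepts(sport, query, sport, rewritten),
            accepts(sport, query, fport, blind), answer_ip(query, client_sees))
```

`scenario("www.example.com", "192.0.2.1", "198.51.100.7")` returns `(True, True, False, "198.51.100.7")`: the checks reject the blind guess but cannot tell the proxy's rewrite from the genuine answer.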
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext