Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Mark Andrews <marka@isc.org> Tue, 04 October 2011 02:52 UTC

To: Mohan Parthasarathy <suruti94@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com> <201110031713.20103.vixie@isc.org> <54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org> <CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com> <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com> <20111004001547.7ED7C149063F@drugs.dv.isc.org> <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com>
In-reply-to: Your message of "Mon, 03 Oct 2011 19:35:56 PDT." <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com>
Date: Tue, 04 Oct 2011 13:55:02 +1100
Message-Id: <20111004025502.504DD14924EC@drugs.dv.isc.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

In message <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com>, Mohan Parthasarathy writes:
> On Mon, Oct 3, 2011 at 5:15 PM, Mark Andrews <marka@isc.org> wrote:
> >
> > In message <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>, Mohan Parthasarathy writes:
> >> On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wrote:
> >> > On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> >> >>
> >> >> +1. The slight increase in programming difficulty of using POST vs. GET
> >> >> buys you a huge amount of flexibility in queries. It's not just about
> >> >> cache-prevention.
> >> >>
> >> >
> >> > All silver linings have their clouds... The only unfortunate thing about
> >> > POST, in my view, is that the flexibility can trend you away from
> >> > interoperability as people add and change things at different speeds at
> >> > different hosts. If you want standard behavior the descending list goes:
> >> > New Method, GET, POST, at least in my view.
> >> >
> >> > Since new methods are notoriously hard to get deployed, POST seems like the
> >> > best choice if you want something that can handle any DNS operation. If it
> >> > is meant to be only retrieval, then I would personally say that keeping it
> >> > within GET is the best choice.
> >> >
> >> > I'm also increasingly of the opinion that this should have the validation
> >> > bits set by default. Allowing a web site to update the local DNS cache for
> >> > a client system by including a reference and a DNS result for the reference
> >> > causes my paranoia to ratchet up a few notches. The only other defense
> >> > against it I see is using Web results only in same-origin web contexts, and
> >> > that's going to be very hard to make work.
> >> >
> >>
> >> I am not sure I understand this concern fully. I guess you mean that
> >> you want to use this only with CD=1, which also implies that you want
> >> to use it only with DNSSEC. Though this is the primary use case that
> >> this draft is trying to address, should we restrict it? Previously,
> >> your concern was cache poisoning of the HTTP proxies having an impact
> >> on DNS. If we require HTTPS and POST, is this still a concern?
> >
> > DO=1 implies DNSSEC.  Stubs/forwarders SHOULD NOT set CD=1.  The
> > upstream validator needs to filter out the spoofed responses
> > on behalf of the stub/forwarder.
> >
> > Also it is just a "DNS message".  UDP/TCP/HTTP/HTTPS is just the
> > transport for the DNS message.
> >
> 
> If a validating stub resolver can set CD = 1 for UDP/TCP, why not for
> HTTP or HTTPS?

A validating stub resolver really doesn't want to set CD=1 by
default.  If it gets SERVFAIL back to a CD=0 query, then resending
with CD=1 may help if the SERVFAIL was a validation failure caused
by a bad clock on the recursive server / out-of-date trust anchors.
A stub resolver *needs* the upstream server to weed out the bogus
responses due to spoofing or, more likely, operational stuff-ups,
and only pass through those that pass validation.  Remember a stub
resolver does not have access to multiple authoritative sources;
only the recursive server does.  If you are willing to bet that
every response you get back is good, then always set CD=1; otherwise
CD=1 should only be set if the CD=0 lookup fails.

> -mohan
> 
> >> -mohan
> >>
> >> > Ted
> >> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
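The stub-resolver strategy Mark describes (query with CD=0 so the upstream validator filters bogus answers; fall back to CD=1 only after a SERVFAIL, and then validate locally), written out as an added example that is not part of the thread or of the draft under discussion. The wire format follows the RFC 1035 header and the RFC 6891 OPT record that carries the DO bit; `make_upstream` is a constructed in-process stand-in for a validating recursive server, not a network client, and `validate_locally` is a hypothetical caller-supplied hook standing in for a real DNSSEC validator.

```python
"""Stub-resolver CD-bit strategy (added example, not from the thread).

Query with CD=0 first so the upstream validator filters bogus answers on
the stub's behalf; retry with CD=1 only after a SERVFAIL, and then the
stub must validate the unfiltered answer itself.  The "upstream" below is
a constructed in-process stand-in (no network I/O), and validate_locally
is a hypothetical hook standing in for a real DNSSEC validator.
"""
import struct

FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5   # Authenticated Data: the validator vouches for the answer
FLAG_CD = 1 << 4   # Checking Disabled: the validator steps aside
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    """Uncompressed RFC 1035 wire name: length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, qid: int, cd: bool = False, do: bool = True) -> bytes:
    """Single-question query; DO=1 rides in an OPT RR in the additional section."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if do:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, the TTL field
        # holds ext-RCODE/version/flags with DO at bit 15, and no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 1 << 15, 0)
    return msg


def parse_header(msg: bytes) -> dict:
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF, "qdcount": qd}


def question_section(msg: bytes) -> bytes:
    """Slice out the (single) question so a response can echo it."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return msg[12:i + 1 + 4]   # root terminator + QTYPE + QCLASS


def build_response(query: bytes, rcode: int, ad: bool = False) -> bytes:
    """Minimal answer-less response echoing ID, RD, CD and the question."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | FLAG_RA | (qflags & (FLAG_RD | FLAG_CD)) | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question_section(query)


def make_upstream(validation_broken: bool):
    """Constructed stand-in for a validating recursive server (not real I/O)."""
    def send(query: bytes) -> bytes:
        h = parse_header(query)
        if h["cd"]:
            # CD=1: hand back whatever we hold, unvalidated, so never set AD.
            return build_response(query, RCODE_NOERROR, ad=False)
        if validation_broken:
            # Bad clock / stale trust anchor: every signed answer looks bogus.
            return build_response(query, RCODE_SERVFAIL)
        return build_response(query, RCODE_NOERROR, ad=True)
    return send


def stub_resolve(send, qname: str, qtype: int, validate_locally) -> dict:
    """CD=0 first; CD=1 only on SERVFAIL, and then trust nothing unvalidated."""
    r0 = send(build_query(qname, qtype, qid=0x1234, cd=False))
    h0 = parse_header(r0)
    if h0["id"] != 0x1234 or not h0["qr"]:
        raise ValueError("response does not match query")
    if h0["rcode"] != RCODE_SERVFAIL:
        return {"cd": 0, "rcode": h0["rcode"], "secure": h0["ad"]}
    # Upstream filtering failed us; retry with CD=1 and take over validation.
    r1 = send(build_query(qname, qtype, qid=0x1235, cd=True))
    h1 = parse_header(r1)
    if h1["id"] != 0x1235 or h1["rcode"] != RCODE_NOERROR:
        return {"cd": 1, "rcode": h1["rcode"], "secure": False}
    if not validate_locally(r1):
        # With CD=1 the upstream filter is bypassed, so a failed local
        # check is the only thing standing between us and bogus data.
        return {"cd": 1, "rcode": RCODE_SERVFAIL, "secure": False}
    return {"cd": 1, "rcode": RCODE_NOERROR, "secure": True}


if __name__ == "__main__":
    print(stub_resolve(make_upstream(False), "example.com", TYPE_A, lambda r: True))
    print(stub_resolve(make_upstream(True), "example.com", TYPE_A, lambda r: True))
    print(stub_resolve(make_upstream(True), "example.com", TYPE_A, lambda r: False))
```

One caveat a deployment has to get right: the `secure` result in the CD=0 path is taken from the upstream's AD bit, which only means something if the path to the recursive server cannot be tampered with (RFC 4035 section 4.9.3). That is where the transport discussion in the thread comes back in: over plain UDP or cleartext HTTP an attacker who can inject responses can set AD too, so a stub that relies on AD rather than validating itself needs an authenticated channel such as HTTPS to the recursive server.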