Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Nicholas Weaver <nweaver@icsi.berkeley.edu> Wed, 28 September 2011 21:13 UTC

From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
To: Mohan Parthasarathy <suruti94@gmail.com>
Cc: Paul Vixie <vixie@isc.org>, dnsext@ietf.org
Date: Wed, 28 Sep 2011 14:16:09 -0700
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
In-Reply-To: <CACU5sDk-2NeWgp-MBt1O0=MoP1mnH5UgWY1PuYK_YyJTpJ256Q@mail.gmail.com>
Message-Id: <71422E92-1832-4703-98F4-62FB839A5235@icsi.berkeley.edu>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <alpine.LFD.1.10.1109281525430.25654@newtla.xelerance.com> <CACU5sDk-2NeWgp-MBt1O0=MoP1mnH5UgWY1PuYK_YyJTpJ256Q@mail.gmail.com>
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>

On Sep 28, 2011, at 2:07 PM, Mohan Parthasarathy wrote:
> If I want to be able to run both my web service and DNS service from
> the same address, then I can't just run DNS alone over 80/443.

Have you looked at just running normal DNS recursively from the end host, including failover to TCP when things are obviously breaking?

We don't have ALL the information yet (our test is not comprehensive enough), but most systems CAN do direct fetches on UDP or TCP if they must: non-functioning recursive resolvers should not be a problem for DNSSEC validation.

In fact, for the purposes of A records, etc., just the recursive request from the end host is enough to be "close enough" to the security effect you would get from full DNSSEC validation.  (DANE or the like, where DNSSEC is used to validate key material not host->IP mappings, requires end-host validation.)
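The end-host behaviour Weaver suggests above (send the query yourself over UDP, fail over to TCP when UDP breaks or the answer comes back truncated), written out as an added example that is not part of this thread or of the draft under discussion. Everything in it is plain RFC 1035 wire format; the transports are injectable functions so the fallback logic can be exercised against constructed packets, and the resolver address used in the usage note below is a placeholder, not anything taken from the list.

```python
"""Added example (not from the thread or the draft): an end-host DNS lookup that
queries over UDP first and falls back to TCP on UDP failure or a truncated reply."""
import secrets
import socket
import struct

TYPE_A = 1

def encode_name(name):
    """Encode "www.example.com" as DNS labels: 3www7example3com0."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=None):
    """Build a recursion-desired query; returns (txid, question_section, message)."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # unpredictable ID: basic spoofing resistance
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return txid, question, header + question

def parse_header(msg):
    """Decode the 12-byte header into the fields the fallback logic needs."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """Collect IPv4 addresses from the answer section; other RR types are skipped."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def response_acceptable(resp, txid, question):
    """Accept only a reply (QR=1) carrying our ID that echoes our question byte-for-byte."""
    hdr = parse_header(resp)
    return (hdr["qr"] and hdr["id"] == txid and hdr["qdcount"] == 1
            and resp[12:12 + len(question)] == question)

def resolve(name, send_udp, send_tcp, qtype=TYPE_A):
    """Try UDP; use TCP if UDP errors, mismatches, or is truncated. Returns (transport, rcode, addrs)."""
    txid, question, query = build_query(name, qtype)
    resp, transport = None, "udp"
    try:
        cand = send_udp(query)
        if response_acceptable(cand, txid, question) and not parse_header(cand)["tc"]:
            resp = cand
    except (OSError, ValueError):
        pass  # timeout, ICMP unreachable, or garbage: fall through to TCP
    if resp is None:
        transport = "tcp"
        cand = send_tcp(query)
        if not response_acceptable(cand, txid, question):
            raise ValueError("TCP reply did not match our query")
        resp = cand
    return transport, parse_header(resp)["rcode"], parse_a_records(resp)

def udp_transport(server, port=53, timeout=2.0):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recvfrom(4096)[0]
    return send

def tcp_transport(server, port=53, timeout=5.0):
    def send(query):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # DNS over TCP: 2-byte length prefix
            f = s.makefile("rb")
            length = struct.unpack("!H", f.read(2))[0]
            return f.read(length)
    return send
```

To run it live, pass real transports, e.g. `resolve("www.example.com", udp_transport("192.0.2.53"), tcp_transport("192.0.2.53"))` with the placeholder address replaced by a resolver of your own. The acceptance check (matching ID plus a byte-for-byte echo of the question) is the minimum an end-host stub should apply before trusting a UDP reply; it is not DNSSEC validation, which is the extra step Weaver says DANE-style uses require.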

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext