Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Paul Vixie <vixie@isc.org> Sat, 01 October 2011 17:33 UTC

From: Paul Vixie <vixie@isc.org>
Organization: Internet Systems Consortium
To: dnsext@ietf.org
Date: Sat, 01 Oct 2011 17:36:27 +0000
User-Agent: KMail/1.13.5 (FreeBSD/8.1-RELEASE; KDE/4.4.5; amd64; ; )
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <D3890C96-DA07-4BA1-AB57-1A81EA2ED477@icsi.berkeley.edu>
In-Reply-To: <D3890C96-DA07-4BA1-AB57-1A81EA2ED477@icsi.berkeley.edu>
Message-Id: <201110011736.27664.vixie@isc.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

On Saturday, October 01, 2011 03:01:33 pm Nicholas Weaver wrote:
> > A side benefit of this is, the UPDATE opcode gets easy.
> 
> Use GET, but if you want it to get through the most busted of web caches,
> do the following:

why "use GET"?  if POST allows us to send a dns message as post-body, which 
could either be a query or an update, then why would we prefer GET?

> And I'd have the return value be JSON rather than raw DNS on the wire. 
> Why?
> 
> Because since the point is validating DNSSEC, the HTTP-server should not
> just return the record asked for, but the whole signature chain that it
> has.  Since this is more information than a normal DNS reply, it might
> benefit from a new encoding.

i've got a draft in production that adds an EDNS option "send chain" where the 
option payload is any ancestor of the QNAME and indicates the requestor's 
deepest validated trusted domain name.  this will solicit a longer trust chain 
(all the RRSIG, DNSKEY, DS RRs) between this ancestor and the QNAME.  it is 
something i'd like for UDP/53 whenever ip fragmentation is working, and 
something i'd like for TCP/53 whenever that's not firewalled out.  it could 
also be used in DNS-over-HTTP, assuming that we allow transmission of full DNS 
messages in both directions (therefore, using POST).

in other words i don't see this as HTTP-specific which is why it's not in this 
draft.
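An added illustration of the "send chain" EDNS option described in the message above, in the form of a wire-format encoder and a server-side parser; this is example code written for this page, not code from the message, from ISC, or from any published draft. Assumptions (labelled in the code): the option code 65001 is a placeholder taken from the EDNS private-use range and is not the code of any real option; the option payload is the ancestor name in uncompressed DNS wire format; the query sets the DO bit so that the RRSIG/DNSKEY/DS chain is meaningful; names in the message are uncompressed. The parser performs the check a responder would want: it rejects a payload that is not actually an ancestor of the QNAME, and it lists the names below that ancestor at which DS/DNSKEY/RRSIG RRs would have to be added for any zone cut on the path.

```python
# Added example (not code from the original message or from any ISC draft):
# a minimal wire-format encoder/decoder for an EDNS0 "send chain" option.
# ASSUMPTIONS: option code 65001 is a placeholder from the EDNS private-use
# range (65001-65534), not the code of any published draft; the option payload
# is the ancestor name in uncompressed DNS wire format; no name compression.
import struct

SEND_CHAIN_OPT = 65001  # ASSUMPTION: placeholder private-use option code
TYPE_OPT = 41           # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000         # DNSSEC OK flag in the OPT TTL field


def name_to_wire(name):
    """Encode a presentation-format name ('www.example.com.') as wire labels."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root terminator


def wire_to_name(buf, off):
    """Decode an uncompressed wire name at buf[off]; return (name, next_off)."""
    labels_ = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer: never valid inside OPT data
            raise ValueError("compression pointer in name")
        labels_.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels_) + ".", off


def labels(name):
    """Lower-cased label list, so ancestor comparison is case-insensitive."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def chain_below(ancestor, qname):
    """Names strictly below `ancestor` down to `qname`, top-down: the names at
    which a responder would add DS/DNSKEY/RRSIG RRs for each zone cut on the
    path.  Raises ValueError if `ancestor` is not an ancestor of `qname`."""
    a, q = labels(ancestor), labels(qname)
    if len(a) > len(q) or q[len(q) - len(a):] != a:
        raise ValueError("%s is not an ancestor of %s" % (ancestor, qname))
    return [".".join(q[i:]) + "." for i in range(len(q) - len(a) - 1, -1, -1)]


def build_query(qname, ancestor, qtype=1, txid=0x1234, udp_size=4096):
    """Client side: a DNS query for qname with DO=1 and a send-chain option
    naming the requestor's deepest validated ancestor.  This is a complete
    DNS message, so it could equally travel over UDP/53, TCP/53 or an HTTP
    POST body."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 Q, 1 AR
    question = name_to_wire(qname) + struct.pack("!HH", qtype, 1)  # class IN
    payload = name_to_wire(ancestor)
    options = struct.pack("!HH", SEND_CHAIN_OPT, len(payload)) + payload
    # OPT RR: owner is root, CLASS carries the UDP payload size, TTL carries
    # extended RCODE / version / flags (DO bit), RDATA is the option list.
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT,
                                   len(options)) + options
    return header + question + opt_rr


def parse_query(msg):
    """Server side: extract QNAME, the DO flag and the requested chain.
    Rejects a send-chain payload that is not an ancestor of QNAME or that
    carries trailing bytes after the name."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    off = 12
    qname, off = wire_to_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"qname": qname, "qtype": qtype, "do": False,
            "ancestor": None, "chain": None}
    for _ in range(an + ns + ar):  # walk every RR after the question section
        _, off = wire_to_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        info["do"] = bool(ttl & DO_BIT)
        o = 0
        while o < len(rdata):
            code, ln = struct.unpack("!HH", rdata[o:o + 4])
            data = rdata[o + 4:o + 4 + ln]
            o += 4 + ln
            if code == SEND_CHAIN_OPT:
                ancestor, end = wire_to_name(data, 0)
                if end != len(data):
                    raise ValueError("trailing bytes in send-chain option")
                info["ancestor"] = ancestor
                info["chain"] = chain_below(ancestor, qname)
    return info


if __name__ == "__main__":
    print(parse_query(build_query("www.example.com", "com")))
    try:
        parse_query(build_query("www.example.com", "example.org"))
    except ValueError as e:
        print("rejected:", e)
```

The example stops at the point where a real responder would start gathering records: it only computes which names lie between the claimed ancestor and the QNAME, not which of them are zone cuts or what the RRSIG/DNSKEY/DS sets are. The ancestor check matters because a client that names something other than an ancestor of QNAME is either buggy or probing; answering it with a chain wastes response bytes and, over UDP, amplification potential for nothing.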