
Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00



Ray,
 
I have read the draft, found no problems other than the missing security considerations
( I don't see any particular security considerations ), and fully support it.
 
Did you consider a "referral" model using NS records?
 
LOCAL.ARPA.    9000    NS    A.LOCAL.ARPA.
LOCAL.ARPA.    9000    NS    B.LOCAL.ARPA.
 
A.LOCAL.ARPA.    9000    A    1.2.3.4
B.LOCAL.ARPA.    9000    A    2.3.4.5
 
I think this may be cleaner, it allows multi-homed servers to be properly distinguished
( you shouldn't try an alternate address until other servers have been tried ), and
seems closer to the normal DNS representation of name servers.
 
A simplistic client can still just save all the A records, and ignore the names.
 
This may be significant if the glue types are extended in future to supply other link-local
parameters, for example the DNS transport protocols supported, or a link-local public key.
Although this is not a fully secure way to acquire a local public key, it does raise the bar for
an in-path attacker, and clients could warn users if a link-local public key changes.
 
I also note that using LOCALHOST, or a sub-domain of LOCALHOST, would avoid
non-local queries being sent by servers that are not aware of LOCAL.ARPA. Which
is the most appropriate domain to use I am unable to judge.
 
Regards,
George
 
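As an added illustration (not code from George's message or from the draft), the following Python shows how a client could consume the referral-style records above: it groups the A glue by server name so that an alternate address of one server is only tried after every other server has been tried, and contrasts that with the "simplistic client" that just keeps all the A records. The second address for A.LOCAL.ARPA. is a constructed addition to show the multi-homed case.

```python
from collections import OrderedDict

# Constructed sample in the referral layout from the message above, plus a
# second (constructed) address for A.LOCAL.ARPA. to exercise multi-homing.
SAMPLE_RECORDS = """\
LOCAL.ARPA.    9000    NS    A.LOCAL.ARPA.
LOCAL.ARPA.    9000    NS    B.LOCAL.ARPA.
A.LOCAL.ARPA.    9000    A    1.2.3.4
A.LOCAL.ARPA.    9000    A    1.2.3.5
B.LOCAL.ARPA.    9000    A    2.3.4.5
"""

def parse_records(text):
    """Parse 'owner TTL type rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        owner, _ttl, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype == "NS":
            rdata = rdata.upper()  # names compare case-insensitively
        records.append((owner.upper(), rtype, rdata))
    return records

def servers_by_name(records, zone="LOCAL.ARPA."):
    """Map each NS target of `zone` to its A addresses, preserving NS order.
    A server that has an NS record but no glue gets an empty list."""
    servers = OrderedDict()
    for owner, rtype, rdata in records:
        if owner == zone and rtype == "NS":
            servers.setdefault(rdata, [])
    for owner, rtype, rdata in records:
        if rtype == "A" and owner in servers:
            servers[owner].append(rdata)
    return servers

def try_order(servers):
    """Referral-aware order: every server's first address is tried before
    any server's alternate address, so glue-less servers are simply skipped."""
    order = []
    longest = max((len(a) for a in servers.values()), default=0)
    for i in range(longest):
        for addrs in servers.values():
            if i < len(addrs):
                order.append(addrs[i])
    return order

def flat_order(records):
    """Simplistic client: save all the A records and ignore the names."""
    return [rdata for _owner, rtype, rdata in records if rtype == "A"]
```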
----- Original Message -----
Sent: Thursday, October 15, 2009 4:00 PM
Subject: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00

I've just submitted the following draft.

--8<--8<--
A new version of I-D, draft-bellis-dns-recursive-discovery-00.txt has been successfully submitted by Ray Bellis and posted to the IETF repository.

Filename:         draft-bellis-dns-recursive-discovery
Revision:         00
Title:            DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA
Creation_date:    2009-10-15
WG ID:            Independent Submission
Number_of_pages:  9

Abstract:
This document describes a method for a DNS client resolver to
discover the IP addresses of the upstream recursive DNS resolvers and
hence bypass the local DNS proxy.  It also directs IANA to reserve
the "LOCAL.ARPA" domain name and to create a registry for well known
sub-domains of that domain name, such sub-domains being reserved for
use within any network's administrative boundary.
--8<--8<--


The draft is available for download at http://tools.ietf.org/html/draft-bellis-dns-recursive-discovery-00

Ray

--
Ray Bellis, MA(Oxon) MIET
Senior Researcher in Advanced Projects, Nominet
e: ray at nominet.org.uk, t: +44 1865 332211



_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop