[DNSOP] Data model and field names for DNS in JSON or XML

2012-01-18 Thread Stephane Bortzmeyer
I have a project where DNS data must be transported in Web-friendly
environments, which means encoded in JSON or XML. I'm not asking IETF
to normalize DNS-in-XML or DNS-in-JSON :-) I will define my format and
the field names, but I hope to save time by reusing analogous work.

I'm aware of draft-mohan-dns-query-xml, which partially solves my
problem (except I would like the RDATA to be structured as well, not a
blob of hexadecimal data).

Anything for JSON?
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
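An added example, not from the thread or from any of the drafts it mentions, of the data model the post asks for: a DNS message in wire format (RFC 1035 section 4.1) decoded into a JSON-ready structure in which the RDATA of the common types is broken out into named fields rather than left as a hex blob. The field names ("qname", "rdata", "preference", "exchange", and so on) are this example's own choices, not names from any specification, and the sample response for example.com is constructed inline so the code runs offline.

```python
"""Decode a DNS wire-format message into a dict with structured RDATA.

Added example; field names are this example's own, not from any RFC or
draft. Unknown RR types fall back to a hex blob so nothing is lost.
"""
import ipaddress
import json
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def _read_name(msg, off, depth=0):
    """Decode a (possibly compressed) name starting at offset `off`.

    Returns (dotted name, offset just past the name as it appears on the
    wire). Compression pointers must point backwards (RFC 1035 s4.1.4);
    a forward or self-referencing pointer would loop, so it is rejected.
    """
    labels = []
    while True:
        if depth > 16:
            raise ValueError("compression pointer loop")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer ends this name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            target, _ = _read_name(msg, ptr, depth + 1)
            labels.append(target)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:  # root label terminates the name
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def _decode_rdata(msg, rtype, start, rdlen):
    """Return structured RDATA for known types, {'hex': ...} otherwise."""
    end = start + rdlen
    if rtype == 1:
        return {"address": str(ipaddress.IPv4Address(msg[start:end]))}
    if rtype == 28:
        return {"address": str(ipaddress.IPv6Address(msg[start:end]))}
    if rtype in (2, 5):  # NS, CNAME: a single (compressible) name
        return {"target": _read_name(msg, start)[0]}
    if rtype == 15:  # MX: 16-bit preference followed by a name
        pref = struct.unpack("!H", msg[start:start + 2])[0]
        return {"preference": pref, "exchange": _read_name(msg, start + 2)[0]}
    if rtype == 16:  # TXT: sequence of <length><bytes> strings
        strings, off = [], start
        while off < end:
            n = msg[off]
            strings.append(msg[off + 1:off + 1 + n].decode("utf-8", "replace"))
            off += 1 + n
        return {"strings": strings}
    return {"hex": msg[start:end].hex()}


def wire_to_dict(msg):
    """Parse header, question and the three RR sections of a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {
        "id": ident,
        "flags": {"qr": bool(flags >> 15 & 1), "aa": bool(flags >> 10 & 1),
                  "rd": bool(flags >> 8 & 1), "ra": bool(flags >> 7 & 1),
                  "rcode": flags & 0xF},
        "question": [], "answer": [], "authority": [], "additional": [],
    }
    off = 12
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"].append({"qname": name,
                                "qtype": TYPE_NAMES.get(qtype, qtype),
                                "qclass": qclass})
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):
                raise ValueError("RDLENGTH runs past end of message")
            out[section].append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                                 "class": rclass, "ttl": ttl,
                                 "rdata": _decode_rdata(msg, rtype, off, rdlen)})
            off += rdlen
    return out


def _name(s):
    """Encode a dotted name as uncompressed labels (for the sample only)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"


# Constructed sample response: "example.com MX?" answered with one MX record
# plus A and AAAA glue for the exchange. Owner names and the exchange use a
# compression pointer (0xC00C) back to the question name at offset 12.
PTR_QNAME = b"\xc0\x0c"
MAIL = b"\x04mail" + PTR_QNAME
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 2)
    + _name("example.com") + struct.pack("!HH", 15, 1)
    + PTR_QNAME + struct.pack("!HHIH", 15, 1, 3600, 2 + len(MAIL)) + struct.pack("!H", 10) + MAIL
    + MAIL + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 25])
    + MAIL + struct.pack("!HHIH", 28, 1, 3600, 16) + ipaddress.IPv6Address("2001:db8::25").packed
)

if __name__ == "__main__":
    print(json.dumps(wire_to_dict(SAMPLE_RESPONSE), indent=2))
```

The same decoder can feed an XML serializer; the point is that the type-specific split of RDATA (preference and exchange for MX, the list of strings for TXT) happens once, at parse time, rather than being left to every consumer of the blob.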


Re: [DNSOP] Data model and field names for DNS in JSON or XML

2012-01-18 Thread Paul Vixie
On 1/18/2012 7:06 PM, W.C.A. Wijngaards wrote:
  this sounds very cool; is there an internet draft or tech note
  describing the protocol so that others may also implement this?

 It exists to bypass deep inspection firewalls, and it works.  The plain
 DNS format as you would use over TCP, but then on an SSL connection, so
 it's encrypted by SSLv3.  Uses port number 443 (the https port, no other
 use of that protocol, but then, because of SSL the firewall should not
 be able to tell).

alas, DPI can tell the difference between HTTPS and TLS in a TCP/443
stream. (the Tor guys told me this.)

 The SSL-certificates are there to make the SSL connection look legit to
 the firewall.  The DNSSEC inside the DNS wireformat provides
 authentication.

 There could be a technote or draft for it, but really: TCP-style-DNS
 inside SSL for transport.  That should tell enough for an implementation?

it's not enough. in particular, the order in which it's probed (compared
to EDNS0 UDP, EDNS0 TCP, old style UDP, old style TCP) should be
specified. the NS RRset gives no hint of the name server's capabilities.
and the IETF definition of interoperable depends not just on
independent implementations being able to talk to each other, but
independent implementations both based on the same specification that
can also talk to each other.


Re: [DNSOP] Data model and field names for DNS in JSON or XML

2012-01-18 Thread Nicholas Weaver

On Jan 18, 2012, at 11:14 AM, Paul Vixie wrote:

 On 1/18/2012 7:06 PM, W.C.A. Wijngaards wrote:
 this sounds very cool; is there an internet draft or tech note
 describing the protocol so that others may also implement this?
 
 It exists to bypass deep inspection firewalls, and it works.  The plain
 DNS format as you would use over TCP, but then on an SSL connection, so
 it's encrypted by SSLv3.  Uses port number 443 (the https port, no other
 use of that protocol, but then, because of SSL the firewall should not
 be able to tell).
 
 alas, DPI can tell the difference between HTTPS and TLS in a TCP/443
 stream. (the Tor guys told me this.)

However, a DNS query over 443 CAN be made to look fully like HTTPS for the 
purpose of traffic analysis, since the query can easily be constructed in a URL 
with the results returned as an XML or JSON blob.

An active adversary could probe the server and check, but the point is probably 
to evade ignorant adversaries (misconfigurations), not active censorship.



Re: [DNSOP] Data model and field names for DNS in JSON or XML

2012-01-18 Thread Stephane Bortzmeyer
On Wed, Jan 18, 2012 at 07:14:27PM +,
 Paul Vixie p...@redbarn.org wrote 
 a message of 74 lines which said:

 in particular, the order in which it's probed (compared to EDNS0
 UDP, EDNS0 TCP, old style UDP, old style TCP) should be
 specified. the NS RRset gives no hint of the name server's
 capabilities.

As far as I know, it is not intended to be probed, Unbound does not
attempt to use this feature with regular zone servers. It is supposed
to be a fixed forwarder that you know and trust, specified in the
configuration file (or via unbound-control), to tunnel DNS requests
outside of China/EvilCorporationWithFirewall/France.
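An added example, not posted in the thread, of what the fixed-forwarder setup described above looks like in Unbound's own configuration syntax: `ssl-upstream` makes Unbound send its upstream queries over SSL/TLS instead of plain TCP/UDP, and the `@443` suffix on `forward-addr` selects the HTTPS port. The forwarder address 192.0.2.1 and the trust-anchor path are placeholders. Keep DNSSEC validation on: as the thread notes, the server's certificate only makes the connection look like HTTPS to a firewall, and it is DNSSEC inside the wire format that authenticates the answers.

```conf
server:
    # Send every upstream query over SSL/TLS rather than plain DNS.
    ssl-upstream: yes
    # The forwarder's certificate does not authenticate answers; DNSSEC
    # does. Placeholder path for the RFC 5011 managed root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

forward-zone:
    # Forward everything to the one trusted, hand-configured server.
    name: "."
    # Placeholder address; @443 picks the port the firewall expects HTTPS on.
    forward-addr: 192.0.2.1@443
```

Nothing here is probed or discovered: the forwarder is the only upstream Unbound will use, which is why the negotiation order Paul asks about does not arise in this configuration.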


Re: [DNSOP] Data model and field names for DNS in JSON or XML

2012-01-18 Thread Lawrence Conroy
On 18 Jan 2012, at 19:41, Stephane Bortzmeyer wrote:
 On Wed, Jan 18, 2012 at 07:14:27PM +,
 Paul Vixie p...@redbarn.org wrote 
 a message of 74 lines which said:
 
 in particular, the order in which it's probed (compared to EDNS0
 UDP, EDNS0 TCP, old style UDP, old style TCP) should be
 specified. the NS RRset gives no hint of the name server's
 capabilities.
 
 As far as I know, it is not intended to be probed, Unbound does not
 attempt to use this feature with regular zone servers. It is supposed
 to be a fixed forwarder that you know and trust, specified in the
 configuration file (or via unbound-control), to tunnel DNS requests
 outside of China/EvilCorporationWithFirewall/France.

To which I reply:

Hi Stephane, folks,
 ... and, with today's SOPA/PIPA froth, outside of the US?

Pity -- I had hoped that this was using the dns: URL and an XML format had been 
defined for the response.
[probe would be, I guess do the usual, and if that doesn't work, try port 443 
and a dns: URL (or try that first, then ...)]
sigh.

all the best,
  Lawrence