Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
神明達哉 <jinmei@wide.ad.jp> Wed, 20 August 2014 15:44 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930101A03CF for <dns-privacy@ietfa.amsl.com>; Wed, 20 Aug 2014 08:44:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRdRozBHB_zs for <dns-privacy@ietfa.amsl.com>; Wed, 20 Aug 2014 08:44:34 -0700 (PDT)
Received: from mail-we0-x229.google.com (mail-we0-x229.google.com [IPv6:2a00:1450:400c:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E07E1A06A8 for <dns-privacy@ietf.org>; Wed, 20 Aug 2014 08:44:34 -0700 (PDT)
Received: by mail-we0-f169.google.com with SMTP id u56so8045901wes.28 for <dns-privacy@ietf.org>; Wed, 20 Aug 2014 08:44:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=WpTmjL/A0rZ3hdxzW2H+ZeQ7LIyglL+V3rv7JuE5uUA=; b=XchTz/ayG2DRKg7FbGkALIXv1c/xjbjaLWwCo0vkPo4+kjjA05+FO9G3ZOxT37rsUr gKw2r9p3xC5iQgY6aFb7k/OqUTLoy2YzBM07cyK/ezoc8RmeQzw1apcfUwQ0sMoSPhZC ZwLIHL4lEyRbm0UZ3vsuCySPCGP3cGhCY/hiQU53xbjmSuvBGwWxe9360ywSbz5QhU6a Hi8WlvKjAox4n4179Z4FIFMYqz/F6dAZdkxR6F3Qp2Gy2BbQKO8NjM7nKizNyyun0uht DGazgMq1LmQ3U2bXDBd3ATTD4ijxEbO/6wC679SyPt6FTo2eZs9SuGu58HyCeqN3lcLQ 9z7g==
MIME-Version: 1.0
X-Received: by 10.181.13.116 with SMTP id ex20mr16210560wid.31.1408549471956; Wed, 20 Aug 2014 08:44:31 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.194.123.164 with HTTP; Wed, 20 Aug 2014 08:44:31 -0700 (PDT)
In-Reply-To: <361D96E3-CD31-4E2B-88E3-46E44D6F8C3D@vpnc.org>
References: <20140818175701.12317.96810.idtracker@ietfa.amsl.com> <FF99C324-2959-48EB-A187-18007F7AA364@vpnc.org> <CAJE_bqeoUx2gFsnVgZYfoWASkHaMgKW4tR552YRmQ4ZNzH1M=g@mail.gmail.com> <361D96E3-CD31-4E2B-88E3-46E44D6F8C3D@vpnc.org>
Date: Wed, 20 Aug 2014 08:44:31 -0700
X-Google-Sender-Auth: XWbS-16YNJAc0dwTENbDpjzo5As
Message-ID: <CAJE_bqeWOM6B2OHQa_TybbDAyBLCkc=vsSscx-fToY06o0qq9w@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/4vYn_u2Lv0althpB0sYVrXhUogY
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 15:44:35 -0000
At Tue, 19 Aug 2014 11:32:54 -0700, Paul Hoffman <paul.hoffman@vpnc.org> wrote: > > Is this "security-oblivious stub" the concept defined in RFC 4033? > > If so, I think it's helpful to refer to the RFC explicitly. And, > > even if so, I'm not sure how the "security-oblivious"ness > > matters in this context. Some more explanation might be needed. > > This was just a leftover from a pre-draft when I was trying to deal with passing validation responses from resolver as well. It should simply have read "A stub resolver MAY..." Ah, okay. > > - Section 2.2 > > > > A stub resolver cannot tell whether it is sending queries to a > > recursive resolver or to a DNS forwarder. Therefore, a DNS forwarder > > that acts as a TLS server for DNS requests MUST also act as a TLS > > client for queries to its upstream recursive resolvers. > > > > I wonder this 'MUST' may be too strong [...] > Good catch. Proposed replacement to handle the case where the recursive resolver doesn't do TLS: > > A stub resolver cannot tell whether it is sending queries to a > recursive resolver or to a DNS forwarder. Therefore, a DNS forwarder > that acts as a TLS server for DNS requests MUST also attempt to act as a TLS > client for queries to its upstream recursive resolvers, but MAY > use the normal DNS protocol on port 53 if an upstream recursive > resolver does set up a TLS session. This works for me (I realize there's a followup discussion regarding the possibility of downgrade attacks, on which I don't have a strong opinion yet). > > - General: perhaps related to the above points, I wonder what the stub > > resolver should do if it finds the recursive server(s) don't support > > the TLS extension. It's probably just another policy matter (it can > > simply give up or live with resolution without encryption, etc), but > > I think it's worth noting explicitly. > > Sure, let's be explicit. Proposed addition to the policy section: > > If a recursive resolver does not respond on port 443 or set up a TLS session, the stub resolver MAY use the normal DNS protocol on port 53. Works for me, too. -- JINMEI, Tatuya
- [dns-privacy] New draft on encrypting the stub-to… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Joe Abley
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Carsten Strotmann
- Re: [dns-privacy] New draft on encrypting the stu… 神明達哉
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Carsten Strotmann
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Stephane Bortzmeyer
- Re: [dns-privacy] New draft on encrypting the stu… 神明達哉
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Jacob Appelbaum
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Paul Wouters
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- [dns-privacy] draft-hoffman-dns-tls-stub-01 posted Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… David Ulevitch
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Wes Hardaker
- [dns-privacy] Authenticating the resolver Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Mark Andrews
- Re: [dns-privacy] New draft on encrypting the stu… Wes Hardaker
- Re: [dns-privacy] Authenticating the resolver Wes Hardaker
- Re: [dns-privacy] Authenticating the resolver Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… John Heidemann
- Re: [dns-privacy] New draft on encrypting the stu… Phillip Hallam-Baker