IETF Logo Mail Archive

Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt

神明達哉 <jinmei@wide.ad.jp> Wed, 20 August 2014 15:44 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930101A03CF for <dns-privacy@ietfa.amsl.com>; Wed, 20 Aug 2014 08:44:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRdRozBHB_zs for <dns-privacy@ietfa.amsl.com>; Wed, 20 Aug 2014 08:44:34 -0700 (PDT)
Received: from mail-we0-x229.google.com (mail-we0-x229.google.com [IPv6:2a00:1450:400c:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E07E1A06A8 for <dns-privacy@ietf.org>; Wed, 20 Aug 2014 08:44:34 -0700 (PDT)
Received: by mail-we0-f169.google.com with SMTP id u56so8045901wes.28 for <dns-privacy@ietf.org>; Wed, 20 Aug 2014 08:44:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=WpTmjL/A0rZ3hdxzW2H+ZeQ7LIyglL+V3rv7JuE5uUA=; b=XchTz/ayG2DRKg7FbGkALIXv1c/xjbjaLWwCo0vkPo4+kjjA05+FO9G3ZOxT37rsUr gKw2r9p3xC5iQgY6aFb7k/OqUTLoy2YzBM07cyK/ezoc8RmeQzw1apcfUwQ0sMoSPhZC ZwLIHL4lEyRbm0UZ3vsuCySPCGP3cGhCY/hiQU53xbjmSuvBGwWxe9360ywSbz5QhU6a Hi8WlvKjAox4n4179Z4FIFMYqz/F6dAZdkxR6F3Qp2Gy2BbQKO8NjM7nKizNyyun0uht DGazgMq1LmQ3U2bXDBd3ATTD4ijxEbO/6wC679SyPt6FTo2eZs9SuGu58HyCeqN3lcLQ 9z7g==
MIME-Version: 1.0
X-Received: by 10.181.13.116 with SMTP id ex20mr16210560wid.31.1408549471956; Wed, 20 Aug 2014 08:44:31 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.194.123.164 with HTTP; Wed, 20 Aug 2014 08:44:31 -0700 (PDT)
In-Reply-To: <361D96E3-CD31-4E2B-88E3-46E44D6F8C3D@vpnc.org>
References: <20140818175701.12317.96810.idtracker@ietfa.amsl.com> <FF99C324-2959-48EB-A187-18007F7AA364@vpnc.org> <CAJE_bqeoUx2gFsnVgZYfoWASkHaMgKW4tR552YRmQ4ZNzH1M=g@mail.gmail.com> <361D96E3-CD31-4E2B-88E3-46E44D6F8C3D@vpnc.org>
Date: Wed, 20 Aug 2014 08:44:31 -0700
X-Google-Sender-Auth: XWbS-16YNJAc0dwTENbDpjzo5As
Message-ID: <CAJE_bqeWOM6B2OHQa_TybbDAyBLCkc=vsSscx-fToY06o0qq9w@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/4vYn_u2Lv0althpB0sYVrXhUogY
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 15:44:35 -0000

At Tue, 19 Aug 2014 11:32:54 -0700,
Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> >  Is this "security-oblivious stub" the concept defined in RFC 4033?
> >  If so, I think it's helpful to refer to the RFC explicitly.  And,
> >  even if so, I'm not sure how the "security-oblivious"ness
> >  matters in this context.  Some more explanation might be needed.
>
> This was just a leftover from a pre-draft when I was trying to deal with passing validation responses from resolver as well. It should simply have read "A stub resolver MAY..."

Ah, okay.

> > - Section 2.2
> >
> >   A stub resolver cannot tell whether it is sending queries to a
> >   recursive resolver or to a DNS forwarder.  Therefore, a DNS forwarder
> >   that acts as a TLS server for DNS requests MUST also act as a TLS
> >   client for queries to its upstream recursive resolvers.
> >
> > I wonder this 'MUST' may be too strong
[...]
> Good catch. Proposed replacement to handle the case where the recursive resolver doesn't do TLS:
>
>   A stub resolver cannot tell whether it is sending queries to a
>   recursive resolver or to a DNS forwarder.  Therefore, a DNS forwarder
>   that acts as a TLS server for DNS requests MUST also attempt to act as a TLS
>   client for queries to its upstream recursive resolvers, but MAY
>   use the normal DNS protocol on port 53 if an upstream recursive
>   resolver does set up a TLS session.

This works for me (I realize there's a followup discussion regarding
the possibility of downgrade attacks, on which I don't have a strong
opinion yet).

> > - General: perhaps related to the above points, I wonder what the stub
> >  resolver should do if it finds the recursive server(s) don't support
> >  the TLS extension.  It's probably just another policy matter (it can
> >  simply give up or live with resolution without encryption, etc), but
> >  I think it's worth noting explicitly.
>
> Sure, let's be explicit. Proposed addition to the policy section:
>
> If a recursive resolver does not respond on port 443 or set up a TLS session, the stub resolver MAY use the normal DNS protocol on port 53.

Works for me, too.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email