Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 15 December 2016 09:03 UTC

Date: Thu, 15 Dec 2016 09:59:43 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Shane Kerr <shane@time-travellers.org>
Message-ID: <20161215085943.GB4348@sources.org>
References: <20161213105936.opaqw6hwwkx3txk2@nic.fr> <20161213154625.6b314fe6@pallas.home.time-travellers.org> <20161213154133.prn6h7rdwk7md5aj@nic.fr> <20161214121817.2e4476c5@pallas.home.time-travellers.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20161214121817.2e4476c5@pallas.home.time-travellers.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/5en_UhWyD5NtwlBFtA8gmQt-3vg>
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

On Wed, Dec 14, 2016 at 12:18:17PM +0100,
 Shane Kerr <shane@time-travellers.org> wrote 
 a message of 87 lines which said:

> So basically you are advocating a model where meta-data
> (specifically lookups of NS records and their associated A/AAAA
> records) is public and other data is private?

Not at all. I'm suggesting (see the algorithm in
<https://tools.ietf.org/html/draft-bortzmeyer-dprive-step-2-04#section-3.2>)
to switch to opportunistic mode (encrypt but do not try to
authenticate) when retrieving the DANE material. As soon as you get
enough information to authenticate, you go back to strict mode.

This is similar to what is suggested in
<https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-07#section-8.2.1>
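A toy model of the mode switch described in the message above, added here as an illustration; it is not code from the draft or from anyone in this thread. It assumes a DANE-EE TLSA record (usage 3, selector 1, matching type 1) for the authoritative server at `_853._tcp.<ns-host>`, simulates DNSSEC validation with a flag on the record, and takes one policy decision the text does not spell out: the opportunistic channel is used for the TLSA lookup only, and if that yields no validated record the resolver refuses the real query rather than downgrading. All names, keys and addresses are constructed.

```python
import hashlib
from dataclasses import dataclass, field

STRICT = "strict"                 # TLS + DANE authentication required
OPPORTUNISTIC = "opportunistic"   # TLS, but the server is not authenticated


@dataclass(frozen=True)
class TLSA:
    usage: int       # 3 = DANE-EE: match the server's own certificate/key
    selector: int    # 1 = SubjectPublicKeyInfo
    mtype: int       # 1 = SHA-256 of the selected data
    data: bytes
    validated: bool  # simulated DNSSEC result: True only if the RRset validated


@dataclass
class Cache:
    tlsa: dict = field(default_factory=dict)   # owner name -> list[TLSA]


def tlsa_name(ns_host, port=853):
    return f"_{port}._tcp.{ns_host}"


def validated_tlsa(cache, ns_host):
    return [r for r in cache.tlsa.get(tlsa_name(ns_host), []) if r.validated]


def choose_mode(cache, ns_host):
    """Strict whenever we hold a DNSSEC-validated TLSA record for the server."""
    return STRICT if validated_tlsa(cache, ns_host) else OPPORTUNISTIC


def spki_matches(rec, spki_der):
    """DANE-EE(3) / SPKI(1) / SHA-256(1): the only combination this demo models."""
    if (rec.usage, rec.selector, rec.mtype) != (3, 1, 1):
        raise NotImplementedError("demo handles TLSA 3 1 1 only")
    return hashlib.sha256(spki_der).digest() == rec.data


def authenticate(cache, ns_host, presented_spki):
    return any(spki_matches(r, presented_spki) for r in validated_tlsa(cache, ns_host))


class ToyServer:
    """Stand-in for the TLS endpoint of an authoritative server (constructed)."""
    def __init__(self, spki_der, rrsets):
        self.spki = spki_der    # key the server presents in its certificate
        self.rrsets = rrsets    # (owner, type) -> list of records

    def query(self, owner, rtype):
        return list(self.rrsets.get((owner, rtype), []))


def connect(cache, ns_host, server, log):
    """One connection attempt; returns the server handle, or None if refused."""
    mode = choose_mode(cache, ns_host)
    if mode == STRICT and not authenticate(cache, ns_host, server.spki):
        log.append((mode, "refused: presented key matches no validated TLSA"))
        return None
    log.append((mode, "connected"))
    return server


def resolve(cache, ns_host, server, qname, qtype):
    """Opportunistic only to fetch DANE material, then strict for the real query."""
    log = []
    conn = connect(cache, ns_host, server, log)
    if conn is None:
        return log, []
    if choose_mode(cache, ns_host) == OPPORTUNISTIC:
        # Bootstrap: the TLSA lookup is the only query sent over the
        # unauthenticated channel. A forged answer cannot validate, so it
        # never flips us into strict mode with an attacker's key.
        fetched = conn.query(tlsa_name(ns_host), "TLSA")
        cache.tlsa.setdefault(tlsa_name(ns_host), []).extend(fetched)
        # Policy assumed by this demo: no real query is ever answered
        # opportunistically; with nothing validated we give up instead.
        if choose_mode(cache, ns_host) != STRICT:
            log.append((OPPORTUNISTIC, "refused: no validated TLSA after bootstrap"))
            return log, []
        conn = connect(cache, ns_host, server, log)   # back to strict mode
        if conn is None:
            return log, []
    return log, conn.query(qname, qtype)


# --- constructed sample data ------------------------------------------------
NS_HOST = "ns1.example."
GOOD_SPKI = b"-- constructed SubjectPublicKeyInfo of ns1.example --"
MITM_SPKI = b"-- constructed SubjectPublicKeyInfo of an impostor --"


def make_tlsa(spki_der, validated):
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest(), validated)


def honest_server():
    return ToyServer(GOOD_SPKI, {
        (tlsa_name(NS_HOST), "TLSA"): [make_tlsa(GOOD_SPKI, validated=True)],
        ("www.example.", "A"): ["192.0.2.10"],
    })


def impostor_server():
    # Serves a TLSA for its own key but cannot produce valid RRSIGs for it.
    return ToyServer(MITM_SPKI, {
        (tlsa_name(NS_HOST), "TLSA"): [make_tlsa(MITM_SPKI, validated=False)],
        ("www.example.", "A"): ["198.51.100.66"],
    })


if __name__ == "__main__":
    cache = Cache()
    print(resolve(cache, NS_HOST, honest_server(), "www.example.", "A"))
    print(resolve(cache, NS_HOST, impostor_server(), "www.example.", "A"))
```

Running it shows the cold-cache path (one opportunistic connection that fetches the TLSA, then a strict one that answers) followed by a strict-mode refusal of an impostor whose key matches no validated record; an impostor met on a cold cache can only hand back an unvalidated TLSA, which leaves the resolver opportunistic and, under the demo's policy, unanswered.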