Re: [dns-privacy] New Version Notification for draft-zatda-dprive-xfr-using-dso-00.txt
Sara Dickinson <sara@sinodun.com> Wed, 10 July 2019 12:57 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D70FB12013E for <dns-privacy@ietfa.amsl.com>; Wed, 10 Jul 2019 05:57:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fOhYDXj-beuO for <dns-privacy@ietfa.amsl.com>; Wed, 10 Jul 2019 05:57:09 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CE85120137 for <dns-privacy@ietf.org>; Wed, 10 Jul 2019 05:57:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=Q9mAybny3647iXW+W3bbQbfGm9S8XiATRdfu+xrfNwI=; b=FvWpFh1CioFCGWqTus8EccMdSM EooPyLc/XH/JrdL/9dCPO4PKVdYTlO/hHMhwbHJJ7+pcxG5H8tODkxhmWwz12CH2+y4uJr2jvz8wJ TXh47ctkcBJTInV1D1jZlRUJejTRyzEFsmLz0ee1MTQ4jBvDCI1khEKjeZDraLN/ruwr/msDtWvkm 4pkKDzjvb6VaFFl50CQc3u94wltu8p+1Qut4Plvi3Ul/H3uWAr7JXGU+ZSQFdsS5R5MyXoHM01AiC dqT3rPFSTg57tjtGIf6d8rJT/D2oE3gRzTOlPFBY4pcVFO5qg6OIcUUnacYgNiXsMvQrqG8C8iWbz Ef3hrgxA==;
Received: from [2001:b98:204:102:fffa::41e7] (port=52806) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <sara@sinodun.com>) id 1hlC9e-0001od-UZ; Wed, 10 Jul 2019 13:57:07 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <067DCFB0-2549-4C0F-BE84-CEE85D32F5A8@bangj.com>
Date: Wed, 10 Jul 2019 13:56:58 +0100
Cc: dns-privacy@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <8C85482B-6409-4477-A8EF-275BA89AB952@sinodun.com>
References: <156260792242.808.508025353392512987.idtracker@ietfa.amsl.com> <E2CC956E-C409-46CC-881A-0C9D900C6EFC@sinodun.com> <067DCFB0-2549-4C0F-BE84-CEE85D32F5A8@bangj.com>
To: Tom Pusateri <pusateri@bangj.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/6G7KYs_nf7W_iYNvS_EaN_oUICw>
Subject: Re: [dns-privacy] New Version Notification for draft-zatda-dprive-xfr-using-dso-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 12:57:12 -0000
> On 9 Jul 2019, at 23:29, Tom Pusateri <pusateri@bangj.com> wrote: > > This is a great use of DSO and pub/sub. I support this work and I like the new acronym XuD in the spirit of DoT and DoH, etc. Hi Tom, Thanks for the feedback > > Some minor comments: > > In the Abstract is NOTITY/SOA instead of NOTIFY/SOA. > > In the Terminology section, XuD is defined using DOS instead of DSO. Both fixed in the next version - thanks. > > In the Overview, you mention clients should only subscribe for zones they are authorised to transfer. This needs a little more context. Who authorises a client? How does a client know it is authorised? Yes - this does need more context. Perhaps it is better phrased that ’secondaries should only create XuD subscriptions on connections to severs that are expliclty configured as primaries for the zone in question’? This makes it independent of the authentication model. > > In 7.1, in a note, you mention TSIG can be used by the client to demonstrate that it is authorised so maybe this is what is meant earlier in the overview but it should be more explicit but also, it would be neat if SIG(0) certificate verification could be used for authorisation as well to obviate the need for out of band secret exchange. There is a full discussion of authentication methods in the 'DNS Zone Transfer-over-TLS’ (https://datatracker.ietf.org/doc/draft-hzpa-dprive-xfr-over-tls/) which is reference here but not reproduced. But a discussion of SIG(0) should be added there…. > > In 7.1.1.1, there is mention of efficiently packing stream data into TCP segments. This is also in the PUSH draft but I think it should be removed from there and from here as well because once the data is encoded in a TLS session, it’s much more difficult for the sender to have control over the size of TCP segments sent. I’ve actually had a couple of off list discussions that propose the TCP use case for this is a valid one and we should make TLS optional, in which case this should probably stay in this draft with that qualification? (I know PUSH requires TLS). > > In 7.3.1, you ask the question if the equivalent of a RECONFIRM message is needed. The answer is no. This is specific to the way service discovery currently works and it is not applicable in the XFR case. Thanks for that - I couldn’t see the use case for zone transfer. There are other cases of needing to ‘reset' the transfer in various ways which we’ll try to address in the next version. Thanks Sara. > > Thanks, > Tom > >> On Jul 9, 2019, at 5:03 AM, Sara Dickinson <sara@sinodun.com> wrote: >> >> Hi All, >> >> A new draft has been submitted that outlines the basics of a DSO based mechanism for zone transfers requiring TLS. >> >> There is much more work to do on the details and potentially additional messaging to define but hopefully this includes information to get some initial feedback on this proposal. >> >> Best regards >> >> Sara. >> >>> On 8 Jul 2019, at 18:45, internet-drafts@ietf.org wrote: >>> >>> >>> A new version of I-D, draft-zatda-dprive-xfr-using-dso-00.txt >>> has been successfully submitted by Sara Dickinson and posted to the >>> IETF repository. >>> >>> Name: draft-zatda-dprive-xfr-using-dso >>> Revision: 00 >>> Title: DNS Zone Transfer using DNS Stateful Operations >>> Document date: 2019-07-08 >>> Group: Individual Submission >>> Pages: 21 >>> URL: https://www.ietf.org/internet-drafts/draft-zatda-dprive-xfr-using-dso-00.txt >>> Status: https://datatracker.ietf.org/doc/draft-zatda-dprive-xfr-using-dso/ >>> Htmlized: https://tools.ietf.org/html/draft-zatda-dprive-xfr-using-dso-00 >>> Htmlized: https://datatracker.ietf.org/doc/html/draft-zatda-dprive-xfr-using-dso >>> >>> >>> Abstract: >>> DNS zone transfers are transmitted in clear text, which gives >>> attackers the opportunity to collect the content of a zone by >>> eavesdropping on network connections. This document specifies use of >>> DNS Stateful Operations to enable a subscribe/publish mechanism for >>> zone transfers reducing the over head introduced by NOTITY/SOA >>> interactions prior to zone transfer request. This additionally >>> prevents zone contents collection via passive monitoring of zone >>> transfers by restricting XFR using DSO to require TLS. >>> >>> >>> >>> >>> Please note that it may take a couple of minutes from the time of submission >>> until the htmlized version and diff are available at tools.ietf.org. >>> >>> The IETF Secretariat >>> >> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy >
- Re: [dns-privacy] New Version Notification for dr… Sara Dickinson
- Re: [dns-privacy] New Version Notification for dr… Tom Pusateri
- Re: [dns-privacy] New Version Notification for dr… Sara Dickinson
- Re: [dns-privacy] New Version Notification for dr… Tony Finch
- Re: [dns-privacy] New Version Notification for dr… Matthijs Mekking