Re: [dns-privacy] Joel Jaeggli's Discuss on draft-ietf-dprive-edns0-padding-02: (with DISCUSS)
joel jaeggli <joelja@bogus.com> Mon, 29 February 2016 21:39 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6B271B3CC5; Mon, 29 Feb 2016 13:39:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.006] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ayk-a5F9j1yA; Mon, 29 Feb 2016 13:39:58 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 409331B3CC4; Mon, 29 Feb 2016 13:39:58 -0800 (PST)
Received: from mb-2.local ([8.18.217.194]) (authenticated bits=0) by nagasaki.bogus.com (8.14.9/8.14.9) with ESMTP id u1TLdt3K037254 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 29 Feb 2016 21:39:55 GMT (envelope-from joelja@bogus.com)
To: Shane Kerr <shane@time-travellers.org>
References: <20160229195527.11806.46599.idtracker@ietfa.amsl.com> <20160229223447.78935641@pallas.home.time-travellers.org>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <31a8330c-b14a-bd75-5432-380758f95a2c@bogus.com>
Date: Mon, 29 Feb 2016 13:39:51 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.0
MIME-Version: 1.0
In-Reply-To: <20160229223447.78935641@pallas.home.time-travellers.org>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="01SgCIdCjxlaaUbxv6keuJ1lSAIaeorRd"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/7CTu6wIvFXJcy3eMzL_IpKtj-Q4>
Cc: tjw.ietf@gmail.com, draft-ietf-dprive-edns0-padding@ietf.org, dns-privacy@ietf.org, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org
Subject: Re: [dns-privacy] Joel Jaeggli's Discuss on draft-ietf-dprive-edns0-padding-02: (with DISCUSS)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Feb 2016 21:39:59 -0000
On 2/29/16 1:34 PM, Shane Kerr wrote: > Joel, > > At 2016-02-29 11:55:27 -0800 > "Joel Jaeggli" <joelja@bogus.com> wrote: >> >> This is just something I want to discuss, it's not an objection... >> >> At this point we say: >> >> Implementations therefore >> SHOULD avoid using this option if the DNS transport is not encrypted. >> >> If you did allow this on unencrypted dns transport this seems like it >> serves as a utility function for DNS amplification. >> >> Wouldn't it be better to say MUST NOT? >> >> e.g. this is exclusively for use with TLS / DTLS supporting sessions? > > If the concern is amplification, then this is independent of > encryption. Unencrypted TCP or even DNS cookies should address the > concern, the same as they do for any large response. > > In the interests of simplicity I think your suggestion of making it a > MUST NOT makes sense though. Perhaps a sentence explaining the > motivation for such a strong recommendation is beneficial in that case. > > Something like: > > The use of the EDNS(0) Padding provides only a benefit when DNS > packets are not transported in clear text. Further, it is possible > EDNS(0) Padding may make DNS amplification attacks easier. > Implementations therefore MUST NOT use this option if the DNS > transport is not encrypted. > > Personally I would be happy if the definition of "DNS transport" > remains vague in the hopes of covering everything. ;) I like this proposal just fine, if we're not violating the assumptions of any of the participants... thanks joel > Cheers, > > -- > Shane >
- [dns-privacy] Joel Jaeggli's Discuss on draft-iet… Joel Jaeggli
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Stephen Farrell
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Barry Leiba
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Stephen Farrell
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Shane Kerr
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… joel jaeggli
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Warren Kumari
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Mark Andrews
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Joel Jaeggli