Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
"Jiankang Yao" <yaojk@cnnic.cn> Wed, 08 July 2015 07:21 UTC
Return-Path: <yaojk@cnnic.cn>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40FC21B31C2 for <dns-privacy@ietfa.amsl.com>; Wed, 8 Jul 2015 00:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zK_Gli1SH8Hw for <dns-privacy@ietfa.amsl.com>; Wed, 8 Jul 2015 00:21:09 -0700 (PDT)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id 5BBB51AD368 for <dns-privacy@ietf.org>; Wed, 8 Jul 2015 00:21:06 -0700 (PDT)
Received: from healthyao-THINK (unknown [218.241.103.29]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0AJEZVgz5xV0JqJBw--.5543S2; Wed, 08 Jul 2015 15:21:04 +0800 (CST)
Date: Wed, 08 Jul 2015 15:21:03 +0800
From: Jiankang Yao <yaojk@cnnic.cn>
To: Ted Hardie <ted.ietf@gmail.com>
References: <2015070714161016259349@cnnic.cn>, <CA+9kkMAoRAiiLf7uFKP_UFpfvKpT-d=i_KpNxaFQKXcPaxZkMA@mail.gmail.com>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.0.1.92[cn]
Mime-Version: 1.0
Message-ID: <2015070815195960707175@cnnic.cn>
Content-Type: multipart/alternative; boundary="----=_001_NextPart801452675573_=----"
X-CM-TRANSID: AQAAf0AJEZVgz5xV0JqJBw--.5543S2
X-Coremail-Antispam: 1UD129KBjvJXoW7tFW5KF13GFyrAFyfuFWrAFb_yoW5Jr47pF ZYqrnagr1kGr4xAF18Aw48XF4UZFZ3ZF45tFs7Ja1ay3y5Jw1I93y0ka1F9ayUJw1xWFWF va1YvrnrGanY93DanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvKb7Iv0xC_tr1lb4IE77IF4wAFF20E14v26r1j6r4UM7CY07I2 0VC2zVCF04k26cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rw A2F7IY1VAKz4vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xII jxv20xvEc7CjxVAFwI0_Cr0_Gr1UM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I 8E87Iv6xkF7I0E14v26rxl6s0DM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVCF0I0E 4I0vr24lYx0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4 IE7xkEbVWUJVW8JwACjcxG0xvY0x0EwIxGrwACY4xI67k04243AVAKzVAKj4xxMxkIecxE wVAFwVW8CwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F4 0E14v26r106r1rMI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jrv_JF1l IxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxV AFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6rW3Jr0E3s1lIxAIcVC2z280aVAFwI0_ Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVWUJVW8JwCE64xvF2IEb7IF0Fy7YxBIdaVFxh VjvjDU0xZFpf9x07je89NUUUUU=
X-CM-SenderInfo: x1dryyw6fq0xffof0/
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/AGylgW91nSUAWwnfbCFIuFtdj1c>
Cc: dns-privacy <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: yaojk <yaojk@cnnic.cn>
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 07:21:11 -0000
From: Ted Hardie
Date: 2015-07-07 23:17
To: yaojk
CC: dns-privacy
Subject: Re: [dns-privacy] Fw: Fw: New Version Notification for draft-zuo-dprive-encryption-over-udp-00.txt
Howdy,
A couple of questions. First, the document appears to say that the stub gets the public key of the recursive resolver from the certificate authority infrastructure, and it cites RFC 5280; that would tell you how to identify a public key from within a cert, but I'm not clear on how you expect the stub to get the cert. Can you explain.
[Jiankang Yao]
Yes, the current version of this draft does not cover how the stub gets the cert. We will clarify it in the next version.
Second, the draft says this:
If the query name is very common and not
relating to user privacy, the stub resolver can do name resolution
through traditional unencrypted way and thus does not need to
implement the approach proposed in this draft. While if the query
name relates to user privacy, the stub resolver can use the method
presented in this draft to encrypt the DNS queries. And accordingly,
the recursive server also encrypts the DNS response with the public
key extracted from the DNS query.
This provides a flag to attackers on what traffic is "sensitive" and should be avoided. Also, the draft does not suggest the rate at which the stub should change its associate public key, but it clearly should do so or it will create a long-lived association of identity with the queries that impacts privacy.
[Jiankang Yao]
the current mechanism is that stub puts its public key into the DNS packet encrypted with Public key of the resolver when the stub sends the query to the resolver each time. so the stub can change its public key anytime before sending its query.
Yes, it is bett that the draft suggests some rate for the assoicated stub public key.
It's also not clear to me, given that the stub public key is sent in the query to the recursive resolver how you avoid an attacker standing up a back-to-back user agent which strips that option, substitutes its own public key, gets the data and then passes it on. (It may be, of course, that this attack is out of scope).
[Jiankang Yao]
Yes, the attacker standing up a back-to-back user agent can strip that option, substitute its own public key, get the data and then pass it on.
but I think that it should be no use because the attacker can not know the contents of the DNS packet send by the stub.
thanks a lot!
Jiankang Yao
- [dns-privacy] Fw: Fw: New Version Notification fo… Jiankang Yao
- Re: [dns-privacy] New Version Notification for dr… Paul Hoffman
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] New Version Notification for dr… Jiankang Yao
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Jiankang Yao
- Re: [dns-privacy] New Version Notification for dr… 🔓Dan Wing
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… zuopeng@cnnic.cn
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Ted Hardie
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… zuopeng@cnnic.cn
- Re: [dns-privacy] Fw: Fw: New Version Notificatio… Hosnieh Rafiee