Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses

Joe Abley <> Wed, 19 March 2014 19:25 UTC

From: Joe Abley <>
Date: Wed, 19 Mar 2014 15:25:42 -0400
To: Phillip Hallam-Baker <>
Cc:, Paul Wouters <>

On 19 Mar 2014, at 15:18, Phillip Hallam-Baker <> wrote:

> If you take DNS messages and encrypt them, the result is not DNS
> messages. There are hacks that can be used to tunnel non-DNS messages
> over DNS but that is a different issue.

Well, to the extent that you believe that DNS is not extensible for these purposes (e.g. via EDNS0 or EDNSn, n > 0).

> As I see it, port 53 is for DNS protocol messages as in DNSv1.0
> protocol without encryption.

This was a point we made (perhaps weakly) in draft-jabley-dnsop-dns-onion.

The bits of that idea that use port 53 are regular, unmolested DNS queries. All the other bits could be RESTful APIs over HTTPS pools, or whatever else you like. Whatever other weaknesses one might reasonably point out in that proposal, the facts that it (a) works with existing stub resolvers and authority servers without modification and (b) does not require deployment of DNSSEC, are strengths, I think.