[dns-privacy] DNS over TLS for zone transfers?
Shane Kerr <shane@time-travellers.org> Tue, 17 January 2017 10:22 UTC
Date: Tue, 17 Jan 2017 18:22:29 +0800
From: Shane Kerr <shane@time-travellers.org>
To: dns-privacy@ietf.org
Message-ID: <20170117182229.73efff48@pallas.home.time-travellers.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/LvhxSnm9SDnD2PxV8RK4O5eF7Eo>
Subject: [dns-privacy] DNS over TLS for zone transfers?
Hello,

I'm sorry if it has already been discussed, but has there been any work done on using TLS for AXFR/IXFR?

It seems like it should be relatively straightforward, compared to the stub-to-resolver and resolver-to-authority links. While it does not seem as big of a problem either, obviously somebody cares about hiding the contents of zones or everybody wouldn't block zone transfers, right?

There are still some issues to consider, such as what the interaction of TSIG and TLS certificates means, as well as what method a master can use to signal TLS support (this seems desirable to me, although not necessary).

Does this seem like something worth working on? Or is it a distraction from the resolver-to-authority work?

Note also that it might be worthwhile building a new zone transfer protocol that can perform better in areas where AXFR and IXFR don't work well today (unnecessary data in IXFR of signed zones, inefficiency for synchronizing lots of zones, automatic fallback to full zone transfer on IXFR failure, and so on). That's not really something for DPRIVE, of course, but adding TLS to the protocol could be rolled into such an activity.

Cheers,

--
Shane
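To make the "relatively straightforward" claim and the TSIG question concrete, here is an added example (not part of the thread, and not code from any of the participants) of what a TSIG-signed AXFR over a TLS connection looks like on the wire. DNS over TLS (RFC 7858) reuses the two-octet length framing of DNS over TCP (RFC 1035 section 4.2.2), so the request is the ordinary AXFR query from RFC 5936, signed with TSIG HMAC-SHA256 exactly as in RFC 8945, and written into a TLS socket instead of a plain TCP one. The master hostname, zone name, TSIG key name and secret, and the use of port 853 for transfers are all assumptions of the example.

```python
import hashlib
import hmac
import socket
import ssl
import struct
import time

TYPE_SOA, TYPE_TSIG, TYPE_AXFR = 6, 250, 252
CLASS_IN, CLASS_ANY = 1, 255
HMAC_SHA256 = "hmac-sha256."   # TSIG algorithm name (RFC 8945)

def encode_name(name):
    """Uncompressed, lower-cased wire-format name (TSIG canonical form)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def make_rr(name, rtype, rdata, ttl=0, rclass=CLASS_IN):
    """One wire-format resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_axfr_query(zone, msg_id):
    """Unsigned AXFR request: header with QDCOUNT=1 and one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)

def tsig_sign(msg, key_name, secret, when=None, fudge=300):
    """Append a TSIG RR (RFC 8945 4.3.3): MAC over the unsigned message plus
    the TSIG variables; ARCOUNT is bumped only after the MAC is computed."""
    when = int(time.time()) if when is None else when
    time_signed = when.to_bytes(6, "big")
    tsig_vars = (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
                 + encode_name(HMAC_SHA256) + time_signed
                 + struct.pack("!HHH", fudge, 0, 0))      # error=0, other len=0
    mac = hmac.new(secret, msg + tsig_vars, hashlib.sha256).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(HMAC_SHA256) + time_signed
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return (msg[:10] + struct.pack("!H", arcount) + msg[12:]
            + make_rr(key_name, TYPE_TSIG, rdata, rclass=CLASS_ANY))

def frame(msg):
    """Two-octet length prefix shared by DNS over TCP and DNS over TLS."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("master closed the stream mid-transfer")
        buf += chunk
    return buf

def skip_name(msg, off):
    """Advance past a (possibly compressed) name without decoding it."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # pointer: two octets, name ends here
            return off + 2
        off += 1 + n

def count_soa(msg):
    """SOA RRs in the answer section; an AXFR stream ends at the second one."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4
    soa = 0
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        soa += rtype == TYPE_SOA
    return soa

def axfr_over_tls(master, zone, key_name, secret, port=853, cafile=None):
    """Send a TSIG-signed AXFR over TLS and yield each response message."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the master's cert
    query = tsig_sign(build_axfr_query(zone, 0x1234), key_name, secret)
    with socket.create_connection((master, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=master) as tls:
        tls.sendall(frame(query))
        soa_seen = 0
        while soa_seen < 2:
            length, = struct.unpack("!H", recv_exact(tls, 2))
            msg = recv_exact(tls, length)
            if msg[3] & 0x0F:
                raise RuntimeError("AXFR refused, RCODE=%d" % (msg[3] & 0x0F))
            soa_seen += count_soa(msg)
            yield msg

if __name__ == "__main__":   # placeholder master, zone and key: assumptions
    for m in axfr_over_tls("ns1.example.net", "example.com.", "xfer-key.", b"secret"):
        print(len(m), "bytes, SOA count", count_soa(m))
```

The split of roles is the point of the example: the TLS certificate authenticates the master to the client and hides the zone contents from an on-path observer, while the TSIG key still authenticates the client to the master, which is how the master decides whether to allow the transfer at all. A real client would also verify the TSIG on the response stream (RFC 8945 lets the master sign at least every 100th message and the last one) rather than, as here, only checking the RCODE and counting SOA records; that response-side check is omitted to keep the example short. Signalling TLS support, the other open question in the message, is not something the wire format above can answer.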
- [dns-privacy] DNS over TLS for zone transfers? Shane Kerr
- Re: [dns-privacy] DNS over TLS for zone transfers? Mukund Sivaraman
- Re: [dns-privacy] DNS over TLS for zone transfers? Mark Andrews
- Re: [dns-privacy] DNS over TLS for zone transfers? Paul Hoffman
- Re: [dns-privacy] DNS over TLS for zone transfers? Robert Edmonds
- Re: [dns-privacy] DNS over TLS for zone transfers? Mukund Sivaraman
- Re: [dns-privacy] DNS over TLS for zone transfers? Mukund Sivaraman
- Re: [dns-privacy] DNS over TLS for zone transfers? Ask Bjørn Hansen
- Re: [dns-privacy] DNS over TLS for zone transfers? Robert Edmonds
- Re: [dns-privacy] DNS over TLS for zone transfers? Mukund Sivaraman
- Re: [dns-privacy] DNS over TLS for zone transfers? John Heidemann