[dns-privacy] DNS over TLS for zone transfers?

Shane Kerr <shane@time-travellers.org> Tue, 17 January 2017 10:22 UTC

Date: Tue, 17 Jan 2017 18:22:29 +0800
From: Shane Kerr <shane@time-travellers.org>
To: dns-privacy@ietf.org
Message-ID: <20170117182229.73efff48@pallas.home.time-travellers.org>
Subject: [dns-privacy] DNS over TLS for zone transfers?
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/LvhxSnm9SDnD2PxV8RK4O5eF7Eo>

Hello,

I'm sorry if it has already been discussed, but has there been any work
done on using TLS for AXFR/IXFR?

It seems like it should be relatively straightforward, compared to the
stub-to-resolver and resolver-to-authority links. While it does not
seem as big of a problem either, obviously somebody cares about hiding
the contents of zones or everybody wouldn't block zone transfers,
right? 

There are still some issues to consider, such as what the interaction of
TSIG and TLS certificates means, as well as what method a master can
use to signal TLS support (this seems desirable to me, although not
necessary).

Does this seem like something worth working on? Or is it a distraction
from the resolver-to-authority work?

Note also that it might be worthwhile building a new zone transfer
protocol that can perform better in areas where AXFR and IXFR don't
work well today (unnecessary data in IXFR of signed zones, inefficiency
for synchronizing lots of zones, automatic fallback to full zone
transfer on IXFR failure, and so on). That's not really something for
DPRIVE, of course, but adding TLS to the protocol could be rolled into
such an activity.

Cheers,

--
Shane
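The "interaction of TSIG and TLS" point above is easier to reason about once you see exactly what a TSIG signature covers. The following is an added example, not part of the message above and not code from any DNS server: it builds an AXFR query on the wire, signs it with a TSIG RR (RFC 8945, hmac-sha256) using only the Python standard library, and verifies it, including the BADKEY/BADSIG/BADTIME outcomes. The zone name `example.com.`, key name `axfr-key.example.`, shared secret and timestamp are all constructed values. What it shows is that TSIG authenticates each DNS message with a shared secret and binds it to a time window, whereas TLS authenticates the transport endpoint by certificate and encrypts the channel; the two answer different questions, so a TSIG-signed AXFR inside a TLS session is the natural composition rather than a redundancy.

```python
"""Constructed example: TSIG (RFC 8945) signing and verification of an AXFR
query in pure Python.  Not dnspython, not any server's own code; names,
secret and timestamp are made up for the demonstration."""
import hashlib
import hmac
import struct
import time

TYPE_AXFR = 252
TYPE_TSIG = 250
CLASS_IN = 1
CLASS_ANY = 255
ALGORITHMS = {"hmac-sha256.": hashlib.sha256}


def encode_name(name):
    """Canonical, uncompressed wire form of a name (lowercase, as RFC 8945 requires for the MAC)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Offset just past the name at `off`; a compression pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1


def decode_name(msg, off):
    """Decode an uncompressed name (TSIG key and algorithm names are sent uncompressed)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels).lower() + "."
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += length + 1


def build_axfr_query(zone, msg_id=0x1234):
    """Unsigned AXFR query: 12-byte header with QDCOUNT=1, then one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)  # class ANY, TTL 0
            + encode_name(algorithm)
            + struct.pack("!HI", (time_signed >> 32) & 0xFFFF, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def compute_mac(secret, algorithm, message, variables, request_mac=b""):
    """HMAC over (optional prior MAC) + unsigned message + TSIG variables."""
    data = b""
    if request_mac:
        data += struct.pack("!H", len(request_mac)) + request_mac
    return hmac.new(secret, data + message + variables, ALGORITHMS[algorithm]).digest()


def sign_message(message, key_name, secret, algorithm="hmac-sha256.", time_signed=None, fudge=300):
    """Append a TSIG RR to the additional section and bump ARCOUNT; the MAC covers the unsigned message."""
    if time_signed is None:
        time_signed = int(time.time())
    variables = tsig_variables(key_name, algorithm, time_signed, fudge)
    mac = compute_mac(secret, algorithm, message, variables)
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(algorithm)
             + struct.pack("!HI", (time_signed >> 32) & 0xFFFF, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))  # original ID, error NOERROR, other len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify_message(signed, keys, now=None):
    """Verify the trailing TSIG RR against keys {name: (algorithm, secret)}; returns (ok, reason)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4  # QTYPE + QCLASS
    last = None
    for _ in range(an + ns + ar):
        start = off
        off = skip_name(signed, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10
        last = (start, rtype, signed[off:off + rdlen])
        off += rdlen
    if last is None or last[1] != TYPE_TSIG:
        return False, "no TSIG RR in last position"
    tsig_start, _, rdata = last
    key_name = decode_name(signed, tsig_start)
    algorithm = decode_name(rdata, 0)
    p = skip_name(rdata, 0)
    ts_hi, ts_lo, fudge, mac_size = struct.unpack("!HIHH", rdata[p:p + 10])
    p += 10
    mac = rdata[p:p + mac_size]
    p += mac_size
    original_id, error, other_len = struct.unpack("!HHH", rdata[p:p + 6])
    other = rdata[p + 6:p + 6 + other_len]
    if key_name not in keys or keys[key_name][0] != algorithm:
        return False, "BADKEY"
    secret = keys[key_name][1]
    # Rebuild the message as it was when signed: original ID, ARCOUNT-1, TSIG RR removed.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    time_signed = (ts_hi << 32) | ts_lo
    expected = compute_mac(secret, algorithm, unsigned,
                           tsig_variables(key_name, algorithm, time_signed, fudge, error, other))
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed, not a real key
    query = build_axfr_query("example.com.")
    signed = sign_message(query, "axfr-key.example.", secret, time_signed=1484648549)
    print(verify_message(signed, {"axfr-key.example.": ("hmac-sha256.", secret)}, now=1484648549))
```

Note what the verifier had to reconstruct: the MAC is computed over the message without the TSIG RR, so the master's TSIG check proves the request came from a holder of the shared key and has not been altered in flight, but it says nothing about who can read the zone data. A TLS certificate on the master gives the secondary assurance of which server it is talking to and hides the transfer; it does not by itself tell the master which secondary is asking, which is the role TSIG (or a client certificate) keeps playing.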