IETF Logo Mail Archive

Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-02.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Tue, 27 October 2015 16:03 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 044151A9140 for <dns-privacy@ietfa.amsl.com>; Tue, 27 Oct 2015 09:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WkvPhd4lo08Y for <dns-privacy@ietfa.amsl.com>; Tue, 27 Oct 2015 09:02:55 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972141A9133 for <dns-privacy@ietf.org>; Tue, 27 Oct 2015 09:02:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=23362; q=dns/txt; s=iport; t=1445961775; x=1447171375; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=r4Vxd4f4HwVw0OZXgKjiyN3kLpiFda5Zc8gh8KuGjVQ=; b=md4R67AXKUkXnJu/1/q8Cs9n4zE7lcYYqqktuTHqsgbUjRDYG8A/buE3 S0gNz8joLfu0lPxFlZRVs+YlZI1NFLpvTBHCzrAkyEtcYyyaR7y6Fd92l nYVJoOMezfPe9t+hJzuv9gd3NYKMGGr0JHQUo0vtyd4SneqTrjiQZ/Uap 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D5AQDYni9W/5RdJa1UCoJpTVRvBr8AAQ2BWiOFdwIcgSI4FAEBAQEBAQGBCoQyAQEBBCMKTBACAQgRBAEBKAMCAgIwFAkIAgQOBQgTiBUNs0uSIgEBAQEBAQEBAQEBAQEBAQEBAQEBARQEhneEfoQwEkcEBgEGgmOBRQWNGYVKg1UBhRuIAZw4AR8BAUKEBHKEaIEGAQEB
X-IronPort-AV: E=Sophos; i="5.20,205,1444694400"; d="scan'208,217"; a="39521552"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-7.cisco.com with ESMTP; 27 Oct 2015 16:02:54 +0000
Received: from XCH-ALN-019.cisco.com (xch-aln-019.cisco.com [173.36.7.29]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id t9RG2sCx014200 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 27 Oct 2015 16:02:54 GMT
Received: from xch-rcd-017.cisco.com (173.37.102.27) by XCH-ALN-019.cisco.com (173.36.7.29) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 27 Oct 2015 11:02:30 -0500
Received: from xch-rcd-017.cisco.com ([173.37.102.27]) by XCH-RCD-017.cisco.com ([173.37.102.27]) with mapi id 15.00.1104.000; Tue, 27 Oct 2015 11:02:30 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Sara Dickinson <sara@sinodun.com>
Thread-Topic: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-02.txt
Thread-Index: AQHRChsglhCvWZe3gUa5zmOLuQe20Z5yIkIQgA1ZwID//8T+AIAAkbqA//+tCtA=
Date: Tue, 27 Oct 2015 16:02:30 +0000
Message-ID: <6e712832c20349c791a907ba5e91d27d@XCH-RCD-017.cisco.com>
References: <20151019030605.15884.65486.idtracker@ietfa.amsl.com> <6e3c9bb1564c45eab4b9e4732e816d28@XCH-RCD-017.cisco.com> <FF902A3C-1BA3-49D0-8845-48A2A2B98770@sinodun.com> <e8ffc282d2d7438a92c97f87df1f0c81@XCH-RCD-017.cisco.com> <5F3D3EC4-5C2A-4AAC-B3D4-49E679DAE0F4@sinodun.com>
In-Reply-To: <5F3D3EC4-5C2A-4AAC-B3D4-49E679DAE0F4@sinodun.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.55.189]
Content-Type: multipart/alternative; boundary="_000_6e712832c20349c791a907ba5e91d27dXCHRCD017ciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/QVdWvArwyrXgX9qjWsbFRds-mg8>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-02.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2015 16:03:00 -0000

Inline [TR2]

From: dns-privacy [mailto:dns-privacy-bounces@ietf.org] On Behalf Of Sara Dickinson
Sent: Tuesday, October 27, 2015 8:40 PM
To: Tirumaleswar Reddy (tireddy)
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-02.txt


On 27 Oct 2015, at 12:06, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com<mailto:tireddy@cisco.com>> wrote:

Hi Sara,

Hi Tiru,

Thanks for the quick response.



[TR] Yes. The other alternative would be to set the first three bits in the Opcode to 1 to identify fragmented response (Opcodes 14 and 15 will have to be reserved).

Reserving 2 Opcodes compared to 8 seems preferable :-) although non-optimal.  If the format of the ‘fragmentation’ protocol header were changed to contain all 4 bits of the OpCode field then only a single Opcode would be required which would minimise the impact on DNS.

[TR2] Works for me.

Do you have a name for the new fragmentation protocol to easily distinguish it from DNS in these discussions? DDF (DNS-over-DTLS Fragmentation) seems like the obvious one to me…..

[TR2] Thanks, DDF looks good ☺

FWIIW - I prefer the concept of finding a single mechanism to cater for fragmentation in both UDP and DTLS (for example, https://datatracker.ietf.org/doc/draft-muks-dns-message-fragments/) rather than defining a new protocol that ‘resembles’ DNS. But that would require significant protocol development.

[TR] In addition to the above point draft-muks-dns-message-fragments has the following issues to be resolved:
* This draft does not yet discuss RR change with re-transmissions.
* Middle boxes may not understand the new EDNS0 option and drop the response but is not a problem if used over DTLS.
* Yet to discuss fragment loss.
* Server does not know if client supports the extension, max fragments the client can handle.
* It also needs to discuss the impact of the proposed extension on DNS amplification attack.


2) The IANA Considerations section requests assignment of a new DTLS header (specifically for DNS fragmentation). However isn’t that something that would have to go via the TLS WG, not DPRIVE?

[TR] Other WG had defined DTLS extensions in the past (for example https://datatracker.ietf.org/doc/rfc5764/ is the outcome of  AVT WG)

I may be wrong, but in those cases I think the charter of the working group explicitly covered extensions to core protocols, whereas DPRIVE's doesn’t?

[TR2] I don’t see the charter of AVT WG discussing extending DTLS. Anyways I am sure WG chairs can help progress the draft, once the WG finalizes the proposed DDF.


3) As is pointed out there are still (rare) cases where the proposed solution could fail and the draft states that if that happens the server MUST set the TC bit. However there is no statement about what a client should do in that case. Should it fallback to TLS or TCP?

[TR] Yes, will add more details in the next revision.

Actually this is an optional mechanism isn’t it, so the fallback case will occur if the client chooses not to implement it.

[TR2] Yup.

-Tiru

And I have just seen the statement in https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00#section-5 on this:

“If the DNS sever's response exceeds the EDNS0 value, the DNS server

   sets the TC (truncated) bit.  On receiving a response with the TC bit

   set, the client establishes a DNS-over-TLS connection to the same

   server, and sends a new DNS request for the same resource record.”

Sara.

v2.23.0 | Report a Bug | By Email