IETF Logo Mail Archive

Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-02.txt

Sara Dickinson <sara@sinodun.com> Tue, 27 October 2015 15:10 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7B6E1A9036 for <dns-privacy@ietfa.amsl.com>; Tue, 27 Oct 2015 08:10:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b7gkV0thdyGc for <dns-privacy@ietfa.amsl.com>; Tue, 27 Oct 2015 08:10:11 -0700 (PDT)
Received: from shcp01.hosting.zen.net.uk (shcp01.hosting.zen.net.uk [88.98.24.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8083A1A9044 for <dns-privacy@ietf.org>; Tue, 27 Oct 2015 08:10:09 -0700 (PDT)
Received: from [62.232.251.194] (port=4256 helo=virgo.sinodun.com) by shcp01.hosting.zen.net.uk with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85) (envelope-from <sara@sinodun.com>) id 1Zr5sz-0000aD-AP; Tue, 27 Oct 2015 15:10:06 +0000
Content-Type: multipart/alternative; boundary="Apple-Mail=_D2022C97-C045-48F1-A359-6360B5E965A4"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <e8ffc282d2d7438a92c97f87df1f0c81@XCH-RCD-017.cisco.com>
Date: Tue, 27 Oct 2015 15:10:05 +0000
Message-Id: <5F3D3EC4-5C2A-4AAC-B3D4-49E679DAE0F4@sinodun.com>
References: <20151019030605.15884.65486.idtracker@ietfa.amsl.com> <6e3c9bb1564c45eab4b9e4732e816d28@XCH-RCD-017.cisco.com> <FF902A3C-1BA3-49D0-8845-48A2A2B98770@sinodun.com> <e8ffc282d2d7438a92c97f87df1f0c81@XCH-RCD-017.cisco.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
X-Mailer: Apple Mail (2.2104)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shcp01.hosting.zen.net.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sinodun.com
X-Get-Message-Sender-Via: shcp01.hosting.zen.net.uk: authenticated_id: sara+sinodun.com/only user confirmed/virtual account not confirmed
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/YlErKkrNU84lg4pKVif_EU2ORB4>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-02.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2015 15:10:13 -0000

> On 27 Oct 2015, at 12:06, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:
> 
> Hi Sara,

Hi Tiru, 

Thanks for the quick response.

>   
> [TR] Yes. The other alternative would be to set the first three bits in the Opcode to 1 to identify fragmented response (Opcodes 14 and 15 will have to be reserved).  

Reserving 2 Opcodes compared to 8 seems preferable :-) although non-optimal.  If the format of the ‘fragmentation’ protocol header were changed to contain all 4 bits of the OpCode field then only a single Opcode would be required which would minimise the impact on DNS. Do you have a name for the new fragmentation protocol to easily distinguish it from DNS in these discussions? DDF (DNS-over-DTLS Fragmentation) seems like the obvious one to me…..

FWIIW - I prefer the concept of finding a single mechanism to cater for fragmentation in both UDP and DTLS (for example, https://datatracker.ietf.org/doc/draft-muks-dns-message-fragments/ <https://datatracker.ietf.org/doc/draft-muks-dns-message-fragments/>) rather than defining a new protocol that ‘resembles’ DNS. But that would require significant protocol development. 

>  
> 2) The IANA Considerations section requests assignment of a new DTLS header (specifically for DNS fragmentation). However isn’t that something that would have to go via the TLS WG, not DPRIVE?
>  
> [TR] Other WG had defined DTLS extensions in the past (for example https://datatracker.ietf.org/doc/rfc5764/ <https://datatracker.ietf.org/doc/rfc5764/> is the outcome of  AVT WG)

I may be wrong, but in those cases I think the charter of the working group explicitly covered extensions to core protocols, whereas DPRIVE's doesn’t?

>  
> 3) As is pointed out there are still (rare) cases where the proposed solution could fail and the draft states that if that happens the server MUST set the TC bit. However there is no statement about what a client should do in that case. Should it fallback to TLS or TCP? 
>  
> [TR] Yes, will add more details in the next revision.

Actually this is an optional mechanism isn’t it, so the fallback case will occur if the client chooses not to implement it. 

And I have just seen the statement in https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00#section-5 on this:

“If the DNS sever's response exceeds the EDNS0 value, the DNS server
   sets the TC (truncated) bit.  On receiving a response with the TC bit
   set, the client establishes a DNS-over-TLS connection to the same
   server, and sends a new DNS request for the same resource record.”

Sara.

v2.23.0 | Report a Bug | By Email