IETF Logo Mail Archive

Re: [dns-privacy] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 20 March 2014 14:23 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2304C1A08C3 for <dns-privacy@ietfa.amsl.com>; Thu, 20 Mar 2014 07:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QrIIwoB9KVDo for <dns-privacy@ietfa.amsl.com>; Thu, 20 Mar 2014 07:23:20 -0700 (PDT)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [217.70.190.232]) by ietfa.amsl.com (Postfix) with ESMTP id AF4071A08B7 for <dns-privacy@ietf.org>; Thu, 20 Mar 2014 07:23:17 -0700 (PDT)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id A27FD3B89F; Thu, 20 Mar 2014 15:23:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 5AA71CB91C; Thu, 20 Mar 2014 15:20:20 +0100 (CET)
Date: Thu, 20 Mar 2014 15:20:20 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tony Finch <dot@dotat.at>
Message-ID: <20140320142020.GA12147@sources.org>
References: <20140320103354.GA14856@nic.fr> <alpine.LSU.2.00.1403201044100.31260@hermes-1.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LSU.2.00.1403201044100.31260@hermes-1.csi.cam.ac.uk>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 7.3
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/hd1gbGWLj2euqMfJw2p-x-00dgY
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 14:23:23 -0000

On Thu, Mar 20, 2014 at 11:04:13AM +0000,
 Tony Finch <dot@dotat.at> wrote 
 a message of 65 lines which said:

> You say "[RFC2181] suggests an algorithm to find the zone cut" but
> although it describes what a zone cut looks like I can't see any
> clear description of an algorithm for finding them.

The wording in my draft is not perfect. Indeed, DNS RFCs rarely
describe algorithms, probably to let some freedom to the
implementations.

>    Another note is that the answer to the NS query, unlike the referral
>    sent when the question is a full qname, is in the Answer section, not
>    in the Authoritative section.

Also a poor wording since it is the Authority section, not the
Authoritative one. (Which, by the way, answers your concern.)

> This goes back to subtleties in the algorithm :-)

Following the general principle of DNS RFCs, I do not think it would
be wise to specify an algorithm for resolution with qname
minimisation, since there is none for traditional resolution.

>   fr          IN NS ?
>   ratp.fr     IN NS ?
>   www.ratp.fr IN NS ?
>   www.ratp.fr IN A ?
>   www.ratp.fr IN AAAA ?

You did not mention the zone which will receive the queries. The third
query will work, even with the broken Alteon load balancers, since it
will be sent to the NS of ratp.fr.

> Or should you skip the third query?

It MAY (RFC 2119) be skipped since a zone cut is not possible because
there is just one label more than the previous name.

> Skipping the third query would improve latency in most cases (when
> there isn't a zone cut at the leaf), but it leads to leakage. For
> example, consider a domain like google.com: do you want the .com
> name servers to know if you are sending mail to Google, rather than
> just looking at their web site?

I do not understand. Do you refer to gmail.com/google.com? If so,
indeed, a resolver has no way of knowing that the two domains are
related and so leakage will occur. If you refer to
mail.google.com/www.google.com, then, assuming mail.google.com is
subdelegated, the list of queries for "A mail.google.com" will be:

(to .) NS com.
(to com.) NS google.com
OPTIONAL (to google.com) NS mail.google.com
(to google.com or to mail.google.com) A mail.google.com

And then for "A www.google.com":

OPTIONAL (to google.com) NS www.google.com
(to google.com or to www.google.com) A www.google.com

I see no leakage. Of course, the DNSmaster of google.com will learn
things but there is no way to avoid that.

v2.23.0 | Report a Bug | By Email