Re: [dns-privacy] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]
Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 20 March 2014 14:23 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2304C1A08C3 for <dns-privacy@ietfa.amsl.com>; Thu, 20 Mar 2014 07:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QrIIwoB9KVDo for <dns-privacy@ietfa.amsl.com>; Thu, 20 Mar 2014 07:23:20 -0700 (PDT)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [217.70.190.232]) by ietfa.amsl.com (Postfix) with ESMTP id AF4071A08B7 for <dns-privacy@ietf.org>; Thu, 20 Mar 2014 07:23:17 -0700 (PDT)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id A27FD3B89F; Thu, 20 Mar 2014 15:23:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 5AA71CB91C; Thu, 20 Mar 2014 15:20:20 +0100 (CET)
Date: Thu, 20 Mar 2014 15:20:20 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tony Finch <dot@dotat.at>
Message-ID: <20140320142020.GA12147@sources.org>
References: <20140320103354.GA14856@nic.fr> <alpine.LSU.2.00.1403201044100.31260@hermes-1.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LSU.2.00.1403201044100.31260@hermes-1.csi.cam.ac.uk>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 7.3
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/hd1gbGWLj2euqMfJw2p-x-00dgY
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 14:23:23 -0000
On Thu, Mar 20, 2014 at 11:04:13AM +0000, Tony Finch <dot@dotat.at> wrote a message of 65 lines which said: > You say "[RFC2181] suggests an algorithm to find the zone cut" but > although it describes what a zone cut looks like I can't see any > clear description of an algorithm for finding them. The wording in my draft is not perfect. Indeed, DNS RFCs rarely describe algorithms, probably to let some freedom to the implementations. > Another note is that the answer to the NS query, unlike the referral > sent when the question is a full qname, is in the Answer section, not > in the Authoritative section. Also a poor wording since it is the Authority section, not the Authoritative one. (Which, by the way, answers your concern.) > This goes back to subtleties in the algorithm :-) Following the general principle of DNS RFCs, I do not think it would be wise to specify an algorithm for resolution with qname minimisation, since there is none for traditional resolution. > fr IN NS ? > ratp.fr IN NS ? > www.ratp.fr IN NS ? > www.ratp.fr IN A ? > www.ratp.fr IN AAAA ? You did not mention the zone which will receive the queries. The third query will work, even with the broken Alteon load balancers, since it will be sent to the NS of ratp.fr. > Or should you skip the third query? It MAY (RFC 2119) be skipped since a zone cut is not possible because there is just one label more than the previous name. > Skipping the third query would improve latency in most cases (when > there isn't a zone cut at the leaf), but it leads to leakage. For > example, consider a domain like google.com: do you want the .com > name servers to know if you are sending mail to Google, rather than > just looking at their web site? I do not understand. Do you refer to gmail.com/google.com? If so, indeed, a resolver has no way of knowing that the two domains are related and so leakage will occur. If you refer to mail.google.com/www.google.com, then, assuming mail.google.com is subdelegated, the list of queries for "A mail.google.com" will be: (to .) NS com. (to com.) NS google.com OPTIONAL (to google.com) NS mail.google.com (to google.com or to mail.google.com) A mail.google.com And then for "A www.google.com": OPTIONAL (to google.com) NS www.google.com (to google.com or to www.google.com) A www.google.com I see no leakage. Of course, the DNSmaster of google.com will learn things but there is no way to avoid that.
- [dns-privacy] [internet-drafts@ietf.org: I-D Acti… Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Tony Finch
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Phillip Hallam-Baker
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Florian Weimer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Phillip Hallam-Baker
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Casey Deccio
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Florian Weimer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Tony Finch
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Phillip Hallam-Baker
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Joe Abley
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Tony Finch
- Re: [dns-privacy] a qname minimization algorithm Tony Finch