Re: [dns-privacy] Joel Jaeggli's Discuss on draft-ietf-dprive-edns0-padding-02: (with DISCUSS)
Shane Kerr <shane@time-travellers.org> Mon, 29 February 2016 21:34 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 980F71B3C9F; Mon, 29 Feb 2016 13:34:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LWV_sz5ltrqy; Mon, 29 Feb 2016 13:34:51 -0800 (PST)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AE521B3C93; Mon, 29 Feb 2016 13:34:51 -0800 (PST)
Received: from [2001:470:78c8:2:224:9bff:fe13:3a9c] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1aaVSp-0001wC-9j; Mon, 29 Feb 2016 21:34:47 +0000
Date: Mon, 29 Feb 2016 22:34:47 +0100
From: Shane Kerr <shane@time-travellers.org>
To: Joel Jaeggli <joelja@bogus.com>
Message-ID: <20160229223447.78935641@pallas.home.time-travellers.org>
In-Reply-To: <20160229195527.11806.46599.idtracker@ietfa.amsl.com>
References: <20160229195527.11806.46599.idtracker@ietfa.amsl.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/jI_JIj2MvhlhkzR__y3S3biVqGk>
Cc: tjw.ietf@gmail.com, draft-ietf-dprive-edns0-padding@ietf.org, dns-privacy@ietf.org, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org
Subject: Re: [dns-privacy] Joel Jaeggli's Discuss on draft-ietf-dprive-edns0-padding-02: (with DISCUSS)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Feb 2016 21:34:52 -0000
Joel, At 2016-02-29 11:55:27 -0800 "Joel Jaeggli" <joelja@bogus.com> wrote: > > This is just something I want to discuss, it's not an objection... > > At this point we say: > > Implementations therefore > SHOULD avoid using this option if the DNS transport is not encrypted. > > If you did allow this on unencrypted dns transport this seems like it > serves as a utility function for DNS amplification. > > Wouldn't it be better to say MUST NOT? > > e.g. this is exclusively for use with TLS / DTLS supporting sessions? If the concern is amplification, then this is independent of encryption. Unencrypted TCP or even DNS cookies should address the concern, the same as they do for any large response. In the interests of simplicity I think your suggestion of making it a MUST NOT makes sense though. Perhaps a sentence explaining the motivation for such a strong recommendation is beneficial in that case. Something like: The use of the EDNS(0) Padding provides only a benefit when DNS packets are not transported in clear text. Further, it is possible EDNS(0) Padding may make DNS amplification attacks easier. Implementations therefore MUST NOT use this option if the DNS transport is not encrypted. Personally I would be happy if the definition of "DNS transport" remains vague in the hopes of covering everything. ;) Cheers, -- Shane
- [dns-privacy] Joel Jaeggli's Discuss on draft-iet… Joel Jaeggli
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Stephen Farrell
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Barry Leiba
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Stephen Farrell
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Shane Kerr
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… joel jaeggli
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Warren Kumari
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Mark Andrews
- Re: [dns-privacy] Joel Jaeggli's Discuss on draft… Joel Jaeggli