Re: [dns-privacy] FW: New Version Notification for draft-wing-dprive-dnsodtls-00.txt
"Prashanth Patil (praspati)" <praspati@cisco.com> Wed, 22 April 2015 19:06 UTC
Return-Path: <praspati@cisco.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED2321B2A46 for <dns-privacy@ietfa.amsl.com>; Wed, 22 Apr 2015 12:06:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.911
X-Spam-Level:
X-Spam-Status: No, score=-13.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z8i9UjOK6Sna for <dns-privacy@ietfa.amsl.com>; Wed, 22 Apr 2015 12:06:18 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 029701B2A74 for <dns-privacy@ietf.org>; Wed, 22 Apr 2015 12:06:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3388; q=dns/txt; s=iport; t=1429729576; x=1430939176; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=i0aIlL16OQB6QL7gkuy1SWHZpgP9nklL073anQXPf3U=; b=ZeFYHEbqWvIrmykm/OlUuhtxJzuVBh4B7C1WSqqgjDIlU2AJbLQAs/ii nlKebxN2qXyb+N7Ol+9dqhIEADdciGLE8PJfiU8FxnuNeBi0sM0XIo7CN tIYD9bVwSg0Wt6Afz/af4RvTNq8lQElct0JQa7wqorjVJiQUZeH3XTFMx 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BfBAAr8DdV/49dJa1bgwyBLgWDE8ILZgmHUwIcgRw4FAEBAQEBAQGBCoQgAQEBAwE0QwIFCwIBCBwoAgIwHAkCBAENBYgjCJsknHoGlQoBAQEBAQEBAQEBAQEBAQEBAQEBGYEbihyEORgzB4JigUsBBI8bgiCKKoEikEGDTiKBZCEZBBWBPG+BBCQcgQABAQE
X-IronPort-AV: E=Sophos;i="5.11,625,1422921600"; d="scan'208";a="143631817"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-6.cisco.com with ESMTP; 22 Apr 2015 19:06:15 +0000
Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id t3MJ6Fn7013367 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 22 Apr 2015 19:06:15 GMT
Received: from xmb-rcd-x07.cisco.com ([169.254.7.109]) by xhc-aln-x11.cisco.com ([173.36.12.85]) with mapi id 14.03.0195.001; Wed, 22 Apr 2015 14:06:14 -0500
From: "Prashanth Patil (praspati)" <praspati@cisco.com>
To: Simon Josefsson <simon@josefsson.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Thread-Topic: [dns-privacy] FW: New Version Notification for draft-wing-dprive-dnsodtls-00.txt
Thread-Index: AQHQfAbL09OypWp+Y0adNgn/qC3Sig==
Date: Wed, 22 Apr 2015 19:06:13 +0000
Message-ID: <D15D3E27.4FACB%praspati@cisco.com>
References: <20150421074257.29046.92189.idtracker@ietfa.amsl.com> <913383AAA69FF945B8F946018B75898A41211DB0@xmb-rcd-x10.cisco.com> <874mo9hg0e.fsf@latte.josefsson.org>
In-Reply-To: <874mo9hg0e.fsf@latte.josefsson.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.8.150116
x-originating-ip: [10.155.208.254]
Content-Type: text/plain; charset="euc-kr"
Content-ID: <C1781C5DF1EB184F97361F95F0E30776@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/lVkCqeDVugmT1Xa_MPVMqlY9J5s>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] FW: New Version Notification for draft-wing-dprive-dnsodtls-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 19:06:20 -0000
Hi Simon, Appreciate the review. On 4/21/15, 4:34 AM, "Simon Josefsson" <simon@josefsson.org> wrote: >Hi. Quoting section 3.2: > > To authenticate the server providing DNS privacy, the DNS client > needs to be configured with the names of those DNS privacy servers. > When connecting a DNS privacy server, the server's IP address can be > converted to its hostname by doing a DNS PTR lookup, verifying that > the name matches the pre-configured list of DNS privacy servers, and > finally validating its certificate trust chain or a local list of > certificates. > >Your first sentence says that DNS client needs to be configured with the >names of those DNS privacy servers. The second sentence starts with >"When connecting...". Presumably, the DNS client needs an IP address to >connect. How does it get that? The idea was to have a configuration list that only has names of trusted servers. A client discovers an IP address to connect using any of the existing techniques that clients use today e.g. DHCP. > Would it be correct to change the first >sentence into: > > the DNS client needs to be configured with IP addresses and names of > those DNS privacy servers, so that each IP address is associated with > one name. Yes, I suppose we could also have the list include Name+IP address combinations. This would form a default list of servers that a client can connect with, if the client failed to learn a DNS server OR didn¹t want to use a DNS server learned via DHCP. > >Further, the second sentence suggest that the client do a PTR lookup. >This presumably needs to happen after the TLS handshake has finished, >which is where certificate validation usually happens. However, I don't >understand why this PTR dance is useful. Why can't the client just >compare the name it has configured for that IP address with the name >presented in the certificate from the server? It seems this PTR >approach would be a way to avoid the need foor clients to configure a >name, but you already said in the document that it has to know a name. The PTR approach was included to address the case when a client was only configured with trusted DNS names and not IPs associated with those names. > >Generally, I believe you want to reference RFC 6125 and speak in the >terminology of that document for better clarity on TLS certificate >validation. Thanks. -Prashanth > >/Simon
- [dns-privacy] FW: New Version Notification for dr… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] FW: New Version Notification fo… Simon Josefsson
- Re: [dns-privacy] FW: New Version Notification fo… Prashanth Patil (praspati)