Re: [dns-privacy] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]
Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 20 March 2014 15:28 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FE9E1A0759 for <dns-privacy@ietfa.amsl.com>; Thu, 20 Mar 2014 08:28:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rmHJozAC-xVR for <dns-privacy@ietfa.amsl.com>; Thu, 20 Mar 2014 08:28:16 -0700 (PDT)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [217.70.190.232]) by ietfa.amsl.com (Postfix) with ESMTP id 2A8BD1A0750 for <dns-privacy@ietf.org>; Thu, 20 Mar 2014 08:28:16 -0700 (PDT)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id 3B67F3B8A0; Thu, 20 Mar 2014 16:28:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id B98DFCA2FC; Thu, 20 Mar 2014 16:27:38 +0100 (CET)
Date: Thu, 20 Mar 2014 16:27:38 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tony Finch <dot@dotat.at>
Message-ID: <20140320152738.GA18554@sources.org>
References: <20140320103354.GA14856@nic.fr> <alpine.LSU.2.00.1403201044100.31260@hermes-1.csi.cam.ac.uk> <20140320142020.GA12147@sources.org> <alpine.LSU.2.00.1403201425560.30415@hermes-1.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LSU.2.00.1403201425560.30415@hermes-1.csi.cam.ac.uk>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 7.3
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/ldwODPHvfH8xmM49zNBLxLtdxIo
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 15:28:18 -0000
On Thu, Mar 20, 2014 at 03:06:48PM +0000, Tony Finch <dot@dotat.at> wrote a message of 110 lines which said: > ;; AUTHORITY SECTION: > ac.uk. 172800 IN NS auth03.ns.uu.net. OK, I get it, sorry. Paragraph deleted from my local copy of the draft. > > Following the general principle of DNS RFCs, I do not think it would > > be wise to specify an algorithm for resolution with qname > > minimisation, since there is none for traditional resolution. > > RFC 1034 section 4.3.2. OK, but it won't help since it is for authoritative name servers. Resolvers are at section 5.3.3 and the algorithm is so sketchy that it does not even mention the content of the query sent to authoritative name servers. Also, qname minimisation is _not_ a change in the protocol, it's more an unilateral best practice ("privacy optimization"), and therefore does not need to be specified by an algorithm. If several resolvers implement it slightly differently, it is not a problem. > No, I mean, if I go to http://google.com in my browser, I will make A and > AAAA queries for google.com, but if I send mail to a Google employee I > will make MX queries for google.com. > > So if you skip the NS query for google.com (because it is the whole of the > QNAME in this case) you will leak the A vs MX difference to the .com > servers. Said otherwise, if you skip the NS query step, and send "A google.com" to the .com name servers, Verisign's name servers will send you back a referral and then you'll learn the zone cut (this is what every resolver already does today). So, there will be a leak only for the first request (a simple heuristic to avoid this would be to always send the NS query for the first two labels). Anyway, I have no problem with saying that you should always send the NS query to be sure, and too bad for the broken name servers like those of www.ratp.fr. I even think Mark Andrews will agree with me here :-)
- [dns-privacy] [internet-drafts@ietf.org: I-D Acti… Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Tony Finch
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Phillip Hallam-Baker
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Florian Weimer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Phillip Hallam-Baker
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Casey Deccio
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Florian Weimer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Tony Finch
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Phillip Hallam-Baker
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Stephane Bortzmeyer
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Joe Abley
- Re: [dns-privacy] [internet-drafts@ietf.org: I-D … Tony Finch
- Re: [dns-privacy] a qname minimization algorithm Tony Finch