Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dnsodtls.

Stephane Bortzmeyer <bortzmeyer@nic.fr> Mon, 22 August 2016 15:13 UTC

Date: Mon, 22 Aug 2016 17:12:29 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Warren Kumari <warren@kumari.net>
Message-ID: <20160822151229.k5wms6k6kktrut4o@nic.fr>
References: <CAHw9_iLWW-e_de9ieq_oe_eR=RBWg9swG7EiAPTp93825Vm=pw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/mhCZ4wPr3ao9xMdQAEtQ0Peyy4Q>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "DPRIVE-chairs@tools.ietf.org" <DPRIVE-chairs@tools.ietf.org>, draft-ietf-dprive-dnsodtls@ietf.org

On Tue, Aug 16, 2016 at 01:05:40PM -0400, Warren Kumari <warren@kumari.net> wrote a message of 38 lines which said:

> https://datatracker.ietf.org/doc/draft-ietf-dprive-dnsodtls/

I've read it (the last version, -10) and, for me, it is OK, and ready
to be sent to the next step.

I would like to make it a bit shorter by deleting two sentences, "An
active attacker can send bogus responses causing misdirection of the
subsequent connection" in the abstract and "Active attackers have long
been successful at injecting bogus responses, causing cache poisoning
and causing misdirection of the subsequent connection (if attacking A
or AAAA records).  A popular mitigation against that attack is to use
ephemeral and random source ports for DNS queries [RFC5452]." in
section 1. Both are about an attack which is *not* mitigated by
DNS-over-DTLS and these two sentences are clearly out of scope. (The
relationship with DNSSEC, which solves these attacks, is already
handled in section 1.1.)

Otherwise, now that the well-known port is not absolutely mandatory, I
suggest changing "Once the DNS client succeeds in receiving
HelloVerifyRequest from the server via UDP on the well-known port for
DNS-over-DTLS" to "Once the DNS client succeeds in receiving
HelloVerifyRequest from the server via UDP from the port used for
DNS-over-DTLS".

RFC 2119 mandatory flame war: "the DNS client may want to probe the
server using DTLS heartbeat" May or MAY?