Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01
🔓Dan Wing <dwing@cisco.com> Tue, 27 October 2015 00:27 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F7DE1B31C0 for <dns-privacy@ietfa.amsl.com>; Mon, 26 Oct 2015 17:27:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.21
X-Spam-Level:
X-Spam-Status: No, score=-14.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCaEXHuqGGGT for <dns-privacy@ietfa.amsl.com>; Mon, 26 Oct 2015 17:27:09 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B7131B31BE for <dns-privacy@ietf.org>; Mon, 26 Oct 2015 17:27:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18987; q=dns/txt; s=iport; t=1445905629; x=1447115229; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=iP8X0I/JIhRdko0z+43OPzjlUJCNg8EX029JC+tyo60=; b=k2x6GCiwoJoYazY3Kd/qDEyedLDa6RbfOVQMt0calVrwbkdHDSz8QtB2 nJ1CTtsGc4hcDfZOPhWLWJrnnqsibprx/pVvVgoMgdPgkrYwlmF8hZkxb lr+c1rvuzGXQzddpTN98vnV+F3myJkEnUIsWmUEo+tR5CMD/+uDdbOS1g U=;
X-IronPort-AV: E=Sophos;i="5.20,202,1444694400"; d="scan'208,217";a="202242539"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 27 Oct 2015 00:27:08 +0000
Received: from [10.24.144.24] ([10.24.144.24]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t9R0R7VC011786 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Oct 2015 00:27:07 GMT
Content-Type: multipart/alternative; boundary="Apple-Mail=_D93A8F02-F607-49BC-92C7-3D9AA046689F"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: 🔓Dan Wing <dwing@cisco.com>
In-Reply-To: <831412868.3770931.1445869688703.JavaMail.yahoo@mail.yahoo.com>
Date: Mon, 26 Oct 2015 17:27:06 -0700
Message-Id: <3E19E28F-1572-4ADC-AA3C-05BEE7A376F6@cisco.com>
References: <ee5020e9b38e4ab3bfadc49891442b08@XCH-RCD-017.cisco.com> <831412868.3770931.1445869688703.JavaMail.yahoo@mail.yahoo.com>
To: Muhammad Yousaf <myousaf@ymail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/owsCG3UYsm5ojgSlVIyiWpDpcc0>
Cc: Simon Josefsson <simon@josefsson.org>, Paul Hoffman <paul.hoffman@icann.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Tirumaleswar Reddy <tireddy@cisco.com>
Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2015 00:27:12 -0000
On 26-Oct-2015 07:28 am, Muhammad Yousaf <myousaf@ymail.com> wrote: > Hi all, > I am new to this list, infact read the document for the first time. So, don't know whether my comments will make any sense or not. > My first feeling is that this document is proposing too much security overhead in the name of privacy protection. > TCP Handshake TCP FastOpen (RFC7413), which would contain the TCP ClientHello > -> TLS Handshake Which would use TLS session resumption w/o server-side state (RFC5077), and TLS FalseStart (draft-ietf-tls-falsestart). > -> DNS Request/Reply -> TLS Close -> TCP Close. The TLS session and TCP connection don't need to be closed right away. If left open, subsequent queries have nearly the same overhead as today's un-encrypted queries, and as long as the network is stable (NAT, firewall, path), DNSoTLS and DNSoDTLS are very similar in their operation. > Although draft discussed the overhead, however, only discussion can't resolve the issue. > Draft also discussed the long term persistant connections and associated security issues with this approach. Again discussion only is not the solution. > Draft also discussed the queued requests and its issue. Again no satisfactory solution. > Also, it is not clear that why we need to encrypt the traffic between recursive server and the authoritative server. What is the privacy issue there? The risk is a victim querying a unique (or nearly unique) resource record), such as ejkfjuiuerekfjekfjekfjekjfejqkjkejqkj.example.com <http://ejkfjuiuerekfjekfjekfjekjfejqkjkejqkj.example.com/> (which might be completely unique to that particular user) or such as "kitten-pictures.blogspot.com <http://i-love-kittens.blogspot.com/>" (where kitten pictures are deemed subversive or are illegal). Imagine that unique query combined with draft-ietf-dnsop-edns-client-subnet. -d > If community is not in a hurry, then in my humble opinion, standard body should look for more efficient and well thought off solution may be out of TLS. > I can volunteer for any such activity. > > Best Regards, > Dr. Muhammad Yousaf, > Assistant Professor, Faculty of Computing, > Riphah International University (RIU), Islamabad > https://sites.google.com/site/muhyousaf/ <https://sites.google.com/site/muhyousaf/> > > > > On Sunday, October 25, 2015 9:23 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote: > > > > -----Original Message----- > > From: dns-privacy [mailto:dns-privacy-bounces@ietf.org <mailto:dns-privacy-bounces@ietf.org>] On Behalf Of Paul > > Hoffman > > Sent: Friday, October 23, 2015 8:01 PM > > To: Simon Josefsson > > Cc: dns-privacy@ietf.org <mailto:dns-privacy@ietf.org> > > Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01 > > > > On 10/23/15, 1:35 PM, "Simon Josefsson" <simon@josefsson.org <mailto:simon@josefsson.org>> wrote: > > > > >Hi. I believe the document is in relatively good shape. I have one > > >high level concern, and one concern with the document itself that is > > >related to the higher-level concern: > > > > > >1) I believe it would be a mistake to publish this without > > >synchronizing the TLS-related aspects of DNS-over-TLS and > > >DNS-over-DTLS. The documents solve roughly the same problem, with > > >rougly the same technology. One important difference is how they > > >approach authentication of the peer in TLS. Given the similarities of > > >the protocols and solutions, this seems like a recipe for > > >implementation frustration. An implementer would prefer to implement > > >DNS-over-TLS/DTLS as similar as possible. Having different X.509 (etc) > > >certificate verification code paths depending on whether TLS or DTLS is > > >used appears bad to me. > > > > > >2) On TLS verification, this document should reference RFC 6125 and > > >describe how naming information should be compared with the locally > > >known data with what is being presented by the server. See > > >draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or > > >the most readable or complete way) of doing this. > > > > > >If merging DNS-over-TLS and DNS-over-DTLS is not an option, another > > >possibility is that TLS-related aspects are deferred from both > > >documents to another third new document that describe how to perform > > >TLS credential verification for DNS-over-(D)TLS in a generalized way. > > >Then there would be harmony in the TLS-related aspects, and the > > >respective document can focus on the DNS-related aspects. If document > > >editor cycles is limiting factor, I would volunteer to help write this. > > > > Fully agree on all counts. If the WG wants to move both -TLS and -DTLS to the > > IETF, it makes no sense at all to have them have different crypto properties. I > > don't care if the answer is "harmonize each before finishing" or "harmonize > > them by reference to a third document". > > https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00 <https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00>discusses both TLS and DTLS profile for providing DNS privacy. > > -Tiru > > > > > --Paul Hoffman > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org <mailto:dns-privacy@ietf.org> > https://www.ietf.org/mailman/listinfo/dns-privacy <https://www.ietf.org/mailman/listinfo/dns-privacy> > > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy
- [dns-privacy] Start of WGLC for draft-ietf-dprive… Warren Kumari
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Bob Harold
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tim Wicinski
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Wessels, Duane
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Bob Harold
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Warren Kumari
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Simon Josefsson
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Ilari Liusvaara
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… 🔓Dan Wing
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Muhammad Yousaf
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… 神明達哉
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Simon Josefsson
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… 神明達哉
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… 🔓Dan Wing
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Stephane Bortzmeyer
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… sara
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… sara
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Sara Dickinson
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Mankin, Allison
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Stephane Bortzmeyer
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Mankin, Allison
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Simon Josefsson
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tim Wicinski
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tim Wicinski
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Tim Wicinski
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Sara Dickinson
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Warren Kumari
- Re: [dns-privacy] Start of WGLC for draft-ietf-dp… Warren Kumari