IETF Logo Mail Archive

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

Stephane Bortzmeyer <bortzmeyer@nic.fr> Tue, 13 December 2016 15:42 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA7B6129407 for <dns-privacy@ietfa.amsl.com>; Tue, 13 Dec 2016 07:42:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.796
X-Spam-Level:
X-Spam-Status: No, score=-9.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.896] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GdlU4LflkdWD for <dns-privacy@ietfa.amsl.com>; Tue, 13 Dec 2016 07:42:05 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 511FE1293FD for <dns-privacy@ietf.org>; Tue, 13 Dec 2016 07:42:05 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 970F92801C0; Tue, 13 Dec 2016 16:42:03 +0100 (CET)
Received: from relay2.nic.fr (relay2.nic.fr [192.134.4.163]) by mx4.nic.fr (Postfix) with ESMTP id 918F328010E; Tue, 13 Dec 2016 16:42:03 +0100 (CET)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay2.nic.fr (Postfix) with ESMTP id 8F9ACB3800C; Tue, 13 Dec 2016 16:41:33 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 149D43FC09; Tue, 13 Dec 2016 16:41:33 +0100 (CET)
Date: Tue, 13 Dec 2016 16:41:33 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Shane Kerr <shane@time-travellers.org>
Message-ID: <20161213154133.prn6h7rdwk7md5aj@nic.fr>
References: <20161213105936.opaqw6hwwkx3txk2@nic.fr> <20161213154625.6b314fe6@pallas.home.time-travellers.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20161213154625.6b314fe6@pallas.home.time-travellers.org>
X-Operating-System: Debian GNU/Linux stretch/sid
X-Kernel: Linux 4.7.0-1-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20161126 (1.7.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/pU1-MBsSZ7QRvuxuluXtRxnj5jk>
Cc: dns-privacy@ietf.org, Stephane Bortzmeyer <bortzmeyer@nic.fr>
Subject: Re: [dns-privacy] [Step 2] More discussion needed: state your opinion
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Dec 2016 15:42:08 -0000

On Tue, Dec 13, 2016 at 03:46:25PM +0100,
 Shane Kerr <shane@time-travellers.org> wrote 
 a message of 120 lines which said:

> I think that TLS may be more painful in the resolver-to-auth case,
> as TCP Fast Open will be generally less useful, right?

Same thing (even worse) for persistent TCP connections.

But the problem is made less serious by the huge concentration of
authoritative name servers (this concentration is a bad thing, but it
helps for clients who maintain per-server state, which would be the
case with TCP Fast Open). Among the Alexa top 100k, only 24 k servers
<https://blog.imirhil.fr/2015/02/18/vie-privee-dns.html>

> IIRC the idea of using IPsec was also discussed somewhere. IIRC,
> IPsec may have problems traversing NAT. It is also usually
> implemented by the kernel, which may cause deployment issues. I
> *want* IPsec to be an option here, but realistically I don't think
> it is.

Eric Rescorla talked about it at the London BoF
<https://www.ietf.org/proceedings/89/slides/slides-89-dnse-5.pdf>

> The other alternative is to invent some novel crypto (fun but
> ill-advised)

This was the opinion defended by Mukund Sivaraman at the Seoul
meeting, and this is why draft-krecicki-dprive-dnsenc is mentioned in
my draft (there is also draft-wijngaards-dnsop-confidentialdns).

> AIUI the draft, if we want to use DNS the problem is that we want to
> know how to encrypt a session to a name server, but we can't look up
> anything about the name server in the DNS because we don't yet know
> how to encrypt a session to the name server.

I disagree. We can look up without keys. It just has to be without
privacy. See for instance the discussion on
draft-ietf-dprive-dtls-and-tls-profiles, specially
<https://mailarchive.ietf.org/arch/msg/dns-privacy/U9bGDAOReP_zYc4tPZY4AdWc2eM>

> * keys must be shared across administrative boundaries (that is, if
>   I use Dyn and FreeDNS for hosting, then both hosters can
>   impersonate the other or decrypt traffic to the other)

This is for me a stopper.

v2.23.0 | Report a Bug | By Email