Re: [dns-privacy] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]

Tony Finch <dot@dotat.at> Thu, 20 March 2014 15:07 UTC

Date: Thu, 20 Mar 2014 15:06:48 +0000
From: Tony Finch <dot@dotat.at>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
In-Reply-To: <20140320142020.GA12147@sources.org>
Message-ID: <alpine.LSU.2.00.1403201425560.30415@hermes-1.csi.cam.ac.uk>
References: <20140320103354.GA14856@nic.fr> <alpine.LSU.2.00.1403201044100.31260@hermes-1.csi.cam.ac.uk> <20140320142020.GA12147@sources.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/qTBGJM_ceLlUtFrgjWdOUN1ugvo
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]

Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>
> >    Another note is that the answer to the NS query, unlike the referral
> >    sent when the question is a full qname, is in the Answer section, not
> >    in the Authoritative section.
>
> Also a poor wording since it is the Authority section, not the
> Authoritative one. (Which, by the way, answers your concern.)

I'm not worried about the spelling error: it is wrong to say that an NS
query sent to parent name servers gets an answer rather than a referral.
For example:

; <<>> DiG 9.10.0b1 <<>> +norec +noadditional ns ac.uk @nsa.nic.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3480
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ac.uk.                         IN      NS

;; AUTHORITY SECTION:
ac.uk.                  172800  IN      NS      auth03.ns.uu.net.
ac.uk.                  172800  IN      NS      ns3.ja.net.
ac.uk.                  172800  IN      NS      ns2.ja.net.
ac.uk.                  172800  IN      NS      ws-fra1.win-ip.dfn.de.
ac.uk.                  172800  IN      NS      ns1.surfnet.nl.
ac.uk.                  172800  IN      NS      ns4.ja.net.
ac.uk.                  172800  IN      NS      ns0.ja.net.

;; Query time: 14 msec
;; SERVER: 2001:502:ad09::3#53(2001:502:ad09::3)
;; WHEN: Thu Mar 20 14:27:41 GMT 2014
;; MSG SIZE  rcvd: 202

; <<>> DiG 9.10.0b1 <<>> +norec +noadditional ns ac.uk @ns0.ja.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28108
;; flags: qr aa; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ac.uk.                         IN      NS

;; ANSWER SECTION:
ac.uk.                  86400   IN      NS      ns0.ja.net.
ac.uk.                  86400   IN      NS      ws-fra1.win-ip.dfn.de.
ac.uk.                  86400   IN      NS      ns3.ja.net.
ac.uk.                  86400   IN      NS      ns2.ja.net.
ac.uk.                  86400   IN      NS      ns4.ja.net.
ac.uk.                  86400   IN      NS      auth03.ns.uu.net.
ac.uk.                  86400   IN      NS      ns1.surfnet.nl.

;; Query time: 6 msec
;; SERVER: 2001:630:0:8::14#53(2001:630:0:8::14)
;; WHEN: Thu Mar 20 14:27:34 GMT 2014
;; MSG SIZE  rcvd: 466


> Following the general principle of DNS RFCs, I do not think it would
> be wise to specify an algorithm for resolution with qname
> minimisation, since there is none for traditional resolution.

RFC 1034 section 4.3.2.

> >   fr          IN NS ?
> >   ratp.fr     IN NS ?
> >   www.ratp.fr IN NS ?
> >   www.ratp.fr IN A ?
> >   www.ratp.fr IN AAAA ?
>
> You did not mention the zone which will receive the queries. The third
> query will work, even with the broken Alteon load balancers, since it
> will be sent to the NS of ratp.fr.

Right.

> > Or should you skip the third query?
>
> It MAY (RFC 2119) be skipped since a zone cut is not possible because
> there is just one label more than the previous name.

But there *is* a zone cut here.

> > Skipping the third query would improve latency in most cases (when
> > there isn't a zone cut at the leaf), but it leads to leakage. For
> > example, consider a domain like google.com: do you want the .com
> > name servers to know if you are sending mail to Google, rather than
> > just looking at their web site?
>
> I do not understand. Do you refer to gmail.com/google.com?

No, I mean, if I go to http://google.com in my browser, I will make A and
AAAA queries for google.com, but if I send mail to a Google employee I
will make MX queries for google.com.

So if you skip the NS query for google.com (because it is the whole of the
QNAME in this case) you will leak the A vs MX difference to the .com
servers.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Viking: Southwest 7 to severe gale 9. Rough or very rough. Rain then showers.
Moderate or good.
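To make the two points in this exchange concrete (an NS query answered at the parent is a referral, not an answer, and skipping the leaf NS query exposes the real qtype to the parent zone's servers), here is an added Python example; it is not code from the thread, the draft, or any resolver. The dig header lines are copied from the message above, and the set of zone cuts given to the simulator is a hypothetical input.

```python
import re

# Constructed sample input: the header lines of the two dig responses quoted
# in the message above (the .uk parent server first, then an ac.uk server).
PARENT_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3480
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 1
"""
CHILD_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28108
;; flags: qr aa; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 13
"""
FLAGS_RE = re.compile(r"^;; flags:([^;]*); QUERY: \d+, ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: \d+", re.M)

def classify_ns_response(dig_text):
    """Referral: no 'aa' flag, empty ANSWER section, records in AUTHORITY.
    Authoritative answer: 'aa' flag set and records in the ANSWER section."""
    m = FLAGS_RE.search(dig_text)
    if m is None:
        raise ValueError("no dig flags line found")
    flags = set(m.group(1).split())
    answer, authority = int(m.group(2)), int(m.group(3))
    if "aa" in flags and answer > 0:
        return "authoritative answer"
    if "aa" not in flags and answer == 0 and authority > 0:
        return "referral"
    return "other"

def minimised_query_plan(qname, qtype, skip_leaf_ns=False):
    """One NS query per label, shortest name first, then the real qtype."""
    labels = qname.rstrip(".").split(".")
    plan = [(".".join(labels[i:]), "NS") for i in range(len(labels) - 1, -1, -1)]
    if skip_leaf_ns:          # the "MAY be skipped" optimisation under discussion
        plan.pop()
    return plan + [(qname, qtype)]

def _in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def _depth(zone):
    return 0 if zone == "." else zone.count(".") + 1

def qtypes_seen_per_zone(qname, qtype, zone_cuts, skip_leaf_ns=False):
    """Simulate which zone's servers first receive each query: the deepest zone
    whose cut the resolver already knows. zone_cuts lists the real zone apexes
    (hypothetical input); a referral to an NS query teaches the next cut."""
    known, seen = {"."}, {}
    for name, t in minimised_query_plan(qname, qtype, skip_leaf_ns):
        target = max((z for z in known if _in_zone(name, z)), key=_depth)
        seen.setdefault(target, set()).add(t)
        if t == "NS" and name in zone_cuts:
            known.add(name)
    return seen
```

With the leaf NS query skipped, the .com servers see the MX query directly; with it kept, they see only NS.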