IETF Logo Mail Archive

Re: [dns-privacy] [core] WGA call for draft-lenders-dns-over-coap

Carsten Bormann <cabo@tzi.org> Mon, 15 August 2022 17:34 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E5D9C14CF0E; Mon, 15 Aug 2022 10:34:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0tRX3AVu6qys; Mon, 15 Aug 2022 10:34:48 -0700 (PDT)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [134.102.50.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44F84C15256A; Mon, 15 Aug 2022 10:34:44 -0700 (PDT)
Received: from smtpclient.apple (p5089abf5.dip0.t-ipconnect.de [80.137.171.245]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4M61cc4S50zDCdZ; Mon, 15 Aug 2022 19:34:40 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <A2829FB5-7FAB-4290-83D7-FC548CA730F1@fugue.com>
Date: Mon, 15 Aug 2022 19:34:39 +0200
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dns-privacy@ietf.org, dnsop@ietf.org, core@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <693CE6A0-9479-4265-B3D9-ADEF9EF4B959@tzi.org>
References: <CADyWQ+F2QAmZSnMAg9_-jCMXFmP7E+cdzNurU6d+tya1e9Tyjg@mail.gmail.com> <A2829FB5-7FAB-4290-83D7-FC548CA730F1@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/r0EQPjgzWhbCM0EFJgPpNPIlVpM>
Subject: Re: [dns-privacy] [core] WGA call for draft-lenders-dns-over-coap
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 17:34:50 -0000

On 15. Aug 2022, at 17:11, Ted Lemon <mellon@fugue.com> wrote:
> 
> This is a good question. I think we’d want to understand what the actual use case is for DNS-over-CoAP before proceeding with this,

The main use case is systems that already implement CoAP and do not want to add machinery for some protocols that are used only for very specific purposes.

> since DNS-over-DTLS would obviously be less costly to implement.  

I’m not sure about that, not even in the case where you already have DTLS (and certainly not where you don’t have it because you are using OSCORE).

> The stated use case of this document is to encrypt DNS packets, which is already addressed by DNS-over-DTLS, so if that’s the only motivation for this work, it doesn’t seem like something the IETF should be doing.

See above.

> I’m sure one argument for DNS-over-CoAP is that on-path caching provides some benefit, but it also quite likely breaks the semantics of DNS, so it’s not clear to me that this is actually a good idea. I suspect the thing you need to build to make this work well is a lot more complex than simply a CoAP encapsulation. If this is an important use case, then it might be better to just put a DNS cache at that point in the path; it seems unlikely that the benefit of leveraging an existing CoAP caching strategy would justify the problems such a strategy would create.

I’ll leave that to the authors; obviously, all caches have limitations, but being able to make use of CoAP caches along the way would be an improvement.

> I’d be curious to know if there’s a way to actually compress a DNS packet using CoAP, and that could then make the dns-over-coap use case more interesting. However, the current proposal doesn’t do that, so what it appears to really be doing is adding a layer of complexity and extra bytes to the packet.

That can definitely be done (for a definition of “compress” — a concise form for some DNS data might be a better approach), but it to me it seemed working out the protocol machinery first is the right way to proceed here.  (From the point of view of the CoAP protocol, this would just be a separate media type.)

Grüße, Carsten

v2.23.0 | Report a Bug | By Email