Re: [dns-privacy] NS names, was re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
Shumon Huque <shuque@gmail.com> Wed, 10 June 2020 11:55 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEB983A0765 for <dns-privacy@ietfa.amsl.com>; Wed, 10 Jun 2020 04:55:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xpn7wwCdV-x7 for <dns-privacy@ietfa.amsl.com>; Wed, 10 Jun 2020 04:55:14 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D86053A060D for <dns-privacy@ietf.org>; Wed, 10 Jun 2020 04:55:13 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id l12so2205427ejn.10 for <dns-privacy@ietf.org>; Wed, 10 Jun 2020 04:55:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YSV2Ts1gmT8HfdmSQOYRiRmIedwULfzDgY9l/gvBVSk=; b=QoKLNrOVeHf0+74zalUH7qKWZdRlLo0Z6LIB52XjpCidaYTq/FsSg8ciWlAQG0dRi8 2fFJVtdlodoYDqnJniL3ZwOfGgyHHtDWuisLM3V3DqJY7rkrWPI7l2GZNanTeI1FNawT 6H7LPzDUmz7k+Hplc0fC+RoH01PsFFQxjzJavMdQ1o9HWEpXLG6DaXN7Z31vzuQlBuTk 9wRx4M4MVyd7wosJvQ072dG0TRQ+4mYuujSZmGlcGjx0J3GZpH8UwRTziQuwgEL8jPBJ mbzBIVsOHU31XH2ihmG9MOI/p35jX3a2XlAvkz3MlxwqAbkgi4O/u5v/174STENopr2d UmEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YSV2Ts1gmT8HfdmSQOYRiRmIedwULfzDgY9l/gvBVSk=; b=mIgeQdVmF5Ry8v++qmEHjzUFkk4zYnZm5svqWIQRxdkSr4wokl8S1FvW6T2s40zjwR 12nKaG0g2Wga5zezTXAPUkkNo37JX/3zlDvMREF1EgKylgQf2dwV/oEQnSpZ4kdA+Emf 57PDZa0Cj1Kp8yYGkpS0g8WTCKBJtGuNNrj1/xVVyngS+kPCgsPrdRk3zQTPE9b1Hhsp mA323nKUKnzYWAAYo5K8Y0pQGQpybfBql0knrQRIMW1kjccxygUgZ9tzS6Y1fUgrXZna d1V4bo0XdSENpUcVrz1W/71fwiJy9+8cEVjrP/fpOggGugAh0pJIhmA+waa4E0oeCV6v ueCA==
X-Gm-Message-State: AOAM5313TQ4FvO+qPrjeBOgnf0d2i0D+5AW/vIhNl2LKtaCHOD8X3dsH cDFSIupyvdr6EQVU5gWWYamFNw4FVrXOKACqIoA=
X-Google-Smtp-Source: ABdhPJypRoIJ2OfTxVeseJ8A7pewRFWhiBWUGLgUyEblsDvvTWIO4wR3xp1oMXPXsGIFGUA838Jp/OfPnh76NoYJuSc=
X-Received: by 2002:a17:906:840d:: with SMTP id n13mr2958332ejx.49.1591790112360; Wed, 10 Jun 2020 04:55:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdUoZVecj5Jfd6NxyJ-cRhTJTS1N8vcC5pC3uWQECLOCnQ@mail.gmail.com> <20200609183122.203851A5666F@ary.qy> <CAHPuVdVwxSG3pXNECy-2CUtR-bMG4DyQ5cYQPcnf9xNjzVGc4Q@mail.gmail.com> <b10fb7a1-08f9-9cff-f29d-3a43eec6772f@huitema.net>
In-Reply-To: <b10fb7a1-08f9-9cff-f29d-3a43eec6772f@huitema.net>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 10 Jun 2020 07:55:01 -0400
Message-ID: <CAHPuVdVJ2_DoPpb5C2ET8kEzvfDHACPNQP-2r__sVTQ76WmL4w@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="000000000000344e9205a7b984e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/tL2v7rEKuqZzgRIF0-21K3BPYxg>
Subject: Re: [dns-privacy] NS names, was re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jun 2020 11:55:16 -0000
On Tue, Jun 9, 2020 at 11:43 PM Christian Huitema <huitema@huitema.net> wrote > There are two tests that matter: first, verify that the NS record is > genuine and that the designated server is indeed the server chosen by the > target domain; two, verify that the TLS connection terminates at the > specified server. It is tempting to take a shortcut and merely verify that > the TLS connection terminates at a server authorized by the target domain, > but I don't think that's a good idea. John pointed out a management issue: > the server would have to manage a large set of certificates, one for each > domain it serves. But on top of the management issue, there are also > performance issues and privacy issues. > > TLS authenticates the server during the connection handshake. That means > one authentication per connection. In the case of a resolver accessing > several domains served by the same big server, that means establishing > separate TLS connections for each target domain, instead of establishing > just one connection. That will clearly impact performances, but there is > also a privacy aspect. In the absence of SNI encryption, the SNI can be > observed. If the SNI just carries the name of the name server, no big deal. > But if it carries the name of the target domain, the exchange reveals that > this particular resolver queried that particular domain. Mix that with > observation of the traffic to the recursive resolver, and you have an > interesting privacy leak. > Hi Christian - yes, the zone name leakage issue would necessitate SNI encryption in this design. Coupled with the fact that real privacy means hiding in a large crowd (i.e. locating the zone name servers on large DNS hosters serving thousands of zones, whose name server names and addresses reveal no obvious connection to the zone name), and the resulting certificate management issues that John pointed out, this idea looks less attractive. The more I think about all the privacy leaks that have to be plugged at the DNS and application layers, Tor increasingly looks better as a general purpose solution (either as a network to funnel DNS messages through, or even better, having zone operators locate authority servers inside Tor as hidden services). It has a significant performance cost, but real privacy always does. Shumon
- [dns-privacy] [Fwd: New Version Notification for … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Mikael Abrahamsson
- Re: [dns-privacy] [Fwd: New Version Notification … Jeremy Harris
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ondřej Surý
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Stephen Farrell
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Shumon Huque
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- [dns-privacy] re-evaluation of the draft, was Re:… Paul Wouters
- Re: [dns-privacy] re-evaluation of the draft, was… Robin Geuze
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … John Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Christian Huitema
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … John R Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John Levine
- Re: [dns-privacy] bootstrapping NS names, was re-… Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John R Levine