Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses

"Wiley, Glen" <> Fri, 21 March 2014 14:57 UTC

From: "Wiley, Glen" <>
To: Stephane Bortzmeyer <>, Phillip Hallam-Baker <>
Date: Fri, 21 Mar 2014 14:57:38 +0000
Subject: Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses

Glen Wiley

Sr. Engineer
The Hive, Verisign, Inc.

On 3/21/14 10:54 AM, "Stephane Bortzmeyer" <> wrote:

>On Wed, Mar 19, 2014 at 01:40:01PM -0400,
> Phillip Hallam-Baker <> wrote
> a message of 144 lines which said:
>> One consequence of encrypting DNS traffic is that we break backwards
>> compatibility.
>Just a reminder: "This list is for the discussion of the problem
>statement surrounding the addition of privacy to the DNS protocol."
>Privacy is the goal, encryption may be a solution. This list is
>dns-privacy, not dns-encryption.


>> Since we are going to break backwards compatibility we should take
>> the opportunity to fix some of the problems in the DNS protocol.
>I disagree with this approach: adding encryption, should we decide it,
>is more than enough work to keep an IETF mailing list active for many
>months (years?) Saying "hey, cool, the gates are open, let's try to
>push all the other stuff I want" seems a sure recipe for a second
>system failure <>.

The past decade of chatter regarding changes to DNS is a strong indicator
of the need to keep the scope of these changes tightly constrained if
there is any hope of producing consensus on a solution.

>> So I would like to require a server that supports the crypto query
>> to be required to actually implement what is written in 1035 and
>> respond to
>> multiple queries.
>RFC 1035 is quite broken here since it does not say how to set the
>status code when the different questions yield different results. In
>the last years, several people have proposed to update RFC 1035 to
>make this scheme workable (for instance by requesting that all the
>questions use the same qname or by having several response packets, as
>you suggest) but it never went far.
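The RFC 1035 problem raised in the quoted reply, shown concretely as an added example (not code from the thread or from any DNS implementation): the message header has a single 4-bit RCODE, but QDCOUNT lets a query carry several questions, so a query with one existing and one missing name has no single correct status code. The toy responder below takes the conservative route most servers take and refuses such queries with FORMERR. The names `example.com.` and `nope.example.` and the one-entry zone are constructed test data.

```python
import struct

RCODE_NOERROR, RCODE_FORMERR, RCODE_NXDOMAIN = 0, 1, 3
FLAG_QR, FLAG_RD = 0x8000, 0x0100
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted name into RFC 1035 label format (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(txid, questions):
    """Build a query; QDCOUNT is simply the number of questions supplied."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, len(questions), 0, 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HH", t, QCLASS_IN)
                    for n, t in questions)
    return header + body


def parse_header(msg):
    """Unpack the 12-byte header; note there is exactly one RCODE field."""
    if len(msg) < 12:
        raise ValueError("short message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def decode_name(msg, off):
    """Decode an uncompressed name at offset off; returns (name, new_off)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_questions(msg):
    """Return [(name, qtype, qclass), ...] for every question in the message."""
    off, qs = 12, []
    for _ in range(parse_header(msg)["qdcount"]):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        qs.append((name, qtype, qclass))
    return qs


def per_question_rcodes(msg, zone):
    """What each question would get on its own: NOERROR if known, else NXDOMAIN.
    With two questions this can be [0, 3], which no single RCODE expresses."""
    return [RCODE_NOERROR if name in zone else RCODE_NXDOMAIN
            for name, _, _ in parse_questions(msg)]


def respond(msg, zone):
    """Toy authoritative responder (an assumption for illustration, not any real
    server). Because the header holds one RCODE, a query with QDCOUNT != 1 is
    refused with FORMERR; otherwise the question is echoed with its own RCODE.
    No answer records are synthesized; only the status code is decided."""
    hdr = parse_header(msg)
    if hdr["qdcount"] != 1:
        rcode, qd_echo = RCODE_FORMERR, b""
    else:
        rcode, qd_echo = per_question_rcodes(msg, zone)[0], msg[12:]
    flags = FLAG_QR | FLAG_RD | rcode
    return struct.pack("!HHHHHH", hdr["id"], flags, 1 if qd_echo else 0,
                       0, 0, 0) + qd_echo


if __name__ == "__main__":
    zone = {"example.com."}  # constructed one-name zone
    multi = build_query(0x1235, [("example.com.", QTYPE_A), ("nope.example.", QTYPE_A)])
    print("per-question outcomes:", per_question_rcodes(multi, zone))
    print("responder RCODE:", parse_header(respond(multi, zone))["rcode"])
```

Running the script shows the two-question query would need both NOERROR and NXDOMAIN at once, and that the responder falls back to FORMERR rather than pick one; a single-question query gets the expected per-name status.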