Re: [dns-privacy] Ben Campbell's Yes on draft-ietf-dprive-dns-over-tls-07: (with COMMENT)
Sara Dickinson <sara@sinodun.com> Wed, 16 March 2016 17:10 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA7B712DA01 for <dns-privacy@ietfa.amsl.com>; Wed, 16 Mar 2016 10:10:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rU9nerb9orab for <dns-privacy@ietfa.amsl.com>; Wed, 16 Mar 2016 10:10:17 -0700 (PDT)
Received: from shcp01.hosting.zen.net.uk (shcp01.hosting.zen.net.uk [88.98.24.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15DF512DA00 for <dns-privacy@ietf.org>; Wed, 16 Mar 2016 10:10:16 -0700 (PDT)
Received: from [62.232.251.194] (port=18409 helo=virgo.sinodun.com) by shcp01.hosting.zen.net.uk with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.86_1) (envelope-from <sara@sinodun.com>) id 1agExS-0007Tq-2D; Wed, 16 Mar 2016 17:10:12 +0000
Content-Type: multipart/alternative; boundary="Apple-Mail=_EBC86F15-E466-44E5-BA0A-4887EE728C30"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <20160315142340.GA27831@nic.fr>
Date: Wed, 16 Mar 2016 17:10:07 +0000
Message-Id: <01505895-E083-4969-BDF1-F9659B87D02B@sinodun.com>
References: <20160315035859.11533.34536.idtracker@ietfa.amsl.com> <20160315142340.GA27831@nic.fr>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
X-Mailer: Apple Mail (2.3112)
X-OutGoing-Spam-Status: No, score=-2.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shcp01.hosting.zen.net.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sinodun.com
X-Get-Message-Sender-Via: shcp01.hosting.zen.net.uk: authenticated_id: sara+sinodun.com/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: shcp01.hosting.zen.net.uk: sara@sinodun.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/zjipEifoAPRxGzmstp8BQl8J0Kc>
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] Ben Campbell's Yes on draft-ietf-dprive-dns-over-tls-07: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2016 17:10:20 -0000
> On 15 Mar 2016, at 14:23, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: > >> Do (or should) the profiles have anything to say about clear-text >> fallback if a client cannot connect to the server's DNS-over-TLS >> port, or the TLS handshake fails? I infer that such fallback should >> not occur with the pinned profile, but what about the opportunistic >> profile? > > I don't want to reopen discussions on > draft-ietf-dprive-dns-over-tls-07 but may be we can improve it for > draft-ietf-dprive-dtls-and-tls-profiles-00: its definition in section > 5 does not address this issue. May be have two opportunistic > profiles, one with fallback to clear text if necessary and another > without? Hi Stephane/Ben, Note that the discussion in draft-ietf-dprive-dtls-and-tls-profiles-00 section 4.2 quotes RFC7435 directly which states that Opportunistic Security is described as “... the use of cleartext as the baseline communication security policy, with encryption and authentication negotiated and applied to the communication when available.” So at the moment that draft describes 2 profiles, a Strict one which requires authentication (or failure), or an Opportunistic one as described above. The use case for an ‘in-between’ profile that requires encryption but not authentication is debatable since it only provides limited protection from attacks. Sara.
- [dns-privacy] Ben Campbell's Yes on draft-ietf-dp… Ben Campbell
- Re: [dns-privacy] Ben Campbell's Yes on draft-iet… Stephane Bortzmeyer
- Re: [dns-privacy] Ben Campbell's Yes on draft-iet… Stephane Bortzmeyer
- Re: [dns-privacy] Ben Campbell's Yes on draft-iet… Ben Campbell
- Re: [dns-privacy] Ben Campbell's Yes on draft-iet… Sara Dickinson