Re: [dnsext] DTLS alternative to DNS-Curve

Phillip Hallam-Baker <hallam@gmail.com> Thu, 16 September 2010 20:25 UTC

To: Tony Finch <dot@dotat.at>
Cc: namedroppers <namedroppers@ops.ietf.org>

It certainly works for updates and there is certainly a delta required to
use it for requests. My starting point for doing all this stuff was looking
at TKEY.

Now whether it is better to build on TKEY/GSSAPI or TLS/Ticket is something
we can argue about later. It is not out of the bounds of possibility that we
might want both. One of the problems of using DNS for anything at this point
is that some networks have firewalls that filter the DNS traffic and some
broadband providers intercept and redirect DNS traffic.


I think we probably agree that we can meet our requirements for servicing
client requests without going to DNSCurve and introducing a completely new
raft of crypto.


On Thu, Sep 16, 2010 at 3:05 PM, Tony Finch <dot@dotat.at> wrote:

> On Thu, 16 Sep 2010, Phillip Hallam-Baker wrote:
>
> > I think it would take a huge amount of effort to get RFC 2930 into an
> > acceptable state. It is ten years old and like many other DNSSEC drafts of
> > that vintage rather vague on details.
> >
> > http://tools.ietf.org/html/rfc2930
> >
> > This is really not much more than a RR format with a vague suggestion to use
> > GSSAPI.
>
> It is widely deployed:
> http://technet.microsoft.com/en-us/library/cc961412.aspx
>
> It does need extending to secure queries (as well as / instead of updates)
> and to work outside the context of a kerberos realm.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
> DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
> ROUGH. RAIN THEN FAIR. GOOD.
>



-- 
Website: http://hallambaker.com/