Re: [dnsext] DTLS alternative to DNS-Curve
Phillip Hallam-Baker <hallam@gmail.com> Thu, 16 September 2010 20:25 UTC
In-Reply-To: <alpine.LSU.2.00.1009162003370.31356@hermes-2.csi.cam.ac.uk>
References: <AANLkTin2xY+cAck+3sWcn8hibDrZbXLzttznGM9sRQz+@mail.gmail.com> <alpine.LSU.2.00.1009161925200.31356@hermes-2.csi.cam.ac.uk> <AANLkTikEq8KVQxzAo3e_RJOWbYvVGrXjLnVCooFs3H=q@mail.gmail.com> <alpine.LSU.2.00.1009162003370.31356@hermes-2.csi.cam.ac.uk>
Date: Thu, 16 Sep 2010 16:20:30 -0400
Message-ID: <AANLkTimD=Mcx-COzENWWd1GeESCW8hW189uRJE6eDanB@mail.gmail.com>
Subject: Re: [dnsext] DTLS alternative to DNS-Curve
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: namedroppers <namedroppers@ops.ietf.org>
It certainly works for updates and there is certainly a delta required to use it for requests.

My starting point for doing all this stuff was looking at TKEY. Now whether it is better to build on TKEY/GSSAPI or TLS/Ticket is something we can argue about later. It is not out of the bounds of possibility that we might want both.

One of the problems of using DNS for anything at this point is that some networks have firewalls that filter the DNS traffic and some broadband providers intercept and redirect DNS traffic.

I think we probably agree that we can meet our requirements for servicing client requests without going to DNSCurve and introducing a completely new raft of crypto.

On Thu, Sep 16, 2010 at 3:05 PM, Tony Finch <dot@dotat.at> wrote:

> On Thu, 16 Sep 2010, Phillip Hallam-Baker wrote:
>
> > I think it would take a huge amount of effort to get RFC 2930 into an
> > acceptable state. It is ten years old and like many other DNSSEC drafts of
> > that vintage rather vague on details.
> >
> > http://tools.ietf.org/html/rfc2930
> >
> > This is really not much more than an RR format with a vague suggestion to use
> > GSSAPI.
>
> It is widely deployed:
> http://technet.microsoft.com/en-us/library/cc961412.aspx
>
> It does need extending to secure queries (as well as / instead of updates)
> and to work outside the context of a kerberos realm.
>
> Tony.
> --
> f.anthony.n.finch <dot@dotat.at> http://dotat.at/
> HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
> DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
> ROUGH. RAIN THEN FAIR. GOOD.

--
Website: http://hallambaker.com/
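For readers who want to see what "an RR format with a vague suggestion to use GSSAPI" amounts to on the wire, here is an added example (not from this message, from Tony Finch, or from any of the cited implementations) that encodes and decodes the TKEY RDATA layout of RFC 2930 section 2 and applies the inception/expiration validity check the RFC requires. The algorithm name `gss-tsig.`, the opaque token bytes and the timestamps are constructed sample values, not values taken from any real exchange.

```python
"""Encode, decode and validity-check TKEY RDATA (RFC 2930, RR type 249).

Wire layout of the RDATA (all integers big-endian):
  Algorithm   domain name (no compression allowed)
  Inception   32-bit seconds since the Unix epoch
  Expiration  32-bit seconds since the Unix epoch
  Mode        16-bit key agreement mode
  Error       16-bit extended RCODE (0 = NOERROR)
  Key Size    16-bit length of Key Data
  Key Data    opaque (e.g. a GSS-API token in mode 3)
  Other Size  16-bit length of Other Data
  Other Data  opaque
"""
import struct

# Mode values from RFC 2930 section 2.5; anything else must be rejected.
TKEY_MODES = {
    1: "server assignment",
    2: "Diffie-Hellman exchange",
    3: "GSS-API negotiation",
    4: "resolver assignment",
    5: "key deletion",
}

FIXED_FIELDS = "!IIHHH"          # inception, expiration, mode, error, key size
FIXED_LEN = struct.calcsize(FIXED_FIELDS)


def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, offset: int):
    """Decode an uncompressed name starting at offset; returns (name, new_offset)."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # RFC 2930 forbids compression in TKEY RDATA; a pointer here is malformed input.
            raise ValueError("compression pointer not allowed in TKEY algorithm name")
        if offset + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def encode_tkey(algorithm, inception, expiration, mode, error, key_data, other_data=b""):
    """Build TKEY RDATA from its fields."""
    if mode not in TKEY_MODES:
        raise ValueError("unknown TKEY mode")
    rdata = encode_name(algorithm)
    rdata += struct.pack(FIXED_FIELDS, inception, expiration, mode, error, len(key_data))
    rdata += key_data
    rdata += struct.pack("!H", len(other_data)) + other_data
    return rdata


def decode_tkey(rdata: bytes) -> dict:
    """Parse TKEY RDATA, rejecting truncated or over-long input."""
    algorithm, off = decode_name(rdata, 0)
    if off + FIXED_LEN > len(rdata):
        raise ValueError("truncated fixed fields")
    inception, expiration, mode, error, key_size = struct.unpack_from(FIXED_FIELDS, rdata, off)
    off += FIXED_LEN
    if off + key_size > len(rdata):
        raise ValueError("truncated key data")
    key_data = rdata[off:off + key_size]
    off += key_size
    if off + 2 > len(rdata):
        raise ValueError("truncated other size")
    (other_size,) = struct.unpack_from("!H", rdata, off)
    off += 2
    if off + other_size > len(rdata):
        raise ValueError("truncated other data")
    other_data = rdata[off:off + other_size]
    off += other_size
    if off != len(rdata):
        raise ValueError("trailing bytes after TKEY RDATA")
    return {"algorithm": algorithm, "inception": inception, "expiration": expiration,
            "mode": mode, "error": error, "key_data": key_data, "other_data": other_data}


def tkey_is_valid(record: dict, now: int) -> bool:
    """A TKEY is usable only within [inception, expiration) and with a known mode."""
    return record["mode"] in TKEY_MODES and record["inception"] <= now < record["expiration"]


if __name__ == "__main__":
    # Constructed sample: a mode-3 (GSS-API) TKEY valid for one hour.
    rd = encode_tkey("gss-tsig.", 1284668430, 1284672030, 3, 0, b"constructed-token")
    print(len(rd), "bytes:", rd.hex())
    print(decode_tkey(rd))
```

The decoder deliberately refuses compression pointers and trailing bytes: a server that accepts sloppy TKEY RDATA is exactly the sort of "vague on details" implementation the quoted text worries about, and the validity window is what keeps a captured TKEY from being replayed indefinitely.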