Re: [DNSOP] my dnse vision
Tim Wicinski <tjw.ietf@gmail.com> Wed, 05 March 2014 11:14 UTC
Message-ID: <531706EF.3060008@gmail.com>
Date: Wed, 05 Mar 2014 11:13:51 +0000
From: Tim Wicinski <tjw.ietf@gmail.com>
To: Francis Dupont <Francis.Dupont@fdupont.fr>, dnsop@ietf.org
References: <201403051107.s25B7ext069332@givry.fdupont.fr>
In-Reply-To: <201403051107.s25B7ext069332@givry.fdupont.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/2-UwGw1Wty3lJfk7_y_30FKkBIM
Francis,

This is some good summarizing.

With your solution, you don't mention UDP. I would consider the lack of UDP an issue with moving forward, at least for wide deployment. Others seem to think otherwise. I'd be interested in hearing opinions on this.

The WG will help us chairs form the discussion, but I still feel there is a need for a more formalized problem statement. Stephane's draft goes a long way; do we think it covers all the bases?

tim

On 3/5/14, 11:07 AM, Francis Dupont wrote:
> From discussions with Stephane Bortzmeyer and Mark Andrews...
>
> First I come back to the fact there are two different problems
> (aka divide and conquer):
> * stubs <-> resolver
> * resolver <-> auth servers
>
> I consider the first one to be already solved, cf. the Microsoft
> deployed solution which puts clients, local networks, the resolver
> (also the Microsoft Domain Server :-), in the same area and uses
> IPsec to protect it. You can do other ways but IMHO we can assume
> you don't need confidentiality with far or untrusted resolvers.
> Or in other words you don't need confidentiality with 8.8.8.8
>
> So we have the second (and *hard*) problem to address.
> A thing we can do now is to minimize qnames (Stephane should
> write a dedicated draft about this): it doesn't change the protocol,
> and IMHO to change referrals by direct queries about name servers
> should not be a bad thing.
>
> The last step is to design an encryption solution.
> My requirements are:
>
> 1- the solution SHOULD NOT add extra round trips
>
> 2- the solution MUST NOT add per client state on servers
>
> 3- the solution MUST work without prior arrangements
>
> In details: 1- is about extra delays but for higher level domains
> a validating resolver will anyway make other related requests
> so the extra delays will be diluted.
> 2- is about scalability and anycast, e.g., we want the solution
> to work with a common setup where requests are load-balanced
> between multiple server instances. Note the keyword is "state",
> we can accept a state associated with a TCP connection but
> a solution relying on even medium key TTL should be rejected.
> 3- is common sense, and includes circular dependencies if
> for instance the server public key is itself delivered through
> the DNS.
>
> On the other hand we only need a weak (== not very strong) protection
> against passive attacks, so it doesn't matter that the standard mutually
> authenticated Diffie-Hellman + symmetrical A+E cipher doesn't fit.
>
> Regards
>
> Francis.Dupont@fdupont.fr
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
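The qname minimisation Francis proposes as the "thing we can do now" (later written up by Stephane Bortzmeyer as RFC 7816 and revised in RFC 9156) is easiest to see by comparing what each authoritative server on the delegation path learns under the two strategies. The Python below is an added illustration, not code from this thread or from any resolver; the delegation tree (".", "com.", "example.com.", with "sub.example.com." an ordinary name inside example.com.), the address data and the mock authoritative server are all constructed for the example. The mock answers only with referrals, data or NODATA; the NXDOMAIN and empty-non-terminal quirks that the deployed algorithm has to handle are left out. The walk also shows the cost Francis's requirement 1 is about: in this tree the minimised resolver needs one more round trip than the classic one.

```python
"""Classic iterative resolution vs. query-name minimisation (added example).

The delegation tree, the address data and the authoritative-server
behaviour below are constructed for illustration only.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed delegation tree: zone apexes that have their own servers.
# "sub.example.com." is deliberately NOT a zone cut; it lives inside example.com.
ZONE_CUTS: Set[str] = {".", "com.", "example.com."}

# Constructed address data held by the example.com. server.
ADDRESSES: Dict[str, str] = {
    "example.com.": "192.0.2.1",
    "www.sub.example.com.": "192.0.2.10",
}

# (zone whose server was asked, qname sent, qtype sent)
Query = Tuple[str, str, str]


def labels(name: str) -> List[str]:
    """'www.example.com.' -> ['www', 'example', 'com']; '.' -> []."""
    return [lab for lab in name.split(".") if lab]


def encloses(ancestor: str, name: str) -> bool:
    """True when `name` is `ancestor` itself or lies below it."""
    a, n = labels(ancestor), labels(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


def auth_respond(zone: str, qname: str, qtype: str) -> Tuple[str, Optional[str]]:
    """Mock authoritative server for `zone` (constructed behaviour).

    Returns ("REFERRAL", child_zone) when qname lies under a delegated child,
    ("ANSWER", rdata) for data the zone holds, otherwise ("NODATA", None).
    """
    children = [c for c in ZONE_CUTS
                if c != zone and encloses(zone, c) and encloses(c, qname)]
    if children:
        # the delegation directly below this zone that encloses qname
        return "REFERRAL", min(children, key=lambda c: len(labels(c)))
    if qtype == "A" and qname in ADDRESSES:
        return "ANSWER", ADDRESSES[qname]
    return "NODATA", None


def resolve_classic(qname: str, qtype: str = "A") -> List[Query]:
    """Iterative resolution as deployed in 2014: every server on the
    delegation path is sent the full question."""
    sent: List[Query] = []
    zone = "."
    while True:
        sent.append((zone, qname, qtype))
        kind, data = auth_respond(zone, qname, qtype)
        if kind != "REFERRAL":
            return sent
        zone = data


def resolve_minimised(qname: str, qtype: str = "A") -> List[Query]:
    """Query-name minimisation: each server is asked (QTYPE NS) only about
    the name one label longer than what it already knows; referrals are
    followed until a single label remains, then the real question is sent."""
    sent: List[Query] = []
    lbls = labels(qname)
    zone = "."   # zone whose server we are currently talking to
    known = 0    # trailing labels of qname already disclosed to that server
    while True:
        if len(lbls) - known <= 1:
            # Only the leftmost label is still hidden: ask the real question,
            # still following a referral if the last probe landed on a cut.
            sent.append((zone, qname, qtype))
            kind, data = auth_respond(zone, qname, qtype)
            if kind != "REFERRAL":
                return sent
            zone, known = data, len(labels(data))
            continue
        probe = ".".join(lbls[-(known + 1):]) + "."
        sent.append((zone, probe, "NS"))
        kind, data = auth_respond(zone, probe, "NS")
        known += 1
        if kind == "REFERRAL":
            zone = data   # the child zone starts exactly at `probe`


def names_seen_by(sent: List[Query], zone: str) -> Set[str]:
    """What the server for `zone` (or a passive observer on its wire) learns."""
    return {q for z, q, _ in sent if z == zone}


if __name__ == "__main__":
    for strategy in (resolve_classic, resolve_minimised):
        print(strategy.__name__)
        for zone, q, t in strategy("www.sub.example.com."):
            print(f"  to {zone:<14} {q:<24} {t}")
```

Run as a script it prints both walks for www.sub.example.com.: the classic resolver sends the full name to the root, com. and example.com. servers, while the minimised one lets the root see only "com.", com. only "example.com.", and reveals the full name only to the server that is authoritative for it, at the price of one extra query.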