Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS
Tony Finch <dot@dotat.at> Sat, 15 February 2014 17:24 UTC
Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8959B1A01C8; Sat, 15 Feb 2014 09:24:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h57VQJrmZWeD; Sat, 15 Feb 2014 09:24:00 -0800 (PST)
Received: from ppsw-42.csi.cam.ac.uk (ppsw-42.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f42]) by ietfa.amsl.com (Postfix) with ESMTP id 655901A00EF; Sat, 15 Feb 2014 09:24:00 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:49691) by ppsw-42.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.159]:25) with esmtpa (EXTERNAL:fanf2) id 1WEiy5-0000G7-7B (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Sat, 15 Feb 2014 17:23:57 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1WEiy5-0006Xt-5Z (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Sat, 15 Feb 2014 17:23:57 +0000
Date: Sat, 15 Feb 2014 17:23:57 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
In-Reply-To: <20140215165256.GA21498@sources.org>
Message-ID: <alpine.LSU.2.00.1402151714050.15381@hermes-1.csi.cam.ac.uk>
References: <CAESS1RPh+UK+r=JzZ9nE_DUqcvNtZiS6TNt1CDN-C0uiU7HP=A@mail.gmail.com> <alpine.LSU.2.00.1402151448290.15381@hermes-1.csi.cam.ac.uk> <20140215165256.GA21498@sources.org>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/4ZjvQRAZi8wpEliyYh2UtGdlJV4
Cc: dnsop@ietf.org, perpass@ietf.org, Zi Hu <zihu@usc.edu>
Subject: Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Feb 2014 17:24:02 -0000
Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: > On Sat, Feb 15, 2014 at 03:40:48PM +0000, > Tony Finch <dot@dotat.at> wrote > a message of 84 lines which said: > > > A DANE-like approach might work for authoritative servers. > > It is mentioned in the draft but it raises an interesting > chicken-and-egg problem when you want to secure DNS with info found in > the DNS. Very interesting :-) The resolver needs to find out that an auth server supports TLS before it sends a query. This implies that the information needs to be part of the referral. It would be wrong to shoe-horn it into the DS RRset (e.g. by adding semantics to one of the algorithm fields) since DS records relate to the zone not to the name servers. So it should go into the NS RRset - but referral NS records aren't signed! Maybe the resolver could go and ask elsewhere. This could be quite plausible for out-of-zone name servers, but it does not help for in-zone server names. Or use the reverse DNS? No palatable options that I can see :-/ Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Malin, Hebrides, Bailey: Northwest 7 to severe gale 9 decreasing 4 or 5, occasionally variable 3 later. Very rough or high, becoming rough later. Showers, squally at first. Moderate or poor becoming good.
- [DNSOP] draft-hzhwm-start-tls-for-dns-00: Startin… Zi Hu
- Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Sta… Paul Vixie
- Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Sta… Stephane Bortzmeyer
- Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Sta… Tony Finch
- Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Sta… Stephane Bortzmeyer
- Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-d… Stephane Bortzmeyer
- Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Sta… Tony Finch
- Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-d… Paul Vixie
- Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Sta… Paul Wouters
- [DNSOP] meta issue: WG to discuss DNS innovation … David Conrad
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Patrik Fältström
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Dave Crocker
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Patrik Fältström
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Paul Hoffman
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Christian Grothoff
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Dave Crocker
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Patrik Fältström
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Patrik Fältström
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Joe Abley
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Paul Vixie
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Paul Wouters
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Tim Wicinski
- Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-d… Watson Ladd
- Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-d… Paul Hoffman
- Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-d… Paul Hoffman
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… John Levine
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Jay Daley
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Ted Lemon
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Andrew Sullivan
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… joel jaeggli
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Joe Abley
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Ted Lemon
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… David Conrad
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Ted Lemon
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Paul Hoffman
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Ted Lemon
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Andrew Sullivan
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… David Conrad
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Suzanne Woolf
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Tim Wicinski
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Olafur Gudmundsson
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Ted Lemon
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Ted Lemon
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… SM
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Suzanne Woolf
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… SM
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Ted Lemon
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Joe Abley
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Mark Andrews
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Patrik Fältström
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Mark Delany
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Mark Andrews
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Mark Delany
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… George Michaelson
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… Mark Andrews
- Re: [DNSOP] meta issue: WG to discuss DNS innovat… SM