Re: [DNSOP] proposal: Covert in-band zone data

Joe Abley <jabley@hopcount.ca> Sat, 06 July 2019 22:39 UTC

From: Joe Abley <jabley@hopcount.ca>
References: <20190706213024.GA56650@isc.org>
In-Reply-To: <20190706213024.GA56650@isc.org>
Date: Sat, 06 Jul 2019 15:39:53 -0700
Message-ID: <CAJhMdTMwCiAS+S_j-i3BXPZ=G1zVhAq+YKH07RsDWRgezPhejg@mail.gmail.com>
To: Evan Hunt <each@isc.org>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6ln8lOGeJ_Td2edjLvpCr2A23AM>
Subject: Re: [DNSOP] proposal: Covert in-band zone data

Hi Evan!

On Jul 6, 2019, at 17:30, Evan Hunt <each@isc.org> wrote:

> More recently, Witold Krecicki had a very similar idea for a mechanism to
> disseminate private key data between primary and secondary servers.  We
> talked it over and decided to expand the NOTE record semantics into a
> generic method for storing and transferring covert in-band zone data.

What's the use-case for using the DNS to transfer private key data?

At first glance it seems to me that there are a lot of alternative
mechanisms, many of which seem less likely to leak confidential data
than using a protocol that has only really ever been deployed to make
information public.

If there's a good reason to use the DNS for this your proposal seems
like a plausible way to do it (I haven't read it in detail, but you
know what you're doing and I'm sure it's good stuff). It's that first
if that gives me pause.


Joe