[DNSOP] please review - DNS data integrity and confidentiality

"Hosnieh Rafiee" <ietf@rozanak.com> Mon, 03 March 2014 19:35 UTC

From: "Hosnieh Rafiee" <ietf@rozanak.com>
To: <DNSOP@ietf.org>, <dnsext@ietf.org>, <Int-area@ietf.org>
Date: Mon, 3 Mar 2014 20:35:38 +0100
Message-ID: <00a201cf3717$c16b6490$44422db0$@rozanak.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/7hDjQxuWkQBuwtDBWrjK0CsTKdQ
Subject: [DNSOP] please review - DNS data integrity and confidentiality

Dear All,

CGA-TSIG (http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig) will be
presented as the last item of intarea (Session 2014-03-04 1300-1400: Viscount)

          intarea WG Agenda
          IETF 89
          TUESDAY, March 4, 2014
          1300-1400 Tuesday Afternoon Session I

I ask you all, DNS experts, to please review this draft and attend the intarea
session (tomorrow, Tuesday, at 13:00 - 14:00). Even though you might have a
meeting, please try to attend the last 15 minutes of intarea, since it will
be the last item presented there. Please consider reviewing
this draft so that we have fruitful discussions :-)


For those who didn't read my long note:
The areas that this draft covers

- secure authentication in different scenarios, especially the
authentication of the resolvers, without extra effort, through the support
of this algorithm, or when updating a PTR or FQDN record in a secure manner.

- privacy and confidentiality: People in the IETF are looking for a solution
for confidentiality, as I heard in discussions in this group and in the
application area. This can be a solution for it. This is especially helpful in an
unsecure environment where you want to have privacy while browsing
different websites. So you need to have data encryption between the
resolver and your computer. All your computer needs to know is the IP
address of the resolver; CGA-TSIG handles the other parts. :-)

The other use case for confidentiality is a zone transfer scenario or
dynamic update. The data exchange between the master and slave should be
encrypted to keep this data from prying eyes.

So, this draft answers the need for both data integrity and
confidentiality and prevents IP spoofing without extra effort.

Hope to see you all tomorrow :-)
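The mail above asks for data integrity of the exchange between a stub and its resolver. The following Python block is an added illustration, not code from the draft or from its author, of the integrity property that TSIG provides and that CGA-TSIG builds on: a keyed MAC over the DNS wire message lets the receiver detect a modified answer and reject a stale one. It deliberately simplifies: it uses a constructed shared secret (the draft's point is to avoid pre-shared keys by using CGAs), HMAC-SHA256 over message plus timestamp instead of the full TSIG RR layout from RFC 2845/4635, and a hand-built A response for www.example.org. All names, addresses and the key are constructed sample values.

```python
"""Simplified TSIG-style integrity check over a DNS message (illustration only).

Real TSIG (RFC 2845/4635) computes the HMAC over the DNS message plus the TSIG
variables (key name, algorithm, time signed, fudge, ...) and carries the result
in a TSIG resource record in the additional section. This example keeps only
the essential idea: shared secret + HMAC over the wire message lets the
receiver detect any modification of the response. The MAC input layout below
is constructed for the demo and is not the draft's or the RFC's encoding.
"""
import hashlib
import hmac
import struct

# Constructed shared secret (assumption: in plain TSIG this is a pre-shared key;
# CGA-TSIG's aim is to authenticate without one, which is not modelled here).
SHARED_KEY = b"example-tsig-secret-not-real"
FUDGE_SECONDS = 300  # accepted clock skew, mirrors the TSIG "fudge" idea


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(txid, qname, ipv4):
    """Build a minimal DNS response with one A record answering qname -> ipv4."""
    # Header: ID, flags (QR=1, RD=1, RA=1), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # Answer: compressed pointer to the question name, TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def sign(message, key, time_signed):
    """HMAC-SHA256 over the wire message and the signing time."""
    mac_input = message + struct.pack("!Q", time_signed)
    return hmac.new(key, mac_input, hashlib.sha256).digest()


def verify(message, key, time_signed, mac, now):
    """Reject messages outside the time window, then recompute and compare the MAC."""
    if abs(now - time_signed) > FUDGE_SECONDS:
        return False
    expected = sign(message, key, time_signed)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def demo():
    """Show that a modified answer and a replayed stale answer both fail verification."""
    now = 1393875338  # constructed timestamp, roughly the date of the original mail
    genuine = build_a_response(0x1234, "www.example.org", "192.0.2.10")
    mac = sign(genuine, SHARED_KEY, now)
    # Simulated on-path modification: the A record now points at another address.
    forged = genuine.replace(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return {
        "genuine_ok": verify(genuine, SHARED_KEY, now, mac, now),
        "forged_ok": verify(forged, SHARED_KEY, now, mac, now),
        "stale_ok": verify(genuine, SHARED_KEY, now, mac, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The stale check is what limits replay of a captured, correctly signed answer; the MAC check is what catches the rewritten address. Neither provides confidentiality, which is the second property the draft targets and which would need encryption of the message body on top of this.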