Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS
Watson Ladd <watsonbladd@gmail.com> Sat, 15 February 2014 16:44 UTC
In-Reply-To: <20140215140133.GA6990@sources.org>
References: <CAESS1RPh+UK+r=JzZ9nE_DUqcvNtZiS6TNt1CDN-C0uiU7HP=A@mail.gmail.com> <52FEF407.30405@redbarn.org> <20140215140133.GA6990@sources.org>
Date: Sat, 15 Feb 2014 08:44:27 -0800
Message-ID: <CACsn0cn=B201xpoMLhEpwhj_NRtG64zQQyoS7eCf_8-0cmeHFQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/AM-qa9zFX59DBdxoxT6gepJu3W4
X-Mailman-Approved-At: Sun, 16 Feb 2014 18:51:54 -0800
Cc: dnsop@ietf.org, Paul Vixie <paul@redbarn.org>, perpass@ietf.org, Zi Hu <zihu@usc.edu>
Subject: Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS
Dear all,

This proposal has multiple shortcomings compared to DNSCurve.

First off, it says that the rationale for TLS over DNSCurve is simply to "take advantage of TLS". I would respectfully submit that DJB can do a better job than the TLS committee, and did. Merely adding bolts and nuts onto a design is not improving it.

Secondly, this proposal only works on TCP. This imposes latency and state requirements that most people would rather avoid. The use of keepalive only addresses the computational burden, not the state burden, and with the DH speed records we have today it is unnecessary.

Thirdly, this proposal ignores entirely how to validate the server over the TLS connection. Does it need a certificate? Who should be allowed to sign it? How should it be validated? DNSSEC provides a PKI, and this proposal provides another one. Their interactions will not be fun.

Fourthly, there is substantial operational knowledge and deployed, working code implementing DNSCurve. This does not hold for this proposal.

Sincerely,
Watson Ladd