Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS

Watson Ladd, Sat, 15 February 2014 16:44 UTC

From: Watson Ladd
To: Stephane Bortzmeyer
Cc: Paul Vixie, Zi Hu

Dear all,
This proposal has multiple shortcomings compared to DNSCurve.

First off, it says that the rationale for TLS over DNSCurve is simply
to "take advantage of TLS". I would respectfully submit that DJB can
do a better job than the TLS committee, and did. Merely adding bolts
and nuts onto a design is not improving it.

Secondly, this proposal only works on TCP. This imposes latency and
state requirements that most people would rather avoid. The use of
keepalive only addresses computational burden, not state burden, and
with the DH speed records we have today is unnecessary.

Thirdly, this proposal ignores entirely how to validate the server
over the TLS connection. Does it need a certificate? Who should be
allowed to sign it? How should it be validated? DNSSEC provides a PKI,
and this proposal provides another one. Their interactions will not be

Fourthly, there is substantial operational knowledge and deployed,
working, code implementing DNSCurve. This does not hold for this

Watson Ladd