Re: [DNSOP] Last Call: <draft-ietf-dnsop-qname-minimisation-07.txt> (DNS query name minimisation to improve privacy) to Experimental RFC

Maarten Wullink <maarten.wullink@sidn.nl> Wed, 11 November 2015 11:33 UTC

To: dnsop@ietf.org
References: <20151110024851.30496.62673.idtracker@ietfa.amsl.com> <20151111102301.GA25848@sources.org>
From: Maarten Wullink <maarten.wullink@sidn.nl>
Message-ID: <56432767.8040800@sidn.nl>
Date: Wed, 11 Nov 2015 12:32:55 +0100
In-Reply-To: <20151111102301.GA25848@sources.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/JW_8MATH6SCLziE9XuejBWDR4sQ>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-qname-minimisation-07.txt> (DNS query name minimisation to improve privacy) to Experimental RFC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I just read your draft about qname minimisation again and I discovered
that besides limiting the number of labels the resolver is sending to
the authoritative it also proposes to replace the qtype with "NS" when
sending queries to authoritatives.

This is understandable for privacy concerns but it also makes it
impossible (or at least much more difficult) to perform security
analysis at the vantage point of the authoritative server operator such
as a ccTLD.

Detecting spam runs when the MX count/percentage is suspicious is a use
case that will no longer be possible. Other security detection algorithms
will probably also suffer.

Is this something the group discussed? And maybe something you want to
add to the security section of the draft?

Cheers,

Maarten

On 11-11-15 at 11:23, Stephane Bortzmeyer wrote:
> On Mon, Nov 09, 2015 at 06:48:51PM -0800, The IESG
> <iesg-secretary@ietf.org> wrote a message of 35 lines which said:
> 
>> The IESG plans to make a decision in the next few weeks, and 
>> solicits final comments on this action. Please send substantive 
>> comments to the ietf@ietf.org mailing lists by 2015-11-23.
> 
> I have the personal feeling that documents with intended status 
> "Experimental" require more or less the same quantity of efforts
> and scrutiny as the ones intended for the standards track :-(
> 

- -- 
Maarten Wullink | Research Engineer
SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 45 | M +31 (0)6 21 26 87 55 | F +31 (0)26 352 55 05
maarten.wullink@sidn.nl | www.sidn.nl
pgp key: http://pgp.mit.edu/pks/lookup?op=get&search=0x4F2A495C4B1BF08B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJWQydkAAoJEE8qSVxLG/CLEPYH/RoQwtGRdMLbzcgWq0ZTZx2n
PQC1keF+VipvRJgHwO1Le6wn1f43GYg8KN4t0CoIU5toD06tY+C+kxRRuU0tfI+6
Qu7hfHg/MAiMMWxNcf+7HgMd9VxGB1Ul+/jJE/aGGbJ6flXd3lbaD7RnXOlMHCBM
772+KxkJlJUOe4+x2LyJsAToh9ZcVPJpfV6+hOn+GMMVMwl7IS9CSvcAF4QM0Z2+
JWKOPTdqTK00zEl667da4j1uuvA9tAEPTRiKul81heKQSVkNiihhXhkJC3MAv8iy
JFOtodL2KGlHX77xdKkJCIJyvf3psbsy5ZnNFQpODdBc0ZAunuj3TduQZNN+xV8=
=Ucga
-----END PGP SIGNATURE-----
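To make the detection point in the message concrete, here is an added example (not part of the message, the draft, or any SIDN tooling) that runs a toy "suspicious MX share" detector over constructed authoritative query-log lines, once as a zone operator sees full queries today and once after a simplified model of QNAME minimisation (qname cut to the delegation point, qtype replaced by NS, as the message describes; resolver caching is ignored). The log format, the source addresses, the zone `example.` and the thresholds are all assumptions made for the example.

```python
"""Toy detector for the MX-query signal a ccTLD operator might use, and the
effect of QNAME minimisation on it. Everything here is constructed for
illustration; no real log format or real resolver behaviour is implied."""
from collections import Counter

# Constructed sample log: "timestamp source qname qtype", as the authoritative
# for the zone "example." might record it. 10.0.0.1 behaves like an ordinary
# resolver; 10.0.0.2 asks MX for many different names in quick succession.
RAW_LOG = """\
2015-11-11T11:00:01 10.0.0.1 www.shop.example. A
2015-11-11T11:00:02 10.0.0.1 shop.example. MX
2015-11-11T11:00:03 10.0.0.1 mail.shop.example. AAAA
2015-11-11T11:00:04 10.0.0.1 www.bank.example. A
2015-11-11T11:00:05 10.0.0.1 bank.example. TXT
2015-11-11T11:00:06 10.0.0.1 cdn.news.example. A
2015-11-11T11:00:07 10.0.0.2 alpha.example. MX
2015-11-11T11:00:08 10.0.0.2 bravo.example. MX
2015-11-11T11:00:09 10.0.0.2 charlie.example. MX
2015-11-11T11:00:10 10.0.0.2 delta.example. MX
2015-11-11T11:00:11 10.0.0.2 echo.example. MX
2015-11-11T11:00:12 10.0.0.2 www.echo.example. A
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype = line.split()
        records.append((ts, src, qname, qtype))
    return records


def minimise(records, zone_labels=1):
    """Rewrite each query the way a minimising resolver would present it to
    the parent zone: keep only the label directly below the zone apex (plus
    the zone itself) and send qtype NS. zone_labels=1 models a ccTLD-style
    single-label zone; a two-label zone would pass 2. Caching is ignored,
    so every original query still yields one NS query here."""
    out = []
    for ts, src, qname, qtype in records:
        labels = qname.rstrip(".").split(".")
        kept = labels[-(zone_labels + 1):]
        out.append((ts, src, ".".join(kept) + ".", "NS"))
    return out


def mx_share(records):
    """Fraction of each source's queries that carry qtype MX."""
    total, mx = Counter(), Counter()
    for _, src, _, qtype in records:
        total[src] += 1
        if qtype == "MX":
            mx[src] += 1
    return {src: mx[src] / total[src] for src in total}


def flag_spamrun(records, threshold=0.5, min_queries=5):
    """Return sources whose MX share is at or above the threshold, ignoring
    sources with too few queries to judge. Thresholds are assumptions."""
    shares = mx_share(records)
    counts = Counter(src for _, src, _, _ in records)
    return sorted(src for src, share in shares.items()
                  if counts[src] >= min_queries and share >= threshold)


if __name__ == "__main__":
    full = parse_log(RAW_LOG)
    print("full queries, flagged:", flag_spamrun(full))          # ['10.0.0.2']
    print("after minimisation, flagged:", flag_spamrun(minimise(full)))  # []
    print("sample minimised record:", minimise(full)[0])
```

With full queries the detector singles out `10.0.0.2`, because five of its six queries are MX; after minimisation every record reaches the zone as an NS query for the delegation name, so the qtype-based signal disappears and only the set of child names queried remains observable to the operator.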