Re: [DNSOP] Last Call: <draft-ietf-dnsop-qname-minimisation-07.txt> (DNS query name minimisation to improve privacy) to Experimental RFC
Maarten Wullink <maarten.wullink@sidn.nl> Wed, 11 November 2015 11:33 UTC
To: dnsop@ietf.org
References: <20151110024851.30496.62673.idtracker@ietfa.amsl.com> <20151111102301.GA25848@sources.org>
From: Maarten Wullink <maarten.wullink@sidn.nl>
Message-ID: <56432767.8040800@sidn.nl>
Date: Wed, 11 Nov 2015 12:32:55 +0100
In-Reply-To: <20151111102301.GA25848@sources.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/JW_8MATH6SCLziE9XuejBWDR4sQ>
I just read your draft about qname minimisation again and I discovered that besides limiting the number of labels the resolver is sending to the authoritative it also proposes to replace the qtype with "NS" when sending queries to authoritatives.

This is understandable for privacy concerns but it also makes it impossible (or at least much more difficult) to perform security analysis at the vantage point of the authoritative server operator such as a ccTLD. Detecting spam runs when the MX count/percentage is suspicious is a use case that will no longer be possible. Other security detection algorithms will probably also suffer.

Is this something the group discussed? And maybe something you want to add to the security section of the draft?

Cheers,
Maarten

On 11-11-15 at 11:23, Stephane Bortzmeyer wrote:
> On Mon, Nov 09, 2015 at 06:48:51PM -0800, The IESG
> <iesg-secretary@ietf.org> wrote a message of 35 lines which said:
>
>> The IESG plans to make a decision in the next few weeks, and
>> solicits final comments on this action. Please send substantive
>> comments to the ietf@ietf.org mailing lists by 2015-11-23.
>
> I have the personal feeling that documents with intended status
> "Experimental" require more or less the same quantity of efforts
> and scrutiny as the ones intended for the standards track :-(

-- 
Maarten Wullink | Research Engineer
SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 45 | M +31 (0)6 21 26 87 55 | F +31 (0)26 352 55 05
maarten.wullink@sidn.nl | www.sidn.nl
pgp key: http://pgp.mit.edu/pks/lookup?op=get&search=0x4F2A495C4B1BF08B
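The "suspicious MX percentage" heuristic the post describes, and what happens to its signal once a resolver applies qname minimisation as the post characterises it (one label below the zone, qtype NS), as an added Python example that is not part of the original message or of the draft. The log format, source addresses, zone name and threshold are constructed assumptions.

```python
# Added example (not from the mailing-list post): simulate what a ccTLD
# authoritative operator sees before and after QNAME minimisation, and how
# an "MX ratio per source" heuristic (the spam-run detector the post mentions)
# loses its signal when the resolver sends qtype NS for the truncated name.
# Log format, source addresses, zone and threshold are constructed assumptions.
from collections import Counter

ZONE = "example."  # constructed: the TLD zone the operator serves

# Constructed sample log lines: "<source> <qname> <qtype>" as seen at the TLD.
SAMPLE_LOG = """\
198.51.100.7 mail.alpha.example. MX
198.51.100.7 mail.beta.example. MX
198.51.100.7 mail.gamma.example. MX
198.51.100.7 www.delta.example. A
203.0.113.9 www.alpha.example. A
203.0.113.9 www.beta.example. AAAA
203.0.113.9 mail.beta.example. MX
"""

def parse_log(text):
    """Parse constructed log lines into (source, qname, qtype) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def minimise(qname, qtype, zone=ZONE):
    """Minimisation as the post describes it: the zone's servers are asked
    only for the next label below the zone, with qtype NS, instead of the
    full name and the original qtype (the original qtype is discarded)."""
    labels = qname[: -len(zone)].rstrip(".").split(".")
    return labels[-1] + "." + zone, "NS"

def mx_ratio_per_source(records):
    """Fraction of each source's queries that carry qtype MX."""
    total, mx = Counter(), Counter()
    for src, _qname, qtype in records:
        total[src] += 1
        if qtype == "MX":
            mx[src] += 1
    return {src: mx[src] / total[src] for src in total}

def suspicious_sources(records, threshold=0.5):
    """Sources whose MX ratio exceeds the (constructed) threshold."""
    return sorted(s for s, r in mx_ratio_per_source(records).items() if r > threshold)

def minimised_view(records):
    """The same queries as the TLD would see them under minimisation."""
    return [(src,) + minimise(q, t) for src, q, t in records]
```

Running `suspicious_sources` on the raw log flags the MX-heavy source, while the minimised view of the same traffic is all NS queries and flags nothing.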