[DNSOP] Re: Light weight encrypted DNS proposal

"libor.peltan" <libor.peltan@nic.cz> Thu, 15 August 2024 16:09 UTC

Return-Path: <libor.peltan@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9C3C1522A0 for <dnsop@ietfa.amsl.com>; Thu, 15 Aug 2024 09:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0spQfKNPrQc for <dnsop@ietfa.amsl.com>; Thu, 15 Aug 2024 09:09:16 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 136E2C14F71F for <dnsop@ietf.org>; Thu, 15 Aug 2024 09:09:15 -0700 (PDT)
Received: from [IPV6:2001:4c4d:1703:7d00:57c6:b368:b6ba:9203] (20014C4D17037D0057C6B368B6BA9203.dsl.pool.telekom.hu [IPv6:2001:4c4d:1703:7d00:57c6:b368:b6ba:9203]) by mail.nic.cz (Postfix) with ESMTPSA id 980311C118E; Thu, 15 Aug 2024 18:09:12 +0200 (CEST)
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=libor.peltan@nic.cz smtp.mailfrom=libor.peltan@nic.cz
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1723738152; bh=5EIDJ7RcH9fDkNwYihXIfA7s1mlaJdNuOtHShWPkFoM=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Reply-To: Subject:To:Cc; b=VcfhQ3AdI040pzDOiat5r/gd6Yq5Ehj1RMnV0ef4SlJEUFiP/jaH+o7IH2znB46XZ O7DnfPQEfbr4J0jCxrd1Y409NTE/RtbS/1SSh0pSZp06o7rBjMDW0ZGrTQWqeFE6lY J89nCutOMk8LjjWOZI5O8IlOCfbS7IVlxsxU88Ok=
Message-ID: <f34197ab-fdfc-4de0-a759-1d7dd8fa6a6d@nic.cz>
Date: Thu, 15 Aug 2024 18:09:10 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Peter Thomassen <peter@desec.io>, Vint Joseph <vintjoseph871@gmail.com>, dnsop@ietf.org
References: <CACWojzWRoVgMzTfu_LtOKEaky+LjqfrtrxjiQCmU3B3dFHVTQw@mail.gmail.com> <7ac5ae5d-0eaa-48a5-80d5-65df9a15f3c2@desec.io>
Content-Language: en-US
From: "libor.peltan" <libor.peltan@nic.cz>
In-Reply-To: <7ac5ae5d-0eaa-48a5-80d5-65df9a15f3c2@desec.io>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.103.10 at mail
X-Virus-Status: Clean
X-Spamd-Result: default: False [-3.60 / 20.00]; BAYES_HAM(-5.00)[100.00%]; SUSPICIOUS_RECIPS(1.50)[]; MIME_GOOD(-0.10)[text/plain]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; TAGGED_RCPT(0.00)[]; ARC_NA(0.00)[]; ASN(0.00)[asn:5483, ipnet:2001:4c48::/29, country:HU]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_ZERO(0.00)[0]; TO_DN_SOME(0.00)[]; FREEMAIL_TO(0.00)[desec.io,gmail.com,ietf.org]; MID_RHS_MATCH_FROM(0.00)[]; NEURAL_HAM(-0.00)[-0.258]; FROM_HAS_DN(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FREEMAIL_CC(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCPT_COUNT_FIVE(0.00)[5]
X-Rspamd-Action: no action
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: 980311C118E
X-Spamd-Bar: ---
Message-ID-Hash: M5JQCUMJ2GQXR5BUOIWVUNHFAB2JGT5B
X-Message-ID-Hash: M5JQCUMJ2GQXR5BUOIWVUNHFAB2JGT5B
X-MailFrom: libor.peltan@nic.cz
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "mohit06jan@gmail.com" <mohit06jan@gmail.com>, "ethan.hamadeh@gmail.com" <ethan.hamadeh@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Light weight encrypted DNS proposal
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RPgH0vp5HL5Y9z9m6yRp4gHTGlM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi,

it was not declared if this is intended for client-to-resolver DNS or 
resolver-to-authoritative DNS. If the latter, it looks like just another 
method of DoE, and like any of those, can be solvable (only?) by DELEG.

I'd like to see the direct comparison against DoQ. I understand that 
this should be more lightweight. On the other hand, DoQ is already 
invented and being implemented, with some hope to succeed. So I don't 
feel motivated to look around for alternatives.

Libor

Dne 15. 08. 24 v 12:14 Peter Thomassen napsal(a):
> Hi Vint,
>
> On 8/15/24 00:06, Vint Joseph wrote:
>> The core idea/synopsis
>> We plan to implement a system using elliptic curve cryptography. A 
>> preshared key, referred to as the public key G^S, is distributed from 
>> the dns server to the client.
>
> How?
>
> Best,
> Peter
>
>> The server retains the private key S and the corresponding public key 
>> G^S, while the client receives the public key G^S. When the client 
>> needs a DNS response, it generates a key pair consisting of a private 
>> key C and a public key G^C. The client then sends a DNS request 
>> encrypted with the shared key G^CS and includes its public key G^C in 
>> the DNS extension. Upon receiving the public key G^C, the DNS server 
>> computes the shared key G^CS using its private key S and the client's 
>> public key G^C. These are ephemeral keys, ensuring that each DNS 
>> packet has its own session keys. The DNS server responds to the DNS 
>> query and sends the DNS response encrypted using G^CS. If the DNS 
>> server plans to change the keys, then a public key G^S1 is sent to 
>> the client , in the response packet. But these are optimizations 
>> which can be done later.
>> Thank you and I'm looking forward to your feedback!
>>
>> Best regards,
>> Vineeth
>>
>> _______________________________________________
>> DNSOP mailing list -- dnsop@ietf.org
>> To unsubscribe send an email to dnsop-leave@ietf.org
>