Re: [DNSOP] QUIC for DNS confidentiality (Was: my dnse vision
Tim Wicinski <tjw.ietf@gmail.com> Thu, 06 March 2014 13:49 UTC
Message-ID: <53187CC7.7070907@gmail.com>
Date: Thu, 06 Mar 2014 13:48:55 +0000
From: Tim Wicinski <tjw.ietf@gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop@ietf.org
References: <201403051107.s25B7ext069332@givry.fdupont.fr> <531706EF.3060008@gmail.com> <20140305113307.GA29506@miek.nl> <20140305141951.GC17117@laperouse.bortzmeyer.org>
In-Reply-To: <20140305141951.GC17117@laperouse.bortzmeyer.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/Utae1vfUxxGG-Vogfb_-K1VwqHs
Talked with Jim Roskind who did the QUIC talk back in Vancouver. I include his comments:

----

I actually discussed this in a hallway discussion at the Canada IETF meeting. I think it would fit well, as it has the potential to offer zero-RTT connect (similar to what DNS over UDP effectively supports today), and yet it will better (actually) handle guaranteed delivery, as well as deal with large return packages (DNSSEC).

DNS currently supports (sadly) an amplification attack of about 50x, and in QUIC, we worked hard to control this problem.

It is also nice that it is encrypted.... which means that folks will get some extra privacy, and not reveal (to observers) what they are resolving ;-).

One hassle is that we do try to encrypt/authenticate... and with an IP address only (pointing to the DNS resolver), I don't see a clean way to have a cert providing authentication :-/. I guess you *could* implant (into a client) a combination of both the DNS resolver's IP address, *plus* an expected server name. Fun stuff to ponder ;-).

IMO, interesting, and plausibly nice, fit.

Jim

---------

On 3/5/14, 2:19 PM, Stephane Bortzmeyer wrote:
> On Wed, Mar 05, 2014 at 11:33:07AM +0000,
>  Miek Gieben <miek@miek.nl> wrote
>  a message of 22 lines which said:
>
>> Can't we use QUIC
>> (http://www.ietf.org/proceedings/88/slides/slides-88-tsvarea-10.pdf) ?
>>
>> It seems to me that a lot of use cases covered in dnse are being addressed
>> in this protocol.
>
> It's partly a problem of timing. How long before QUIC is ready and
> implemented?
>
> But you're right, I'll add it to the next version of
> draft-bortzmeyer-dnsop-privacy-sol.
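The two protocol points in Jim's note (the roughly 50x amplification that plain UDP DNS allows, and a transport that "controls this problem" by not trusting a source address it has not validated) are easy to see in code. The following is an added illustration, not code from the thread, from Jim Roskind or from the QUIC project. It builds a constructed ANY query for example.com with a 4096-byte EDNS buffer, answers it with seven 255-byte TXT records, and reports the resulting amplification ratio; it then models a per-source-address send budget of the kind QUIC uses before address validation. The factor of 3 is the value RFC 9000 QUIC eventually adopted and is an assumption here, as are the victim address 198.51.100.7 and the record counts.

```python
"""
Added illustration (not code from the DNSOP thread): measure the UDP
amplification a plain-DNS ANY query can produce, then show the kind of
per-source-address send budget a transport such as QUIC applies before
the peer's claimed address has been validated.
"""
import struct

QTYPE_ANY = 255
QTYPE_TXT = 16
QTYPE_OPT = 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels, then 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_ANY, edns_udp_size: int = 4096) -> bytes:
    """Minimal recursive query plus an EDNS0 OPT record advertising a large UDP
    buffer: the usual shape of a reflection/amplification probe."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # id, RD, qd=1, ar=1
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # root owner name, type OPT, UDP payload size, ext-rcode/version/flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def build_txt_response(query: bytes, qname: str, n_records: int, chunk: bytes = b"A" * 255) -> bytes:
    """Answer `query` with n_records TXT RRs each carrying one `chunk`; the
    owner name is a compression pointer to offset 12 (the question name)."""
    if len(chunk) > 255:
        raise ValueError("a TXT character-string is at most 255 bytes")
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, n_records, 0, 1)  # QR|RD|RA, an=n, ar=1 (OPT)
    qlen = len(encode_name(qname)) + 4                  # name + qtype + qclass
    question = query[12:12 + qlen]                      # echo the question verbatim
    rdata = bytes([len(chunk)]) + chunk
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    return header + question + rr * n_records + opt


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector emits per byte the attacker had to send."""
    return len(response) / len(query)


class AddressValidationBudget:
    """Per-source-address send budget: until a peer has proved it really
    receives at its claimed address, the server may send it at most `factor`
    times the bytes received from that address. factor=3 is what RFC 9000 QUIC
    settled on; it is assumed here purely as the illustrative value."""

    def __init__(self, factor: int = 3):
        self.factor = factor
        self.received: dict[str, int] = {}
        self.sent: dict[str, int] = {}
        self.validated: set[str] = set()

    def on_receive(self, addr: str, nbytes: int) -> None:
        self.received[addr] = self.received.get(addr, 0) + nbytes

    def remaining(self, addr: str) -> int:
        return self.factor * self.received.get(addr, 0) - self.sent.get(addr, 0)

    def try_send(self, addr: str, nbytes: int) -> bool:
        """Return False, sending nothing, if an unvalidated address would exceed its budget."""
        if addr not in self.validated and nbytes > self.remaining(addr):
            return False
        self.sent[addr] = self.sent.get(addr, 0) + nbytes
        return True

    def mark_validated(self, addr: str) -> None:
        """Call once the peer echoed a token only the real holder of `addr`
        could have received (a Retry-style round trip)."""
        self.validated.add(addr)


def simulate(query: bytes, response: bytes, factor: int = 3) -> tuple:
    """Spoofed-source scenario: the attacker forges the victim's address.
    Returns (large answer sent before validation?, sent after validation?)."""
    victim = "198.51.100.7"                 # constructed example address
    budget = AddressValidationBudget(factor)
    budget.on_receive(victim, len(query))
    before = budget.try_send(victim, len(response))   # 40 B in, ~1.9 KB out: refused
    budget.mark_validated(victim)                     # only a genuine client gets here
    after = budget.try_send(victim, len(response))
    return before, after


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_txt_response(q, "example.com", n_records=7)
    print(f"query {len(q)} B, response {len(r)} B, amplification {amplification_factor(q, r):.1f}x")
    print("large answer sent (unvalidated, validated):", simulate(q, r))
```

The first half reproduces the reflector's arithmetic: a 40-byte query yields a 1916-byte answer, about 48x, which is the ballpark Jim cites. The second half is the mitigation in miniature: because the budget is keyed on bytes received from the claimed source, an attacker spoofing a victim's address can extract at most `factor` bytes per byte sent, and the full-size answer only flows after a round trip that the spoofer cannot complete.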