Re: [DNSOP] QUIC for DNS confidentiality (Was: my dnse vision

Tim Wicinski <tjw.ietf@gmail.com> Thu, 06 March 2014 13:49 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE0E81A023E for <dnsop@ietfa.amsl.com>; Thu, 6 Mar 2014 05:49:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uxZWNev6NqdB for <dnsop@ietfa.amsl.com>; Thu, 6 Mar 2014 05:49:02 -0800 (PST)
Received: from mail-bk0-x235.google.com (mail-bk0-x235.google.com [IPv6:2a00:1450:4008:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id E67681A01FE for <dnsop@ietf.org>; Thu, 6 Mar 2014 05:49:01 -0800 (PST)
Received: by mail-bk0-f53.google.com with SMTP id r7so688265bkg.40 for <dnsop@ietf.org>; Thu, 06 Mar 2014 05:48:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=S21LhKoIuSCpctkvxf9JIE2XDfHeg4SnQf4nR7rEGMI=; b=0YAPPFkoPWCWXbkGrlpr+aF7B0JCeLH2ErQ16fXHSOKl3z8+su4b3rZPSPjOROi+Bc cMIUI30zBfZ+6VWTTNAbl/3mLNHnl7yIa4zuRy6J5ugj8YdqxFr872CTwwJ+F4GDEPnG nP9+Q1vkXUlXoHV7XaNfpZHW3jjs0G5457h6L48KmLckxdyrItnTx99AlXWT1peu1aTz SrH46YGQ4lpqm3Cv4uw0y/1hk6Ohn4O0LkSdLHfDi2c1YbHVwv5DpQXHG187QPSiMckE anByjJogvQS3m8wVRWOP4vqSBUQXrDf6ECqJSnYG13H+FS9aZlpq1757l9tfo6ObXbJu Wziw==
X-Received: by 10.204.62.129 with SMTP id x1mr303845bkh.129.1394113737524; Thu, 06 Mar 2014 05:48:57 -0800 (PST)
Received: from dhcp-a2ca.meeting.ietf.org (dhcp-a2ca.meeting.ietf.org. [31.133.162.202]) by mx.google.com with ESMTPSA id v12sm9398949bko.17.2014.03.06.05.48.56 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 06 Mar 2014 05:48:56 -0800 (PST)
Message-ID: <53187CC7.7070907@gmail.com>
Date: Thu, 06 Mar 2014 13:48:55 +0000
From: Tim Wicinski <tjw.ietf@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Thunderbird/29.0a2
MIME-Version: 1.0
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop@ietf.org
References: <201403051107.s25B7ext069332@givry.fdupont.fr> <531706EF.3060008@gmail.com> <20140305113307.GA29506@miek.nl> <20140305141951.GC17117@laperouse.bortzmeyer.org>
In-Reply-To: <20140305141951.GC17117@laperouse.bortzmeyer.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/Utae1vfUxxGG-Vogfb_-K1VwqHs
Subject: Re: [DNSOP] QUIC for DNS confidentiality (Was: my dnse vision
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 13:49:06 -0000

Talked with Jim Roskind who did the QUIC talk back in Vancouver.  I 
include his comments:

----

I actually discussed this in a hallway discussion at the Canada IETF 
meeting.

I think it would fit well, as it has the potential to offer zero-RTT 
connect (similar to what DNS over UDP effectively supports today), and 
yet it will better (actually) handle guaranteed delivery, as well as 
deal with large return packages (DNS Sec).  DNS currently supports 
(sadly) an amplification attack of about 50x, and in QUIC, we worked 
hard to control this problem.

IT is also nice that it is encrypted.... which means that folks will get 
some extra privacy, and not reveal (to observers) what they are 
resolving ;-).

One hassle is that we do try to encrypt/authenticate... and with an IP 
address only (pointing to the DNS resolver), I don't see a clean way to 
have a cert providing authentication :-/.  I guess you *could* implant 
(into a client) a combination of both the  DNS resolver's IP address, 
*plus* an expected server name.  Fun stuff to ponder ;-).

IMO, interesting, and plausibly nice, fit.

Jim

---------
On 3/5/14, 2:19 PM, Stephane Bortzmeyer wrote:
> On Wed, Mar 05, 2014 at 11:33:07AM +0000,
>   Miek Gieben <miek@miek.nl> wrote
>   a message of 22 lines which said:
>
>> Can't we use QUIC
>> (http://www.ietf.org/proceedings/88/slides/slides-88-tsvarea-10.pdf) ?
>>
>> It seems to me that a lot of use cases covered in dnse are being addressed
>> in this protocol.
> It's partly a problem of timing. How long before QUIC is ready and
> implemented?
>
> But you're right, I'll add it to the next version of
> draft-bortzmeyer-dnsop-privacy-sol.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop