Re: [DNSOP] confidentialdns draft
"Guangqing Deng" <dengguangqing@cnnic.cn> Sat, 30 November 2013 01:18 UTC
Date: Sat, 30 Nov 2013 09:18:29 +0800
From: "Guangqing Deng" <dengguangqing@cnnic.cn>
To: "Marc Lampo" <marc.lampo.ietf@gmail.com>
References: <20131127114007.GA3082@nic.fr>, <52974462.5030002@nlnetlabs.nl>,
<CAB0C4xNHJQRdQ+PGNJ76E_2JtxpksmvasB-mFqFL1hYnbHhe9Q@mail.gmail.com>,
<52986121.7010309@nlnetlabs.nl>,
<CAB0C4xMj0EYG0n6jJW0DeO+Thxfc9UAsaqiEFXp1YL5P3OUV-g@mail.gmail.com>
Message-ID: <201311300918277070543@cnnic.cn>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] confidentialdns draft
And there is also a public key rolling issue in this scheme, just as with zone KSK rolling in DNSSEC. More consideration is needed to handle this issue since the private key of a DNS domain may be leaked.

Guangqing Deng
CNNIC

From: Marc Lampo
Date: 2013-11-29 18:53
To: W.C.A. Wijngaards
CC: dnsop@ietf.org WG
Subject: Re: [DNSOP] confidentialdns draft

I think the draft is very unclear on this (DNSSEC) point - at least I don't find this statement about the ENCRYPT RR being signed with the private key of example.com.

Anyway: an RRSIG RR holds the name of the domain that signed it in clear text.

Kind regards,

Marc

On Fri, Nov 29, 2013 at 10:40 AM, W.C.A. Wijngaards <wouter@nlnetlabs.nl> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Marc,

In the draft it says to store the ENCRYPT RR in this case at ns.example.com. It would then be signed with the ZSK DNSKEY for example.com, with the normal DNSSEC chain of trust. But again, the authenticated operation is not the main aim of this draft.

Best regards,
Wouter

On 11/29/2013 10:28 AM, Marc Lampo wrote:
> Hello,
>
> (a reaction on the second paragraph of 4. Authenticated Operation, only)
>
> That paragraph states that the ENCRYPT RR can be signed by DNSSEC.
> However, I don't think it is possible!
>
> A signature is the hash of DNS-data-sent, encrypted with the private key.
> But in this case: private key of who? !!! not the root-zone, I hope. ?
> from the domain one is about to send a query for (but the whole idea is
> to hide that kind of information!)
>
> But since this encryption is really between a DNS client and the DNS
> server it is about to query, it should be the "private key of that DNS
> server". But that is not what DNSSEC is about.
>
> Hence, I think ENCRYPT RRs cannot be protected by DNSSEC.
>
> Kind regards,
>
> Marc
>
>
> On Thu, Nov 28, 2013 at 2:25 PM, W.C.A. Wijngaards
> <wouter@nlnetlabs.nl <mailto:wouter@nlnetlabs.nl>> wrote:
>
> Hi,
>
> I also heard that this is the place to discuss DNS privacy.
>
> This draft is a protocol, and represents an (interesting) point in the
> solution space. I would refer to Bortzmeyer's draft and Koch's draft for
> problem space analysis.
>
> http://tools.ietf.org/html/draft-wijngaards-dnsop-confidentialdns-00
>
> It supports opportunistic encryption, i.e. try to encrypt but fall back
> to insecure. This supports deployment immensely, because clean DNS paths
> are uncommon.
>
> It supports stateless operation. It uses UDP.
>
> It supports encryption for stub-to-cache and cache-to-authority.
>
> Best regards, Wouter
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnsop
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSmGEgAAoJEJ9vHC1+BF+NM2MP/3eUycaHd5l3eywpaevDj9HX
z1E7b3+ebH/cLGMAR0KD940aYw7xYlDG/6b83hqeEVdQVxD7ga6VUcOPImbfOX7o
h8AwJif9mFsGaPCFwxMiaGnF/NmdPAt+C9KNB9fNuEKWIGZbNCDjms7KpC6FDTua
JJ6lPLnuuWCiIUEiKbsjOEl2sJ2y8XV48+jvKuYYXc3EOL2tF0+/BiclXSB7Jw3y
YZ9caUU24teNVWU6g24SflxX/WdPRdSGAGFLYmFc2NEWrrXVvhmpmVGl9le/W6Lc
/pycV+yQZEK7NXP1KrAx28GSjlaJ8duKAXgAk8zsw7bEiqMPpzzNx7fp9pkXGbRy
KoEKMiOdnZGnqhIAx4H32ookjWuMnZFGY2FeKL0D3YsR9AgkuVbc+ga7MODwg6JH
62WADFn8DZCzbNOGIc7375FiVpogCZfPOP5BjrN1VTWL6r3jxAClWZABhQ+gEfCt
34+cxl83FaznxkvhK5DBQoQQmVdcitKOywkKgTlCPAd+gXSJ7SzzxrlcC5Vz0Py5
xoRYjPOnFC/Fz3rrLzhFomsISftKeIsvuCRlqsnd/FMzkqwxhUtZuKlUYEJs5qbF
kxv39xcDrAlbpyYvK5o14LKzto9+7/zpWI/js/0A1gWaq62mbpoq67J+UbgYCASk
Ilm/xu2QrnoGLsAS9R3q
=8SfA
-----END PGP SIGNATURE-----
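The thread's central observation is that an RRSIG carries its signer's zone name in clear text, so DNSSEC-signing an ENCRYPT RR at ns.example.com with the example.com ZSK exposes exactly the name the encryption is meant to hide. The following is example code written for this page, not code from the draft or from any of the participants: it serialises and parses RRSIG RDATA per RFC 4034 section 3.1 with the standard library only. The ENCRYPT type code (no IANA assignment exists; a private-use value is used), the key tag and the signature bytes are constructed placeholders.

```python
import struct

# Constructed placeholder: ENCRYPT has no IANA type code, so a value from the
# private-use range (RFC 6895, 65280-65534) stands in for it here.
TYPE_ENCRYPT_PLACEHOLDER = 65280
ALG_ECDSAP256SHA256 = 13  # RFC 6605 algorithm number, 64-byte signatures


def encode_name(name):
    """Encode a dotted DNS name in uncompressed wire format (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed wire-format name; return (name, next_offset).
    RFC 4034 requires the Signer's Name to be uncompressed, so pointers are
    rejected rather than followed."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in RRSIG signer name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_rrsig_rdata(type_covered, algorithm, labels, original_ttl,
                      expiration, inception, key_tag, signer_name, signature):
    """Serialise RRSIG RDATA per RFC 4034 3.1: 18-byte fixed header,
    then the uncompressed signer name, then the raw signature bytes."""
    header = struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                         original_ttl, expiration, inception, key_tag)
    return header + encode_name(signer_name) + signature


def parse_rrsig_rdata(rdata):
    """Parse RRSIG RDATA. Every field except the signature is plaintext;
    no key is needed to read the signer's name or key tag."""
    fields = struct.unpack("!HBBIIIH", rdata[:18])
    signer, offset = decode_name(rdata, 18)
    return {
        "type_covered": fields[0],
        "algorithm": fields[1],
        "labels": fields[2],
        "original_ttl": fields[3],
        "expiration": fields[4],
        "inception": fields[5],
        "key_tag": fields[6],
        "signer_name": signer,
        "signature": rdata[offset:],
    }


def build_sample_rrsig():
    """Constructed RRSIG RDATA for an assumed ENCRYPT RRset at ns.example.com
    signed by the example.com zone. The signature bytes are dummy; nothing
    here verifies, it only shows what is visible on the wire."""
    return build_rrsig_rdata(
        type_covered=TYPE_ENCRYPT_PLACEHOLDER,
        algorithm=ALG_ECDSAP256SHA256,
        labels=3,                    # ns.example.com has three labels
        original_ttl=3600,
        expiration=1388534400,       # 2014-01-01 00:00:00 UTC
        inception=1385769600,        # 2013-11-30 00:00:00 UTC
        key_tag=12345,               # constructed
        signer_name="example.com.",
        signature=bytes(range(64)),  # dummy, not a real signature
    )


def passive_observer_view(rdata):
    """What an on-path observer learns from the RRSIG without any key:
    the signing zone's name and the key tag, both in clear text."""
    parsed = parse_rrsig_rdata(rdata)
    return parsed["signer_name"], parsed["key_tag"]


if __name__ == "__main__":
    sample = build_sample_rrsig()
    signer, tag = passive_observer_view(sample)
    print(f"RRSIG signer name visible on the wire: {signer} (key tag {tag})")
```

The key tag is in the clear as well, which bears on the key-rolling remark above: a rollover of the signing key changes an observable field, so it is visible to the same on-path observer that can read the signer's name.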