IETF Logo Mail Archive

Re: [DNSOP] DNS privacy draft

"Wiley, Glen" <gwiley@verisign.com> Tue, 10 December 2013 13:33 UTC

Return-Path: <gwiley@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 467AF1ACCEE for <dnsop@ietfa.amsl.com>; Tue, 10 Dec 2013 05:33:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VDeznQTGhyto for <dnsop@ietfa.amsl.com>; Tue, 10 Dec 2013 05:33:21 -0800 (PST)
Received: from exprod6og105.obsmtp.com (exprod6og105.obsmtp.com [64.18.1.189]) by ietfa.amsl.com (Postfix) with ESMTP id 8D07B1ACB4E for <dnsop@ietf.org>; Tue, 10 Dec 2013 05:33:18 -0800 (PST)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob105.postini.com ([64.18.5.12]) with SMTP ID DSNKUqcYGdkrDD8vKONTszASxFTtZ+jwiPlr@postini.com; Tue, 10 Dec 2013 05:33:16 PST
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01.vcorp.ad.vrsn.com [10.173.152.205]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id rBADX8x1004994 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 10 Dec 2013 08:33:12 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0342.003; Tue, 10 Dec 2013 08:33:08 -0500
From: "Wiley, Glen" <gwiley@verisign.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Warren Kumari <warren@kumari.net>
Thread-Topic: [DNSOP] DNS privacy draft
Thread-Index: AQHO62WnIFOWwPZjyU2DiZ1sygMjlZo5h9aAgAACD4CAACMnAIAGcniAgAAPzwCAAAQEgIAABs4AgAAdyQCAAI18AIAAq/8AgAHXTACAChl3AA==
Date: Tue, 10 Dec 2013 13:33:07 +0000
Message-ID: <CECC812C.2D093%gwiley@verisign.com>
In-Reply-To: <20131203222016.GE5689@sources.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.8.130913
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9994224DE03DCE458C43508B96D6A2A3@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] DNS privacy draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Dec 2013 13:33:23 -0000

On 12/3/13 5:20 PM, "Stephane Bortzmeyer" <bortzmeyer@nic.fr> wrote:


>On Mon, Dec 02, 2013 at 01:13:26PM -0500,
> Warren Kumari <warren@kumari.net> wrote
> a message of 35 lines which said:
>
>> > OK. And do note "chaff" may be a by-product of
>> > draft-wkumari-dnsop-hammer.
>> 
>> Um, please explain.
>> 
>> Hammer (and the various similar, actually implemented things) simply
>> trigger lookups a few seconds before the TTL would naturally expire
>> *in response to an incoming query*.
>
>OK, I was too fast, sorry. Hammer itself does not scramble the stream
>of requests. So, I withdraw the reference to Hammer.
>
>Still, sending gratuitous queries, without an incoming query and
>without waiting for the expiration, may be a good strategy for a
>resolver to make traffic analysis more difficult for the eavesdropper
>(or for the authoritative name servers).

I have read and support this draft with a few exceptions:

Large scale authoritative name servers (such as our COM/NET footprint)
already sort through an enormous stream of query data so while the chaff
might sound nifty I can't imagine it having a meaningful effect on the
ability for authoritative servers to analyze traffic until it reaches DOS
volumes.  Even for smaller operators this will certainly force changes to
infrastructure but I question whether it will result in reduced ability to
perform traffic analysis.

The other concern that I have is the idea of recursive resolvers holding
long lived sessions open with the authoritative servers.  This bears
closer analysis but my experience with COM/NET makes me nervous about that
idea.  I'd like to hear how other authoritative name server operators feel
about the implications of long lived TCP connections on their name servers.


>_______________________________________________
>DNSOP mailing list
>DNSOP@ietf.org
>https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email