Re: [DNSOP] DNS privacy draft
"Wiley, Glen" <gwiley@verisign.com> Tue, 10 December 2013 13:33 UTC
From: "Wiley, Glen" <gwiley@verisign.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Warren Kumari <warren@kumari.net>
Date: Tue, 10 Dec 2013 13:33:07 +0000
Message-ID: <CECC812C.2D093%gwiley@verisign.com>
In-Reply-To: <20131203222016.GE5689@sources.org>
Cc: dnsop WG <dnsop@ietf.org>
On 12/3/13 5:20 PM, "Stephane Bortzmeyer" <bortzmeyer@nic.fr> wrote:

>On Mon, Dec 02, 2013 at 01:13:26PM -0500,
> Warren Kumari <warren@kumari.net> wrote
> a message of 35 lines which said:
>
>> > OK. And do note "chaff" may be a by-product of
>> > draft-wkumari-dnsop-hammer.
>>
>> Um, please explain.
>>
>> Hammer (and the various similar, actually implemented things) simply
>> trigger lookups a few seconds before the TTL would naturally expire
>> *in response to an incoming query*.
>
>OK, I was too fast, sorry. Hammer itself does not scramble the stream
>of requests. So, I withdraw the reference to Hammer.
>
>Still, sending gratuitous queries, without an incoming query and
>without waiting for the expiration, may be a good strategy for a
>resolver to make traffic analysis more difficult for the eavesdropper
>(or for the authoritative name servers).

I have read and support this draft with a few exceptions:

Large scale authoritative name servers (such as our COM/NET footprint)
already sort through an enormous stream of query data so while the chaff
might sound nifty I can't imagine it having a meaningful effect on the
ability for authoritative servers to analyze traffic until it reaches DOS
volumes. Even for smaller operators this will certainly force changes to
infrastructure but I question whether it will result in reduced ability
to perform traffic analysis.

The other concern that I have is the idea of recursive resolvers holding
long lived sessions open with the authoritative servers. This bears
closer analysis but my experience with COM/NET makes me nervous about
that idea. I'd like to hear how other authoritative name server
operators feel about the implications of long lived TCP connections on
their name servers.
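The quoted exchange separates Hammer-style prefetch (an early refresh triggered only by an incoming query) from gratuitous chaff (queries sent on a timer regardless of demand), and the objection above is about the load each puts on the authoritative side. As an added example, not code from the thread, the Hammer draft or any real resolver, this toy Python model counts the upstream queries one authoritative server would see under each strategy; the name, TTL, prefetch window and chaff rate are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class Resolver:
    """Toy recursive-resolver cache (constructed model, not a real resolver)."""
    ttl: int                   # TTL the authoritative server hands out, in seconds
    prefetch_window: int = 0   # hammer: refresh when remaining TTL <= this AND a query arrives
    chaff_per_tick: int = 0    # chaff: unrelated upstream queries sent every second, demand or not
    cache: dict = field(default_factory=dict)     # qname -> absolute expiry time
    upstream: list = field(default_factory=list)  # (time, qname) actually sent upstream
    misses: int = 0

    def _fetch(self, now, name):
        self.upstream.append((now, name))
        self.cache[name] = now + self.ttl

    def tick(self, now):
        # Chaff is driven by a timer: it is not caused by, and does not hide, any real query.
        for i in range(self.chaff_per_tick):
            self.upstream.append((now, f"chaff{i}.example"))

    def query(self, now, name):
        """Serve one client query at time `now`; return True if answered from cache."""
        expiry = self.cache.get(name)
        if expiry is None or expiry <= now:
            self.misses += 1
            self._fetch(now, name)        # ordinary cache miss: the client waits for upstream
            return False
        if expiry - now <= self.prefetch_window:
            self._fetch(now, name)        # hammer: refresh early, but only because a query arrived
        return True


def simulate(resolver, name="www.example", seconds=30, interval=1):
    """A client asks for `name` every `interval` seconds; report the load the authoritative sees."""
    for now in range(seconds):
        resolver.tick(now)
        if now % interval == 0:
            resolver.query(now, name)
    return {"upstream": len(resolver.upstream),
            "real": sum(1 for _, q in resolver.upstream if q == name),
            "misses": resolver.misses}


if __name__ == "__main__":
    print("plain  ", simulate(Resolver(ttl=10)))                     # 3 upstream, 3 misses
    print("hammer ", simulate(Resolver(ttl=10, prefetch_window=2)))  # 4 upstream, 1 miss
    print("chaff  ", simulate(Resolver(ttl=10, chaff_per_tick=2)))   # 63 upstream, 3 real
```

Hammer adds one early refresh per TTL window and removes client-visible misses, while chaff multiplies the authoritative's query volume without changing what the real queries reveal, which is the asymmetry the message above points at.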