[DNSOP] Re: Light weight encrypted DNS proposal

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Thu, 15 August 2024 10:22 UTC

Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30F5DC14F73E for <dnsop@ietfa.amsl.com>; Thu, 15 Aug 2024 03:22:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SPRaklNBg-SL for <dnsop@ietfa.amsl.com>; Thu, 15 Aug 2024 03:22:51 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B044EC14F6E2 for <dnsop@ietf.org>; Thu, 15 Aug 2024 03:22:51 -0700 (PDT)
Received: from [10.0.8.148] (88-100-20-130.rcf.o2.cz [88.100.20.130]) by mail.nic.cz (Postfix) with ESMTPSA id DF22C1C120A; Thu, 15 Aug 2024 12:22:47 +0200 (CEST)
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=vladimir.cunat@nic.cz smtp.mailfrom=vladimir.cunat+ietf@nic.cz
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1723717368; bh=SbQ8VryXLQ71KB78qM1wfxS/Uh7vIHZGbxvYLretgXE=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Reply-To: Subject:To:Cc; b=nArwc7nTjQoyskyeefT/pKpLNoonUiPpnWTEckAcSpmjPqRT1RJWyOarD8Svavs4y 2gI5Y5QSpj9PC5i118E6i6AGAOTLEcJL3l583fyvU8Cl+4HQEX6N0N4j9C0UwwG53P pgMOU75imdPaSkczbTooe958HQs1gTC8a/FoXCZQ=
Content-Type: multipart/alternative; boundary="------------0myDSYsriRKyZMcQo0d8PNSj"
Message-ID: <38e7685e-3f40-4392-8a3c-f1f83c367ef8@nic.cz>
Date: Thu, 15 Aug 2024 12:22:47 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: dnsop@ietf.org
References: <CACWojzWRoVgMzTfu_LtOKEaky+LjqfrtrxjiQCmU3B3dFHVTQw@mail.gmail.com>
Content-Language: cs, en-US
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
In-Reply-To: <CACWojzWRoVgMzTfu_LtOKEaky+LjqfrtrxjiQCmU3B3dFHVTQw@mail.gmail.com>
X-Virus-Scanned: clamav-milter 0.103.10 at mail
X-Virus-Status: Clean
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: DF22C1C120A
X-Spamd-Result: default: False [1.15 / 20.00]; R_MIXED_CHARSET(1.25)[subject]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; TAGGED_RCPT(0.00)[]; ARC_NA(0.00)[]; ASN(0.00)[asn:5610, ipnet:88.100.0.0/15, country:CZ]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RCVD_COUNT_ZERO(0.00)[0]; TO_DN_SOME(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; NEURAL_HAM(-0.00)[-0.787]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; TAGGED_FROM(0.00)[ietf]; FREEMAIL_CC(0.00)[gmail.com]; RCPT_COUNT_THREE(0.00)[4]
X-Spamd-Bar: +
X-Rspamd-Action: no action
Message-ID-Hash: 4WBMNVZLJAFFHNBWJWQRG5M62AVVETS3
X-Message-ID-Hash: 4WBMNVZLJAFFHNBWJWQRG5M62AVVETS3
X-MailFrom: vladimir.cunat+ietf@nic.cz
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "mohit06jan@gmail.com" <mohit06jan@gmail.com>, "ethan.hamadeh@gmail.com" <ethan.hamadeh@gmail.com>, Vint Joseph <vintjoseph871@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Light weight encrypted DNS proposal
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_RIEwPqHoE5xCO6svKgjvoMdE5Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hello.
I think dprive fits the encryption topic better than dnsop?  Anyway, 
some quick thoughts below.

On 15/08/2024 00.06, Vint Joseph wrote:
> using UDP and only one or two packets

I suspect that larger answers will be... a complication.

You could rely on UDP fragmentation, but in that case the amplification 
is unpleasant, as I don't expect a way of validating the client's IP.  
And fragmented UDP often can't pass through anyway IIRC, especially on 
IPv6.  (replay-ability might be OK)  Or would there be fallback on 
another encrypted protocol?


Crypto-agility: you assume that the client knows a public key, i.e. that 
implies the algorithm already.  In that case, you'd have a key that's 
hardcoded in configuration and basically never rotated?  Or you'd use 
some different transport to get the key by name?  (e.g. unencrypted DNS 
with DNSSEC validation, but such bootstrapping isn't very simple)  Or a 
more complicated handshake in case the key isn't known?


Overall I fear that a simple solution won't be able to give good 
properties, unless you just don't care about "edge cases".  I wouldn't 
standardize yet another transport unless it can be shown to give some 
"significant advantage".


--Vladimir | knot-resolver.cz