Re: [DNSOP] [perpass] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS
Paul Vixie <paul@redbarn.org> Sat, 15 February 2014 18:08 UTC
From: Paul Vixie <paul@redbarn.org>
Date: Sat, 15 Feb 2014 10:08:30 -0800
To: Watson Ladd <watsonbladd@gmail.com>
Cc: dnsop@ietf.org, perpass@ietf.org, Zi Hu <zihu@usc.edu>
Message-ID: <52FFAD1E.1040509@redbarn.org>
In-Reply-To: <CACsn0cn=B201xpoMLhEpwhj_NRtG64zQQyoS7eCf_8-0cmeHFQ@mail.gmail.com>
References: <CAESS1RPh+UK+r=JzZ9nE_DUqcvNtZiS6TNt1CDN-C0uiU7HP=A@mail.gmail.com> <52FEF407.30405@redbarn.org> <20140215140133.GA6990@sources.org> <CACsn0cn=B201xpoMLhEpwhj_NRtG64zQQyoS7eCf_8-0cmeHFQ@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/c5xwt7xIPMyTo4EJSCzxZ0rAIxQ
Watson Ladd wrote:
> Dear all,
> This proposal has multiple shortcomings compared to DNSCurve.
>
> First off, it says that the rationale for TLS over DNSCurve is simply
> to "take advantage of TLS". I would respectfully submit that DJB can
> do a better job than the TLS committee, and did. Merely adding bolts
> and nuts onto a design is not improving it.

has mr. bernstein's Curve25519 (see http://en.wikipedia.org/wiki/Curve25519) been explicitly validated by other crypto experts? last i knew he was the only one claiming it was correct and strong enough for production use. this matters, because no one person ought to be trusted to get something like this right sans review. mr. bernstein's competence isn't being questioned; it's just the "second set of eyes" requirement for technology at scale.

i'm speaking as an x.509-hater, which means i tend to agree with what you said about committees. as a bolter-onner of many of dns's nuts, including EDNS, i'm ready to quibble with anyone who says DNS has not been improved by the post-1987 work that's been done to it. i won't claim it's gotten prettier, but that's not the only metric for "improvement".

> Secondly, this proposal only works on TCP. This imposes latency and
> state requirements that most people would rather avoid. The use of
> keepalive only addresses computational burden, not state burden, and
> with the DH speed records we have today unnecessary.

my understanding is that this is a hop-by-hop cover protocol for adding confidentiality when needed, and that something like dnssec will still be needed for end-to-end content authenticity. in that sense the tcp requirement isn't itself burdensome, though i will certainly recommend a block-cipher mode so that udp can also be supported. this is not something we can fix with DTLS or SCTP because of the all-pervasive "middlebox problem". even getting EDNS options through has proved difficult; a completely new transport is unthinkable.

> Thirdly, this proposal ignores entirely how to validate the server
> over the TLS connection. Does it need a certificate? Who should be
> allowed to sign it? How should it be validated? DNSSEC provides a PKI,
> and this proposal provides another one. Their interactions will not be
> fun.

see above; i don't think this proposal offers or intends to offer a PKI, merely a hop-by-hop confidentiality option. DNSSEC will still be required.

> Fourthly, there is substantial operational knowledge and deployed,
> working, code implementing DNSCurve. This does not hold for this
> proposal.

dnscurve was offered to the ietf community but it didn't stick for reasons unrelated to this newer proposal. i don't see any sense in comparing their installed bases.

> Sincerely,
> Watson Ladd

warmly,

vixie
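The "TCP only" point in the exchange above concerns the DNS-over-TCP framing that a TLS-wrapped session would inherit: every message carries a two-octet length prefix, and the receiving side must keep a per-connection buffer until a whole message has arrived, which is the state burden Watson refers to. The following is an added example, not code from the draft, from its authors or from either correspondent; it builds a query in DNS wire format, frames it for TCP, and deframes a byte stream that may deliver messages split across or coalesced within segments. Names such as `TcpDeframer` and `build_query` are this example's own choices.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Build a single-question DNS query (RD=1, QCLASS=IN)."""
    # header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit big-endian length (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message exceeds TCP length prefix")
    return struct.pack("!H", len(msg)) + msg

class TcpDeframer:
    """Reassemble length-prefixed DNS messages from an arbitrary byte stream.

    The buffer held here is the per-connection state that a UDP transport
    avoids; a TLS session carries exactly this framing inside the record layer.
    """
    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> list:
        """Append received bytes; return every complete message now available."""
        self.buf += data
        msgs = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # wait for the rest of this message
            msgs.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return msgs

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-octet DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

if __name__ == "__main__":
    q = build_query("example.com")           # constructed sample query
    stream = frame_tcp(q) + frame_tcp(build_query("example.net", qid=2))
    d = TcpDeframer()
    # deliver the stream in awkward pieces, as TCP may
    got = d.feed(stream[:5]) + d.feed(stream[5:40]) + d.feed(stream[40:])
    for m in got:
        print(parse_header(m))
```

Feeding the stream in pieces shows the reassembly logic a DNS-over-TCP (or TLS) endpoint must keep per connection; a UDP endpoint needs none of it, which is the trade-off the two correspondents weigh differently.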