Re: [DNSOP] my dnse vision

Tony Finch <dot@dotat.at> Mon, 10 March 2014 18:59 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 640A61A04AA for <dnsop@ietfa.amsl.com>; Mon, 10 Mar 2014 11:59:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id btaU6VHfUUFO for <dnsop@ietfa.amsl.com>; Mon, 10 Mar 2014 11:59:32 -0700 (PDT)
Received: from ppsw-41.csi.cam.ac.uk (ppsw-41-v6.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f41]) by ietfa.amsl.com (Postfix) with ESMTP id 541B31A050E for <dnsop@ietf.org>; Mon, 10 Mar 2014 11:59:29 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:41335) by ppsw-41.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpa (EXTERNAL:fanf2) id 1WN5Q3-0000Hq-S0 (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 10 Mar 2014 18:59:23 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1WN5Q3-0006z3-Jg (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 10 Mar 2014 18:59:23 +0000
Date: Mon, 10 Mar 2014 18:59:23 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Phillip Hallam-Baker <hallam@gmail.com>
In-Reply-To: <CAMm+LwhnDGJftdSZMyOHi3kjocP6Pw=NOtCNQr5Kr+pOmaL1zg@mail.gmail.com>
Message-ID: <alpine.LSU.2.00.1403101852540.13302@hermes-1.csi.cam.ac.uk>
References: <201403051107.s25B7ext069332@givry.fdupont.fr> <02410136-DFE2-42C8-A91E-AA84641AFFCF@ogud.com> <20140305144213.GA19170@laperouse.bortzmeyer.org> <alpine.LSU.2.00.1403051637160.18502@hermes-1.csi.cam.ac.uk> <20140306145020.GA5976@laperouse.bortzmeyer.org> <alpine.LSU.2.00.1403101654150.18502@hermes-1.csi.cam.ac.uk> <CAMm+LwjSdvpKKm-nWbx0AUavcGyANkT+mw-FLQQp_R1nEtf==Q@mail.gmail.com> <alpine.LSU.2.00.1403101737520.13302@hermes-1.csi.cam.ac.uk> <CAMm+LwhnDGJftdSZMyOHi3kjocP6Pw=NOtCNQr5Kr+pOmaL1zg@mail.gmail.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/ebZYMTTvyuWogce9JcsbJVwvGsE
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] my dnse vision
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Mar 2014 18:59:34 -0000

Phillip Hallam-Baker <hallam@gmail.com> wrote:
> On Mon, Mar 10, 2014 at 1:44 PM, Tony Finch <dot@dotat.at> wrote:
> >
> > > Resolver has no session key on file so it sends the request in plaintext.
> >
> > This leakage is bad expecially for recursors with few users and / or
> > queries for infrequently visited domains.
>
> If a Russian citizen is visiting Putler.com and the authoritative for that
> zone only has that entry and nothing else, then traffic analysis is going
> to give away the request subject.

That does not imply we should make it easy for attackers in other
situations.

> > > It can however be alerted to support for the security protocol in the
> > > DNSSEC information for the zone.
> >
> > This is a bad idea because it makes partial deployment difficult - e.g.
> > staged roll-out of encryption. DNSSEC information is per-zone but
> > encryption has to be per-server.
>
> I can't see the point of a partial rollout of encryption at an
> authoritative.

It is a natural consequence of cautious deployment. Also, a zone has
multiple authoritative servers, so the partial roll-out I was talking
about is partial per-zone not partial per-server. Which is why the
encryption flag has to be per-server not per-zone as you suggested.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Hebrides: South or southwest 5 to 7, increasing gale 8 for a time in
northwest. Moderate or rough, becoming very rough in northwest. Mainly fair.
Moderate or good, occasionally poor later.