Re: [DNSOP] Want to join the IETF 93 Hackathon to work on DNSSEC, DANE or DNS Privacy?

Tom Ritter <tom@ritter.vg> Thu, 02 July 2015 20:20 UTC

In-Reply-To: <33927A87-6ABD-4C9D-844C-07FCB709A35B@isoc.org>
References: <33927A87-6ABD-4C9D-844C-07FCB709A35B@isoc.org>
From: Tom Ritter <tom@ritter.vg>
Date: Thu, 02 Jul 2015 15:20:30 -0500
Message-ID: <CA+cU71mxoJG4g=C-WxL2i_VjphpggFi1rWVHYyPJzO6-trE0ew@mail.gmail.com>
To: Dan York <york@isoc.org>, dkg <dkg@fifthhorseman.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/j09VdCjU4_t8pSz9gpazM01FWIk>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Want to join the IETF 93 Hackathon to work on DNSSEC, DANE or DNS Privacy?

As an idea:  some months ago dkg looked at hooking up unbound to an
upstream resolver over TCP/TLS.  It works, but it isn't ideal right
now.  Our findings:

A) client and server together negotiate TLS 1.2 (that's good!)

B) client doesn't appear to even try to validate the certificate

C) client doesn't hold open connections, but rather does one query per
   connection.  This is a tremendous amount of overhead.

D) server selects TLS_RSA_WITH_AES_256_GCM_SHA384 even though
   client preferred TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or
   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

E) server offers a TLS session ticket each time, and
   client is not re-using the session ticket (or any other abbreviated
   handshake mechanism) that I can tell.


unbound client config:

forward-zone:
    name: "."
    forward-addr: w.x.y.z@443     # upstream resolver's address and TLS port
server:
    ssl-upstream: yes             # wrap queries to the upstream in TLS
    tcp-upstream: yes             # use TCP (not UDP) to the upstream
    # Nothing here names a CA bundle or a pinned certificate for the
    # upstream, so this config gives unbound nothing to validate the
    # server certificate against (finding B above).

unbound server-config:

server:                           # these options must sit under a server: clause
    interface: 0.0.0.0@443
    interface: ::0@443
    access-control: 0.0.0.0/0 allow   # open to everyone: test setup only
    access-control: ::/0 allow        # same for the IPv6 interface above
    ssl-port: 443                     # the port on which unbound speaks TLS
    ssl-service-pem: /etc/unbound/unbound_server.pem
    ssl-service-key: /etc/unbound/unbound_server.key


-tom
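
The probe below is an added example, not code from the original message, from dkg, or from unbound. It exercises the same five points against any DNS-over-TLS server: the TLS context validates the server certificate (so a server whose certificate does not check out fails the handshake, the opposite of finding B), several queries are pipelined over one connection and matched back by ID (finding C), the negotiated suite is classified as forward secret or not (finding D), and a second connection offers the first one's session so `session_reused` shows whether the server honoured it (finding E). Assumptions: Python 3.7 or later, a reachable server (the port defaults to 853, which RFC 7858 assigned to DNS-over-TLS after this thread; the configs above use 443), and a `cafile` argument when the server uses a private or self-signed certificate such as the unbound_server.pem above. The query names are constructed sample input.

```python
"""Probe a DNS-over-TLS upstream for the findings listed in the message.

Added example (not unbound's or the author's code). Assumes Python 3.7+,
a reachable DoT server, and a cafile for a private CA when needed.
"""
import socket
import ssl
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FRAME_LEN = struct.Struct("!H")        # RFC 1035 4.2.2: 2-byte length prefix on TCP/TLS


def build_query(qname, qtype=1, txid=0x1234):
    """Wire-format DNS query: RD set, one question, class IN."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg):
    """Length-prefix one DNS message for a TCP/TLS stream."""
    return FRAME_LEN.pack(len(msg)) + msg


def split_frames(buf):
    """Split a stream buffer into complete messages; return (messages, leftover).

    Needed once several queries share a connection (finding C): responses
    arrive back to back and possibly in a different order than sent.
    """
    msgs = []
    while len(buf) >= 2:
        n = FRAME_LEN.unpack_from(buf)[0]
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def parse_header(msg):
    """Decode the 12-byte DNS header of a response."""
    txid, flags, qd, an, _ns, _ar = DNS_HEADER.unpack_from(msg)
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def forward_secret(cipher, version=None):
    """True if the suite uses ephemeral (EC)DH key exchange (finding D).

    Accepts IANA names (TLS_ECDHE_RSA_WITH_...) and OpenSSL names
    (ECDHE-RSA-AES256-GCM-SHA384). Every TLS 1.3 suite is forward secret.
    """
    if version == "TLSv1.3":
        return True
    name = cipher.upper().replace("-", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    return name.split("_")[0] in ("ECDHE", "DHE")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def read_message(sock):
    (n,) = FRAME_LEN.unpack(_recv_exact(sock, 2))
    return _recv_exact(sock, n)


def probe(host, port=853, qnames=("example.com.", "ietf.org."), cafile=None,
          server_name=None):
    """Two TLS connections, several queries on each; report on B, C, D, E."""
    # create_default_context verifies the chain and the hostname (finding B);
    # a server whose certificate does not validate fails the handshake here.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    report = {"resumed": [], "answered": []}
    session = None
    for _ in range(2):  # the second connection offers the first one's session (E)
        raw = socket.create_connection((host, port), timeout=5)
        with ctx.wrap_socket(raw, server_hostname=server_name or host,
                             session=session) as tls:
            name, version, _bits = tls.cipher()
            report["cipher"], report["version"] = name, version
            report["forward_secret"] = forward_secret(name, version)
            report["resumed"].append(tls.session_reused)
            session = tls.session
            # all queries pipelined on this one connection, IDs 1..n (finding C)
            for i, qname in enumerate(qnames, start=1):
                tls.sendall(frame(build_query(qname, txid=i)))
            answered = 0
            for _ in qnames:
                hdr = parse_header(read_message(tls))
                if hdr["qr"] and 1 <= hdr["id"] <= len(qnames):
                    answered += 1
            report["answered"].append(answered)
    return report


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python3 probe.py <server> [cafile]` (the file name is the reader's choice). A healthy upstream reports `forward_secret: True`, `answered: [2, 2]` (both queries answered on each single connection) and `resumed: [False, True]`; against the unbound server config above, expect `resumed: [False, True]` from the server side but `forward_secret: False` if it still picks the RSA key-exchange suite, and a handshake failure unless the self-signed `unbound_server.pem` is passed as the cafile.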

On 1 July 2015 at 06:43, Dan York <york@isoc.org> wrote:
> DNSOP participants,
>
> Will you be in Prague on the weekend before IETF 93? (Or could you get
> there?)  A number of us will be involved with the hackathon happening on
> Saturday and Sunday:
>
> https://www.ietf.org/registration/MeetingWiki/wiki/93hackathon
>
> Our intent is to work on some tools/services related to DANE, DNSSEC and/or
> DNS privacy - either adding support to existing tools or projects, or
> developing something new that is useful in some way (and is not a duplicate
> of something else).   We don't have specific projects lined up yet  (we need
> to meet and decide what we're going to do)...  but any suggestions are
> certainly welcome.
>
> If you'd like to join for either one or both days, the link to sign up is on
> that hackathon page.   Here's what we wrote as an abstract:
>
> DANE / DNS Privacy / DNSSEC
>
> Contribute to access of end-systems to new developments in DNS
> Protocols: DANE support for webmail, DNS-over-TLS (application uses),
> DNS-over-DTLS (stack and uses), TLSA client certs, client privacy election
> for EDNS client-subnet, getdns language bindings, etc.
> Tools: portable tool for creating and adding DANE RRs to zones, changes to
> existing tools to support new crypto algorithms, etc.
> Measurement: New tools or sites for measuring DNSSEC or DANE deployment
> Available open source libraries: https://github.com/verisign/smaug,
> https://github.com/getdnsapi
> Available environment, support, and diagnostic tools:
> https://dnssec-tools.org, https://www.opendnssec.org
> Champions
>
> Dan York, Internet Society york@isoc.org
> Allison Mankin, Verisign Labs amankin@verisign.com
> Willem Toorop, NLnet Labs
> Sara Dickinson, Sinodun
> Others, TBA
>
> Anyone is welcome to join with us.  The current list of participants is
> here:
> https://www.ietf.org/registration/ietf93/hackathonattendance.py?sortkey=3&login=%0A
> (you can see that some people have listed that they will join in for
> DNS-related topics...)
>
> See (some of) you in Prague,
> Dan
>
> --
> Dan York
> Senior Content Strategist, Internet Society
> york@isoc.org   +1-802-735-1624
> Jabber: york@jabber.isoc.org
> Skype: danyork   http://twitter.com/danyork
>
> http://www.internetsociety.org/
>
>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>