Re: [DNSOP] my dnse vision

Evan Hunt <each@isc.org> Thu, 06 March 2014 17:57 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 738441A00BC for <dnsop@ietfa.amsl.com>; Thu, 6 Mar 2014 09:57:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Level:
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gZkDRCBnLmvp for <dnsop@ietfa.amsl.com>; Thu, 6 Mar 2014 09:57:15 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 599EB1A0040 for <dnsop@ietf.org>; Thu, 6 Mar 2014 09:57:15 -0800 (PST)
Received: from mx.pao1.isc.org (localhost [127.0.0.1]) by mx.pao1.isc.org (Postfix) with ESMTP id 298F2C941E; Thu, 6 Mar 2014 17:57:01 +0000 (UTC) (envelope-from each@isc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=dkim2012; t=1394128631; bh=EDBhXClhaNolLtkxiMxTWIoFQ7/Apw8FyPi8+/brT2Q=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=JVTX4RB3aWR2T5g8miZdOR/y4kXejgV3cZrXeCXaGMdhEQfPkAFBa/rrixJooiPe7 h+Cnm6Hr17KFrSyn7eLy34jGHKRja1oVsqRGVvvXZpbQ2a+djoydxQM8YrJZe63ZU7 545O3/r5tbjXbILEmXwwFMO/4JYUk7ghAqgA5JOw=
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.pao1.isc.org (Postfix) with ESMTPS; Thu, 6 Mar 2014 17:57:01 +0000 (UTC) (envelope-from each@isc.org)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 19A25216C31; Thu, 6 Mar 2014 17:57:01 +0000 (UTC)
Date: Thu, 6 Mar 2014 17:57:01 +0000
From: Evan Hunt <each@isc.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Message-ID: <20140306175701.GE22321@isc.org>
References: <201403051107.s25B7ext069332@givry.fdupont.fr> <02410136-DFE2-42C8-A91E-AA84641AFFCF@ogud.com> <20140305144213.GA19170@laperouse.bortzmeyer.org> <alpine.LSU.2.00.1403051637160.18502@hermes-1.csi.cam.ac.uk> <20140306145020.GA5976@laperouse.bortzmeyer.org> <20140306173132.GD22321@isc.org> <20140306173907.GA29260@nic.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140306173907.GA29260@nic.fr>
User-Agent: Mutt/1.4.2.3i
X-DCC--Metrics: post.isc.org; whitelist
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/uH83wDS6KMl_eahKLTgLu76bs2U
Cc: Tony Finch <dot@dotat.at>, dnsop@ietf.org
Subject: Re: [DNSOP] my dnse vision
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 17:57:16 -0000

On Thu, Mar 06, 2014 at 06:39:07PM +0100, Stephane Bortzmeyer wrote:
> It's a very valid and interesting point but it has not a lot of
> relationship with the privacy issues.

I don't entirely agree: if a MITM can spoof a trusted remote resolver,
then QNAME minimization won't help you.  DNSSEC ensures that you get
legitimate answers; it doesn't ensure that the server on the other
end belongs to someone you trust to keep your queries confidential.

> I suggest that it deserves a
> separate effort, which could start with a nice I-D describing the
> problem statement/analysis (and then to proposed solutions).

I agree it would be appropriate to treat stub-to-resolver channel
security as a separate problem space.

(I will note in passing that I'm intrigued by the CGA-TSIG draft
being circulated by Mr. Raffieh.)

> Unless we want to solve all the security problems of the DNS at once,
> with the same solution?

Oh, I didn't realize it was an option. Yes, that sounds excellent,
please do that.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.