Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS

Paul Wouters <> Sat, 15 February 2014 19:58 UTC

Date: Sat, 15 Feb 2014 14:57:58 -0500 (EST)
From: Paul Wouters <>
To: Stephane Bortzmeyer <>
Cc:, Paul Vixie <>,, Zi Hu <>

On Sat, 15 Feb 2014, Stephane Bortzmeyer wrote:

>> (D)TLS for DNS makes a lot of sense to me.

> I fully agree. But do note we did not discuss yet the alternatives
> (draft-wijngaards-dnsop-confidentialdns, DNScrypt or simply
> IPsec). The BoF "DNS encryption" in London seems a good start

"Simply IPsec"? Bootstrapping DNS from IPsec, which itself relies on DNS, is not
trivial (and the Verisign proposal seems to only deal with nameservers
with access to their reverse DNS, which excludes the DNS servers that
really need the protection, those supplied by DHCP in coffee shops,
and completely lacks understanding of IPsec realities such as NAT-T).

> <> and
> <>.
>> i recommend it be adopted by the working group,
> DNSOP? Some people say it is outside the charter since it is a
> modification of the protocol. I myself am not favorable to an
> ultra-strict interpretation of the charter so I'll hummmmmm with you.

At IETF 87 it was planned to have a discussion at dnsop about this
continued problem of drafts that fall between operations and extensions,
and the fact that dnsext closed down. Nothing happened at IETF 87 or
IETF 88. I hope to see this as an agenda item for dnsop this meeting.

We need a WG to discuss DNS innovation.