IETF Logo Mail Archive

Re: [perpass] DNS confidentiality

Phillip Hallam-Baker <hallam@gmail.com> Fri, 27 September 2013 17:05 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 745F411E8162 for <perpass@ietfa.amsl.com>; Fri, 27 Sep 2013 10:05:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bXaTMWBoSVC for <perpass@ietfa.amsl.com>; Fri, 27 Sep 2013 10:05:01 -0700 (PDT)
Received: from mail-la0-x22a.google.com (mail-la0-x22a.google.com [IPv6:2a00:1450:4010:c03::22a]) by ietfa.amsl.com (Postfix) with ESMTP id A7E4721F93F3 for <perpass@ietf.org>; Fri, 27 Sep 2013 10:04:59 -0700 (PDT)
Received: by mail-la0-f42.google.com with SMTP id ep20so2437907lab.29 for <perpass@ietf.org>; Fri, 27 Sep 2013 10:04:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fCXNVr2D6B3yu1aAuiExj0JU1pcjQTA8WcvSxLyoRUA=; b=SSQ5SWWFBo0yS7Yz78GEvglC9zWceqX1F+WZTOtN7ysXgWaiSyb6iwClSTkhY3fYW/ LIonqRhmUP+Z9QYJb1739/OfTMWu0R9RNhXsVK578l8LZeM9KOXePIuIRoHvN/0/xfzr feCmN2r1ex6tdYfiH02270c9A6MLAUBUy2Kdk7bQTO7p7WxnB2dXSxlvh0g7nFA0edUi wnF4NV3awEbr1nVbosvXvfQHO5OCtcw7OJmFfQFbS7aCAH6tA9j1JdZct5Bjd44JSYIp g1SAck6QrH64wy2mZZajkxi9MAJdQ3Roy2JW3TisdPOyd1di4EV9pshub28H/CcZSFfD xiFw==
MIME-Version: 1.0
X-Received: by 10.112.155.39 with SMTP id vt7mr9288095lbb.29.1380301497137; Fri, 27 Sep 2013 10:04:57 -0700 (PDT)
Received: by 10.112.148.165 with HTTP; Fri, 27 Sep 2013 10:04:57 -0700 (PDT)
In-Reply-To: <524340AA.2070400@cs.tcd.ie>
References: <524150C7.2020602@cs.tcd.ie> <1380054665.62304.YahooMailNeo@web125505.mail.ne1.yahoo.com> <alpine.LFD.2.10.1309241708090.11401@bofh.nohats.ca> <1380136736.93860.YahooMailNeo@web125503.mail.ne1.yahoo.com> <alpine.LFD.2.10.1309251523400.2349@bofh.nohats.ca> <524340AA.2070400@cs.tcd.ie>
Date: Fri, 27 Sep 2013 13:04:57 -0400
Message-ID: <CAMm+LwjmOStNEYEiCwmDQsfZsUMN55-ocT0uuDJGQha_RvncrA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="089e0112c1366b808a04e7607cc5"
Cc: perpass <perpass@ietf.org>, Paul Wouters <paul@cypherpunks.ca>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2013 17:05:03 -0000

On Wed, Sep 25, 2013 at 3:59 PM, Stephen Farrell
<stephen.farrell@cs.tcd.ie>wrote:

>
> Hi Paul,
>
> On 09/25/2013 08:34 PM, Paul Wouters wrote:
> >
> > What we don't need though is another dns-like protocol to do so. (and
> > definitely not dnscurve, as it does not support dns data authenticity,
> > only transport security)
>
> You might be right about dnscurve, or maybe not. I dunno
> enough about it yet to be to be honest. But, as you know,
> DNSSEC is where the IETF has placed its bet for DNS data
> origin auth.


+1

I really can't see how DNSCurve would have been practical if it had a clear
field. But now that we have bet on DNSSEC for authenticating the data
within a DNS zone, that is a fixed choice.

We can change some of the offensive parts of the DNSSEC architecture like
the fact that it grants ICANN entire control over who is in the DNS and who
is not. There is no reason that ICANN should have the ability to drop Cuba
or Iran out of the root when Ted Cruz is threatening to filibuster the
deficit ceiling limit rise if the President won't sign a bill forcing the
US corporation to do that.



> Changing that would maybe require a seismic
> shift, so for this discussion I was assuming DNSSEC is the
> answer for data origin auth and just asking if it'd be
> useful to add confidentiality. So, the fact that dnscurve
> doesn't do what DNSSEC does isn't really a compelling
> argument here I think.
>

What we want from a design point of view is a secure mechanism for securing
the channel based on a long term session key. One option for that would be
DTLS. But since all we are doing is signing and encrypting packets under a
long term session key we can achieve the desired end with a much simpler
Kerberos-like scheme.

DTLS is actually a poor choice here because TLS is designed on the
assumption that the DNS layer stuff has already taken place. It uses
certificate chains and PKIX infrastructure that layers over TCP/IP and DNS.



> Cheers,
> S.
>
> PS: Yes, we should all be doing stuff to encourage more
> deployment of DNSSEC, but I think that's a separate
> discussion, for other lists probably, even though DNSSEC
> deployment might make it harder to mount some attacks
> that are used in monitoring.


A replacement for the client-resolver protocol is one of the steps I think
would best help deployment of DNSSEC. That is where much of the difficulty
in making schemes like DANE practical lies.


-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email