Re: [perpass] DNS confidentiality
Phillip Hallam-Baker <hallam@gmail.com> Fri, 27 September 2013 17:05 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 745F411E8162 for <perpass@ietfa.amsl.com>; Fri, 27 Sep 2013 10:05:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bXaTMWBoSVC for <perpass@ietfa.amsl.com>; Fri, 27 Sep 2013 10:05:01 -0700 (PDT)
Received: from mail-la0-x22a.google.com (mail-la0-x22a.google.com [IPv6:2a00:1450:4010:c03::22a]) by ietfa.amsl.com (Postfix) with ESMTP id A7E4721F93F3 for <perpass@ietf.org>; Fri, 27 Sep 2013 10:04:59 -0700 (PDT)
Received: by mail-la0-f42.google.com with SMTP id ep20so2437907lab.29 for <perpass@ietf.org>; Fri, 27 Sep 2013 10:04:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fCXNVr2D6B3yu1aAuiExj0JU1pcjQTA8WcvSxLyoRUA=; b=SSQ5SWWFBo0yS7Yz78GEvglC9zWceqX1F+WZTOtN7ysXgWaiSyb6iwClSTkhY3fYW/ LIonqRhmUP+Z9QYJb1739/OfTMWu0R9RNhXsVK578l8LZeM9KOXePIuIRoHvN/0/xfzr feCmN2r1ex6tdYfiH02270c9A6MLAUBUy2Kdk7bQTO7p7WxnB2dXSxlvh0g7nFA0edUi wnF4NV3awEbr1nVbosvXvfQHO5OCtcw7OJmFfQFbS7aCAH6tA9j1JdZct5Bjd44JSYIp g1SAck6QrH64wy2mZZajkxi9MAJdQ3Roy2JW3TisdPOyd1di4EV9pshub28H/CcZSFfD xiFw==
MIME-Version: 1.0
X-Received: by 10.112.155.39 with SMTP id vt7mr9288095lbb.29.1380301497137; Fri, 27 Sep 2013 10:04:57 -0700 (PDT)
Received: by 10.112.148.165 with HTTP; Fri, 27 Sep 2013 10:04:57 -0700 (PDT)
In-Reply-To: <524340AA.2070400@cs.tcd.ie>
References: <524150C7.2020602@cs.tcd.ie> <1380054665.62304.YahooMailNeo@web125505.mail.ne1.yahoo.com> <alpine.LFD.2.10.1309241708090.11401@bofh.nohats.ca> <1380136736.93860.YahooMailNeo@web125503.mail.ne1.yahoo.com> <alpine.LFD.2.10.1309251523400.2349@bofh.nohats.ca> <524340AA.2070400@cs.tcd.ie>
Date: Fri, 27 Sep 2013 13:04:57 -0400
Message-ID: <CAMm+LwjmOStNEYEiCwmDQsfZsUMN55-ocT0uuDJGQha_RvncrA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="089e0112c1366b808a04e7607cc5"
Cc: perpass <perpass@ietf.org>, Paul Wouters <paul@cypherpunks.ca>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2013 17:05:03 -0000
On Wed, Sep 25, 2013 at 3:59 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>wrote: > > Hi Paul, > > On 09/25/2013 08:34 PM, Paul Wouters wrote: > > > > What we don't need though is another dns-like protocol to do so. (and > > definitely not dnscurve, as it does not support dns data authenticity, > > only transport security) > > You might be right about dnscurve, or maybe not. I dunno > enough about it yet to be to be honest. But, as you know, > DNSSEC is where the IETF has placed its bet for DNS data > origin auth. +1 I really can't see how DNSCurve would have been practical if it had a clear field. But now that we have bet on DNSSEC for authenticating the data within a DNS zone, that is a fixed choice. We can change some of the offensive parts of the DNSSEC architecture like the fact that it grants ICANN entire control over who is in the DNS and who is not. There is no reason that ICANN should have the ability to drop Cuba or Iran out of the root when Ted Cruz is threatening to filibuster the deficit ceiling limit rise if the President won't sign a bill forcing the US corporation to do that. > Changing that would maybe require a seismic > shift, so for this discussion I was assuming DNSSEC is the > answer for data origin auth and just asking if it'd be > useful to add confidentiality. So, the fact that dnscurve > doesn't do what DNSSEC does isn't really a compelling > argument here I think. > What we want from a design point of view is a secure mechanism for securing the channel based on a long term session key. One option for that would be DTLS. But since all we are doing is signing and encrypting packets under a long term session key we can achieve the desired end with a much simpler Kerberos-like scheme. DTLS is actually a poor choice here because TLS is designed on the assumption that the DNS layer stuff has already taken place. It uses certificate chains and PKIX infrastructure that layers over TCP/IP and DNS. > Cheers, > S. > > PS: Yes, we should all be doing stuff to encourage more > deployment of DNSSEC, but I think that's a separate > discussion, for other lists probably, even though DNSSEC > deployment might make it harder to mount some attacks > that are used in monitoring. A replacement for the client-resolver protocol is one of the steps I think would best help deployment of DNSSEC. That is where much of the difficulty in making schemes like DANE practical lies. -- Website: http://hallambaker.com/
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Andy Wilson
- [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ben Laurie
- Re: [perpass] DNS confidentiality Mark Handley
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Joseph Lorenzo Hall
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality manning bill
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Martin Thomson
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Yoav Nir
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ondřej Surý
- Re: [perpass] DNS confidentiality Michael Richardson
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Dan York
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell