Re: [perpass] DNS confidentiality
Phillip Hallam-Baker <hallam@gmail.com> Fri, 27 September 2013 16:51 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E27111E8103 for <perpass@ietfa.amsl.com>; Fri, 27 Sep 2013 09:51:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzuuSaJI1Qdw for <perpass@ietfa.amsl.com>; Fri, 27 Sep 2013 09:51:09 -0700 (PDT)
Received: from mail-lb0-x233.google.com (mail-lb0-x233.google.com [IPv6:2a00:1450:4010:c04::233]) by ietfa.amsl.com (Postfix) with ESMTP id C41DE21F9D52 for <perpass@ietf.org>; Fri, 27 Sep 2013 09:51:08 -0700 (PDT)
Received: by mail-lb0-f179.google.com with SMTP id x18so2441802lbi.24 for <perpass@ietf.org>; Fri, 27 Sep 2013 09:51:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Qk1Ya1dn6PGdBF/SsWsrTd3v8EMd0ljJSkvk0d0sq/4=; b=ewUYLAi2ktneTjK6VdfDTenGryVbcFJ8dlFqRrQA2qM75zBIZ02hgNGCt/puiAswfk uwZaX2iqboFJhd5XsPmfNdmVg5G7mZCGEFl2rx3IH/u73si++uPWrXU4dBEOiL6e7UUB hPQ1X6cWQ7EzLQepID2wYNAYfah9BpNol7j5er2h2tOLyFk9N9iIgQEIhWhBNM7tvSR/ KO1wCi/oqDNsWop2lsRAHF7NcTeT1mgFlatfEs2c2XUyJ5WGz+f9PoDBtiJ+E9drtffm RTFUvy7H5AItZ1eLqNK0l5OdRAiPHW5snq93m0yrlMyujyeJClckKdHWnAOOSODpu95W j68g==
MIME-Version: 1.0
X-Received: by 10.112.128.166 with SMTP id np6mr9396593lbb.7.1380300667715; Fri, 27 Sep 2013 09:51:07 -0700 (PDT)
Received: by 10.112.148.165 with HTTP; Fri, 27 Sep 2013 09:51:07 -0700 (PDT)
In-Reply-To: <524150C7.2020602@cs.tcd.ie>
References: <524150C7.2020602@cs.tcd.ie>
Date: Fri, 27 Sep 2013 12:51:07 -0400
Message-ID: <CAMm+Lwh59w_vjvy+_7w+oRdK1r6QKUoHn=5uWW92TwV7pM733g@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="047d7b343ef2fb895a04e7604aa1"
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2013 16:51:10 -0000
On Tue, Sep 24, 2013 at 4:43 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>wrote: > > Hiya, > > I've not seen mention of this so far here that I recall. > > Even as we improve the security of loads of protocols, there > will still be issues with meta-data monitoring based on > DNS queries for example. This point was sort of raised on > the IETF list e.g. in [1]. > > DNSSEC doesn't provide any confidentiality. There are > proposals that do try do that. > > Do we think this is worth looking at? > If so, anyone up for doing some work on that? > If so, how, or starting from what? > I have been looking at this for over a year now. Does anyone have issues with the following: * The communication between the client and the DNS resolver need not be the same as the protocol between the DNS resolver and the Authoritative servers. * System must offer fault tolerance with the client having access to multiple service points. * Use JSON over HTTP wherever possible * Individual DNS queries MUST result in low latency responses, this limits us to using UDP. * The scheme MUST work in ANY network configuration unless the provider takes explicit steps to block use. Therefore the scheme SHOULD support tunneling over DNS as an option but a clean protocol over UDP is better. * The scheme need not be limited to returning DNS information, if we have a long term security association between a client and a resolution service we can use it for speeding up access to OCSP data and much else if we choose. The above analysis led me to the following conclusion: http://tools.ietf.org/html/draft-hallambaker-omnibroker-06 This does not currently offer the UDP and DNS options but they are what motivated the following proposal: http://tools.ietf.org/html/draft-hallambaker-jsonbcd-00 There are important design differences between this proposal and CBOR. In particular JSON-B is a minimal extension of the JSON framework to add in efficient encoding of strings and binary data while CBOR is a rehash of ASN.1 without the schema. Note that the query currently supported is a replacement for the gethostbyname API call rather than a full DNS interface. The reason for this is that 99% of all applications only perform gethostbyname in the first place. The spec does allow a service to respond with a DNSSEC proof chain as advice on client request. Adding direct DNS queries to the spec is very simple, these can certainly be added if there is a desire for them. I would make one major change however and that is to support multiple DNS queries per request. One of the biggest limitations in the current DNS scheme is that it is only possible to query for one DNS record at a time or the ANY pseudo record which returns everything (and likely forces a TCP switchover). The requests actual applications want to make are things like the following: [example.com ? A, AAAA] [_http._tcp.example.com ? SRV, URI, URI2] Use of extended DNS features would be much easier if a client could tell the resolver to send back data for multiple queries at once. Moving to a pure UDP protocol allows requests and responses to be longer than 500 bytes. It is also possible for a single request packet to return multiple responses. These mean that it is very unlikely that fallback to TCP is ever going to be necessary for client queries where low latency is essential. It is however possible that a complex DNSSEC interaction might require a large amount of response data. -- Website: http://hallambaker.com/
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Andy Wilson
- [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ben Laurie
- Re: [perpass] DNS confidentiality Mark Handley
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Joseph Lorenzo Hall
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality manning bill
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Martin Thomson
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Yoav Nir
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ondřej Surý
- Re: [perpass] DNS confidentiality Michael Richardson
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Dan York
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell