Re: [perpass] DNS confidentiality
"Wiley, Glen" <gwiley@verisign.com> Wed, 13 November 2013 16:21 UTC
Return-Path: <gwiley@verisign.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D58621E8143 for <perpass@ietfa.amsl.com>; Wed, 13 Nov 2013 08:21:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level:
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_23=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zgzPHn785H3P for <perpass@ietfa.amsl.com>; Wed, 13 Nov 2013 08:21:41 -0800 (PST)
Received: from exprod6og125.obsmtp.com (exprod6og125.obsmtp.com [64.18.1.218]) by ietfa.amsl.com (Postfix) with ESMTP id 4F23721E80A9 for <perpass@ietf.org>; Wed, 13 Nov 2013 08:21:38 -0800 (PST)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob125.postini.com ([64.18.5.12]) with SMTP ID DSNKUoOnDCqnqJXiUrL2lcvU31hBceG+MU6u@postini.com; Wed, 13 Nov 2013 08:21:39 PST
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01.vcorp.ad.vrsn.com [10.173.152.255]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id rADGLSQ8008854 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 13 Nov 2013 11:21:28 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0342.003; Wed, 13 Nov 2013 11:21:26 -0500
From: "Wiley, Glen" <gwiley@verisign.com>
To: Ted Hardie <ted.ietf@gmail.com>, Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [perpass] DNS confidentiality
Thread-Index: AQHO3tdpEyY4uADSC0SfyXgM4tps8ZogamiAgAGvn4CAAJf+gIAA+6eA//+tbwA=
Date: Wed, 13 Nov 2013 16:21:26 +0000
Message-ID: <CEA910D4.26418%gwiley@verisign.com>
In-Reply-To: <CA+9kkMCUaVJSzisvePLWbNPh0_5HcrsWg+-OR_EgvoB8Y2KaBw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.8.130913
x-originating-ip: [10.173.152.4]
Content-Type: multipart/alternative; boundary="_000_CEA910D426418gwileyverisigncom_"
MIME-Version: 1.0
Cc: perpass <perpass@ietf.org>, Stephane Bortzmeyer <bortzmeyer@nic.fr>, Andy Wilson <andrewgwilson@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2013 16:21:48 -0000
While I certainly support the idea of confidential DNS, I wonder whether it is a good idea to impose the overhead involved in TLS on the high volume name servers? -- Glen Wiley KK4SFV Sr. Engineer The Hive, Verisign, Inc. From: Ted Hardie <ted.ietf@gmail.com<mailto:ted.ietf@gmail.com>> Date: Wednesday, November 13, 2013 11:16 AM To: Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>> Cc: "Wiley, Glen" <gwiley@verisign.com<mailto:gwiley@verisign.com>>, perpass <perpass@ietf.org<mailto:perpass@ietf.org>>, Stephane Bortzmeyer <bortzmeyer@nic.fr<mailto:bortzmeyer@nic.fr>>, Andy Wilson <andrewgwilson@gmail.com<mailto:andrewgwilson@gmail.com>>, Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> Subject: Re: [perpass] DNS confidentiality On Tue, Nov 12, 2013 at 5:16 PM, Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>> wrote: On 12 November 2013 08:12, Ted Hardie <ted.ietf@gmail.com<mailto:ted.ietf@gmail.com>> wrote: > The DNS query tells you which resource was the target even if the HTTP flow > was protected by TLS. In practice, since server name indication is sent in the clear, even this doesn't help. Unless you are running a browser from 2001, you are sending SNI. That said, SNI may be pushed into an encrypted payload in TLS 1.3. The challenge there is that servers often use SNI to select what credentials to offer. True; I'd been thinking about the blogspot-style use cases where you get an initial negotiation at one name followed by a large set of alternate names, but that's not the common case. The VPN case is still an issue, though. Having read through the rest of the thread, pushing SNI into the encrypted portion of TLS in 1.3 seems like a good thing to do. Ted
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Andy Wilson
- [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ben Laurie
- Re: [perpass] DNS confidentiality Mark Handley
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Joseph Lorenzo Hall
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality manning bill
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Martin Thomson
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Yoav Nir
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ondřej Surý
- Re: [perpass] DNS confidentiality Michael Richardson
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Dan York
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell