Re: [perpass] DNS confidentiality

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 25 September 2013 20:00 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28D5421F9E0B for <perpass@ietfa.amsl.com>; Wed, 25 Sep 2013 13:00:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cQXGsrFSQIfZ for <perpass@ietfa.amsl.com>; Wed, 25 Sep 2013 13:00:10 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id BE8DC21F9E50 for <perpass@ietf.org>; Wed, 25 Sep 2013 13:00:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8A899BE62; Wed, 25 Sep 2013 21:00:00 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 24XA13UzrK7P; Wed, 25 Sep 2013 20:59:59 +0100 (IST)
Received: from [10.87.48.9] (unknown [86.41.52.135]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 34948BE5B; Wed, 25 Sep 2013 20:59:59 +0100 (IST)
Message-ID: <524340AA.2070400@cs.tcd.ie>
Date: Wed, 25 Sep 2013 20:59:38 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Paul Wouters <paul@cypherpunks.ca>
References: <524150C7.2020602@cs.tcd.ie> <1380054665.62304.YahooMailNeo@web125505.mail.ne1.yahoo.com> <alpine.LFD.2.10.1309241708090.11401@bofh.nohats.ca> <1380136736.93860.YahooMailNeo@web125503.mail.ne1.yahoo.com> <alpine.LFD.2.10.1309251523400.2349@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1309251523400.2349@bofh.nohats.ca>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 20:00:40 -0000

Hi Paul,

On 09/25/2013 08:34 PM, Paul Wouters wrote:
> 
> What we don't need though is another dns-like protocol to do so. (and
> definitely not dnscurve, as it does not support dns data authenticity,
> only transport security)

You might be right about dnscurve, or maybe not. I dunno
enough about it yet to be honest. But, as you know,
DNSSEC is where the IETF has placed its bet for DNS data
origin auth. Changing that would maybe require a seismic
shift, so for this discussion I was assuming DNSSEC is the
answer for data origin auth and just asking if it'd be
useful to add confidentiality. So, the fact that dnscurve
doesn't do what DNSSEC does isn't really a compelling
argument here I think.

Cheers,
S.

PS: Yes, we should all be doing stuff to encourage more
deployment of DNSSEC, but I think that's a separate
discussion, for other lists probably, even though DNSSEC
deployment might make it harder to mount some attacks
that are used in monitoring.