Howdy,
A couple of questions. First, the document appears to say that the stub
gets the public key of the recursive resolver from the certificate
authority infrastructure, and it cites RFC 5280; that would tell you how to
identify a public key from within a cert, but I'm not clear on how you
expect the stub to get the cert. Can you explain?
Second, the draft says this:

   If the query name is very common and not
   relating to user privacy, the stub resolver can do name resolution
   through traditional unencrypted way and thus does not need to
   implement the approach proposed in this draft. While if the query
   name relates to user privacy, the stub resolver can use the method
   presented in this draft to encrypt the DNS queries. And accordingly,
   the recursive server also encrypts the DNS response with the public
   key extracted from the DNS query.

This provides a flag to attackers on what traffic is "sensitive" and should
be avoided. Also, the draft does not suggest the rate at which the stub
should change its associated public key, but it clearly should do so or it
will create a long-lived association of identity with the queries that
impacts privacy.
It's also not clear to me, given that the stub public key is sent in the
query to the recursive resolver, how you avoid an attacker standing up a
back-to-back user agent which strips that option, substitutes its own
public key, gets the data and then passes it on. (It may be, of course,
that this attack is out of scope).
thanks again,
Ted
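The substitution Ted describes in his last point, played out end to end as an added example; this is illustrative Go written for this page, not code from the draft or from anyone on the thread. It assumes the layout the abstract implies, with the stub's public key travelling in the clear in the additional section, and uses RSA-OAEP to stand in for whatever public-key encryption the draft intends. The `bind` option, which seals a hash of the stub key inside the encrypted query so the recursive can detect the swap, is a hypothetical hardening added here and not something the draft specifies; the query name and the answer are constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Message is one DNS message in the layout assumed here: the question or answer is
// RSA-OAEP encrypted to the peer's key, and the stub's own public key rides in the
// additional section in the clear (an assumption; the thread does not say).
type Message struct {
	Ciphertext []byte // RSA-OAEP(SHA-256) of the query name or of the answer
	StubPubKey []byte // DER (PKIX) stub public key from the additional section, unprotected
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func seal(pub *rsa.PublicKey, pt []byte) []byte { return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)) }
func open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil) }
func pubDER(k *rsa.PrivateKey) []byte { return must(x509.MarshalPKIXPublicKey(&k.PublicKey)) }
func parseRSA(der []byte) *rsa.PublicKey { return must(x509.ParsePKIXPublicKey(der)).(*rsa.PublicKey) }
func gen() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Long-lived keys for the stub, the recursive and the attacker (constructed once).
var stubKey, recursiveKey, attackerKey = gen(), gen(), gen()

// StubQuery encrypts the query name to the recursive's key. With bind=true the
// payload is prefixed with SHA-256 of the stub key (a hypothetical hardening, not
// something the draft specifies), tying the cleartext key to the encrypted query.
func StubQuery(stub *rsa.PrivateKey, recursivePub *rsa.PublicKey, name string, bind bool) Message {
	der, payload := pubDER(stub), []byte(name)
	if bind {
		sum := sha256.Sum256(der)
		payload = append(sum[:], payload...)
	}
	return Message{Ciphertext: seal(recursivePub, payload), StubPubKey: der}
}

// RecursiveAnswer decrypts the query and encrypts the answer to whatever key the
// additional section carries; with bind=true it first checks that key against the hash.
func RecursiveAnswer(recursive *rsa.PrivateKey, q Message, bind bool, lookup func(string) string) (Message, error) {
	name, err := open(recursive, q.Ciphertext)
	if err != nil {
		return Message{}, err
	}
	if bind {
		want := sha256.Sum256(q.StubPubKey)
		if len(name) < sha256.Size || !bytes.Equal(want[:], name[:sha256.Size]) {
			return Message{}, errors.New("additional-section key does not match the key bound in the query")
		}
		name = name[sha256.Size:]
	}
	return Message{Ciphertext: seal(parseRSA(q.StubPubKey), []byte(lookup(string(name))))}, nil
}

// B2BUA is the on-path attacker from the thread: it swaps in its own key on the way
// in, then decrypts the answer and re-encrypts it to the real stub key on the way out.
type B2BUA struct {
	key      *rsa.PrivateKey
	realStub []byte
}

func (b *B2BUA) ForwardQuery(q Message) Message {
	b.realStub = q.StubPubKey
	return Message{Ciphertext: q.Ciphertext, StubPubKey: pubDER(b.key)}
}

// ForwardResponse returns the answer the attacker read and the message the stub gets.
func (b *B2BUA) ForwardResponse(r Message) (string, Message) {
	answer := must(open(b.key, r.Ciphertext))
	return string(answer), Message{Ciphertext: seal(parseRSA(b.realStub), answer)}
}

// Run plays one exchange through the attacker and returns what the attacker read and
// what the stub decrypted; a non-nil error means the recursive refused the query.
func Run(bind bool) (leaked, stubSees string, err error) {
	mitm := &B2BUA{key: attackerKey}
	lookup := func(n string) string { return n + " A 192.0.2.1" } // constructed answer
	q := StubQuery(stubKey, &recursiveKey.PublicKey, "private.example.", bind)
	resp, err := RecursiveAnswer(recursiveKey, mitm.ForwardQuery(q), bind, lookup)
	if err != nil {
		return "", "", err
	}
	leaked, fwd := mitm.ForwardResponse(resp)
	plain, err := open(stubKey, fwd.Ciphertext)
	return leaked, string(plain), err
}

func main() {
	fmt.Println(Run(false)) // attacker and stub both read the answer, no error
	fmt.Println(Run(true))  // recursive rejects the swapped key
}
```

Run(false) hands the same answer to the attacker and to the stub with no error, which is the point of the attack: the query was encrypted to the real recursive, the response arrives under the stub's own key, and nothing the stub can see distinguishes the relayed exchange from a direct one. Run(true) fails inside the recursive, because the hash sealed with the query names the stub's key while the additional section now carries the attacker's.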
On Mon, Jul 6, 2015 at 11:16 PM, Jiankang Yao <[email protected]> wrote:
> Dear all,
>
> We have uploaded a draft (below) about encryption of message through PKI
> mechanism over UDP.
>
> any comments are welcome.
>
> *From:* internet-drafts <[email protected]>
> *Date:* 2015-07-02 17:30
>
>
> A new version of I-D, draft-zuo-dprive-encryption-over-udp-00.txt
> has been successfully submitted by Jiankang Yao and posted to the
> IETF repository.
>
> Name: draft-zuo-dprive-encryption-over-udp
> Revision: 00
> Title: Approach on encrypting DNS message over UDP
> Document date: 2015-07-02
> Group: Individual Submission
> Pages: 10
> URL:
> https://www.ietf.org/internet-drafts/draft-zuo-dprive-encryption-over-udp-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-zuo-dprive-encryption-over-udp/
> Htmlized:
> https://tools.ietf.org/html/draft-zuo-dprive-encryption-over-udp-00
>
>
> Abstract:
> This document offers an approach to encrypt DNS queries and responses
> between the stub resolver and the recursive server over UDP to
> protect user privacy. The public key of the recursive server is
> distributed to the stub resolver through the Certificate Authority
> infrastructure, and the public key of the stub resolver is sent to
> the recursive server together with the DNS query where the public key
> is inserted to the additional section of the DNS query. Then the
> recursive server encrypts the DNS responses sent to the stub resolver
> with the public key of that stub resolver, and similarly the DNS
> query sent to the recursive server is encrypted by the stub resolver
> with the public key of that recursive server and thus the user
> privacy is protected.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
>