On 29 Jul 2015, at 10:48, Stephen Farrell wrote:

Basically, the DNS stack will not know whether or not it is running
under TLS/DTLS when the query and reply are formed; TLS/DTLS will be
opportunistic. So, to be safe, the DNS client or server will be forced
to add padding even when it is not needed, and thus make every message
longer.

I don't get that. Surely at most 1 query or response will be sent
when in such a state of ignorance, after which the application layer
can easily know if a TLS session exists. We are after all still
talking about stub<->recursive, right?

We are not defining an API, so there is no way for the application layer to know what it is running under.


We don't know how much padding is required to prevent analysis for
particular query/response pairs, and thus need to add lots of
random-length padding to each message to prevent the analysis.

I also don't get that. I agree we're not sure how to best use
padding. But we can define the simple bit of protocol needed now
and then after folks figure out how best to use it we could have
some more recommendations to make. And those might end up being
context dependent. So I see no need to mandate something wasteful
now.

That would be fine. What I worry about is that people will say "we can pad; people tell us to pad liberally; we will pad liberally". It would be great for the spec to say "probably don't do this much until more research has been done".

--Paul Hoffman
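The cost/benefit question argued above (pad to a fixed block so lengths collapse into a few buckets, versus "pad liberally" with random-length padding) can be made concrete. The following is an added illustration, not code from the thread or from any DNS implementation; the query names, block size and padding bound are constructed assumptions.

```python
import random
import struct

# Constructed sample query names of varying lengths (not from the thread).
SAMPLE_NAMES = ["a.example", "www.example.com", "mail.corp.example.net",
                "very-long-hostname-for-testing.sub.domain.example.org"]

def dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (header + one question, no EDNS) for NAME."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def pad_to_block(msg: bytes, block: int = 128) -> bytes:
    """Pad MSG with zero bytes up to the next multiple of BLOCK bytes.
    Every message then lands in one of a few length buckets."""
    return msg + b"\x00" * ((-len(msg)) % block)

def pad_random(msg: bytes, max_pad: int = 256, rng=random) -> bytes:
    """Append 0..MAX_PAD random zero bytes ('pad liberally')."""
    return msg + b"\x00" * rng.randint(0, max_pad)

def compare(names, block: int = 128, max_pad: int = 256, seed: int = 1) -> dict:
    """Compare the two padding policies over NAMES: how many distinct
    on-the-wire lengths remain, and how many extra bytes each policy costs."""
    rng = random.Random(seed)  # fixed seed so the comparison is repeatable
    raw = [dns_query(n) for n in names]
    blocked = [pad_to_block(m, block) for m in raw]
    randomized = [pad_random(m, max_pad, rng) for m in raw]
    raw_total = sum(len(m) for m in raw)
    return {
        "raw_lengths": [len(m) for m in raw],
        "block_distinct_lengths": len({len(m) for m in blocked}),
        "random_distinct_lengths": len({len(m) for m in randomized}),
        "block_overhead_bytes": sum(len(m) for m in blocked) - raw_total,
        "random_overhead_bytes": sum(len(m) for m in randomized) - raw_total,
    }

if __name__ == "__main__":
    for k, v in compare(SAMPLE_NAMES).items():
        print(f"{k}: {v}")
```

With these inputs every block-padded query is exactly 128 bytes (one bucket), while the random policy leaves the lengths distinct and, on average, costs more bytes.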

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
