Re: [dns-privacy] Fwd: New Version Notification for draft-hzpa-dprive-xfr-over-tls-01.txt

2019-03-28 Thread Wessels, Duane


> On Mar 11, 2019, at 7:07 PM, Sara Dickinson wrote:
> 
> A new draft has been submitted outlining using DNS-over-TLS for zone 
> transfers.
> 

Hi Sara,

I wonder if you would be willing to include a reference to the ZONEMD work
in this draft.  Just as RFC 7858 says that TLS and DNSSEC are independent
and solve different problems, I think it would be good to point out here
that xfr-over-tls is not a substitution for being able to verify the
integrity of zone data as published.

DW



___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
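The distinction Duane draws above, as an added example that is not from the thread or from any of the drafts: a secondary that checks both the transport and a digest over the zone data itself. The digest is a simplified, hypothetical scheme modeled loosely on ZONEMD (it does not implement the RFC 8976 wire-format hashing), and the example.com zone and record layout are constructed for illustration.

```python
import hashlib

# Simplified, hypothetical zone-digest check in the spirit of ZONEMD; NOT the
# RFC 8976 wire-format algorithm (records are hashed in presentation form after
# canonical sorting). It shows the separation Duane points to: the digest covers
# the zone data itself, so TLS alone cannot detect data altered before transfer.

DIGEST_TYPE = "ZONEMD"  # type name from the thread; the rdata layout here is made up

def canonical_digest(records):
    """SHA-384 over the canonically sorted records, skipping the digest record."""
    lines = [f"{owner.lower()} {ttl} IN {rrtype} {rdata}"
             for owner, ttl, rrtype, rdata in sorted(records)
             if rrtype != DIGEST_TYPE]
    return hashlib.sha384("\n".join(lines).encode()).hexdigest()

def publish_digest(records):
    """Publisher side: append the digest record at the zone apex (the SOA owner)."""
    apex = next(owner for owner, _, rrtype, _ in records if rrtype == "SOA")
    return records + [(apex, 3600, DIGEST_TYPE, canonical_digest(records))]

def verify_zone(records):
    """Secondary side: returns (ok, published_digest, computed_digest)."""
    published = next((rd for _, _, rrtype, rd in records if rrtype == DIGEST_TYPE), None)
    computed = canonical_digest(records)
    return published == computed, published, computed

def secondary_accepts(records, transport_authenticated):
    """Both checks are needed: TLS (or TSIG) authenticates the peer and the
    channel; the zone digest authenticates the data as published."""
    if not transport_authenticated:
        return "reject: transport not authenticated"
    if not verify_zone(records)[0]:
        return "reject: zone digest mismatch"
    return "accept"

# Constructed sample zone as (owner, ttl, type, rdata); example.com is a placeholder.
ZONE = publish_digest([
    ("example.com.", 3600, "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600"),
    ("example.com.", 3600, "NS", "ns1.example.com."),
    ("ns1.example.com.", 3600, "A", "192.0.2.1"),
    ("www.example.com.", 3600, "A", "192.0.2.10"),
])

# Same zone with one A record changed at the source. An authenticated channel
# delivers it faithfully; only the digest comparison notices the change.
TAMPERED = [(o, t, r, "198.51.100.9") if o == "www.example.com." else (o, t, r, d)
            for o, t, r, d in ZONE]
```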


Re: [dns-privacy] Fwd: New Version Notification for draft-hzpa-dprive-xfr-over-tls-01.txt

2019-03-12 Thread Tony Finch
Sara Dickinson wrote:
>
> A new draft has been submitted outlining using DNS-over-TLS for zone 
> transfers.

I've had a brief skim.

It's entirely driven by zone confidentiality, which is a fine thing, but
from my point of view the interesting possibility is to get transport
integrity (like TSIG) but with much simpler key management.

Single-ended public key authentication of the primary with IP-based
access control for secondaries should be an easy upgrade for those that do
not currently use TSIG, and really nice for stealth secondaries.

Double-ended public key auth will help reduce the need to break out gpg
for key exchange with oldskool third-party secondarying arrangements.

So I think this is interesting from the dnsop perspective as well as
dprive.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
an equitable and peaceful international order



[dns-privacy] Fwd: New Version Notification for draft-hzpa-dprive-xfr-over-tls-01.txt

2019-03-11 Thread Sara Dickinson
Hi All, 

A new draft has been submitted outlining using DNS-over-TLS for zone transfers.

The draft is quite basic at this stage but we are planning to work on this 
topic at the Hackathon to try to answer the open questions and move this 
forward.

Regards

Sara. 

> Begin forwarded message:
> 
> From: internet-dra...@ietf.org
> Subject: New Version Notification for draft-hzpa-dprive-xfr-over-tls-01.txt
> Date: 11 March 2019 at 17:58:31 GMT
> To: "Sara Dickinson", "Han Zhang", "Willem Toorop", "Allison Mankin",
> "Pallavi Aras"
> 
> 
> A new version of I-D, draft-hzpa-dprive-xfr-over-tls-01.txt
> has been successfully submitted by Sara Dickinson and posted to the
> IETF repository.
> 
> Name:           draft-hzpa-dprive-xfr-over-tls
> Revision:       01
> Title:          DNS Zone Transfer over TLS
> Document date:  2019-03-11
> Group:          Individual Submission
> Pages:          8
> URL:            https://www.ietf.org/internet-drafts/draft-hzpa-dprive-xfr-over-tls-01.txt
> Status:         https://datatracker.ietf.org/doc/draft-hzpa-dprive-xfr-over-tls/
> Htmlized:       https://tools.ietf.org/html/draft-hzpa-dprive-xfr-over-tls-01
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-hzpa-dprive-xfr-over-tls
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-hzpa-dprive-xfr-over-tls-01
> 
> Abstract:
>   DNS zone transfers are transmitted in clear text, which gives
>   attackers the opportunity to collect the content of a zone by
>   eavesdropping on network connections.  The DNS Transaction Signature
>   (TSIG) mechanism is specified to restrict direct zone transfer to
>   authorized clients only, but it does not add confidentiality.  This
>   document specifies use of DNS-over-TLS to prevent zone contents
>   collection via passive monitoring of zone transfers.
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
