Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-15 Thread Stephane Bortzmeyer
On Wed, Dec 14, 2016 at 12:18:17PM +0100, Shane Kerr wrote a message of 87 lines which said: > So basically you are advocating a model where meta-data > (specifically lookups of NS records and their associated A/ > records) is public and other data is private?

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-15 Thread Tirumaleswar Reddy (tireddy)
t;sh...@time-travellers.org> > Cc: dns-privacy@ietf.org > Subject: Re: [dns-privacy] [Step 2] More discussion needed: state your opinion > > > (With no hats...) > > On 13/12/16 19:44, Christian Huitema wrote: > > On Tuesday, December 13, 2016 11:16 AM, Paul Hoffma

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Shane Kerr
Paul, At 2016-12-14 07:24:44 -0800 "Paul Hoffman" wrote: > > 2) Which authentication(s) to use? > >>> > >>> I really like the CGA approach, but realistically I don't think that > >>> would be accepted. If we think that it would be, then I'm all for > >>> it. >

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread John Heidemann
On Wed, 14 Dec 2016 12:40:25 +0100, Shane Kerr wrote: >John, > >At 2016-12-13 10:01:51 -0800 >John Heidemann wrote: > >> >IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec >> >may have problems traversing NAT. It is also usually implemented by the >> >kernel,

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Paul Hoffman
On 14 Dec 2016, at 3:34, Shane Kerr wrote: IPsec seems desirable because somehow it seems better to be able to layer on top of security at the lowest level possible? Layer 3 instead of layer 4? Although I guess the only extra information we would be exposing with TLS or DTLS would be the port

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Stephane Bortzmeyer
On Wed, Dec 14, 2016 at 12:37:39PM +0100, Shane Kerr wrote a message of 65 lines which said: > If only there was a way to publish information about a server's > preferences There is one: DANE (at least to express that you support - or not - TLS and DTLS). For

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Shane Kerr
John, At 2016-12-13 10:01:51 -0800 John Heidemann wrote: > >IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec > >may have problems traversing NAT. It is also usually implemented by the > >kernel, which may cause deployment issues. I *want* IPsec to be an >

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Shane Kerr
Stephane, At 2016-12-14 10:46:16 +0100 Stephane Bortzmeyer wrote: > On Wed, Dec 14, 2016 at 10:21:13AM +0100, > Shane Kerr wrote > a message of 90 lines which said: > > > > Given that a fallback to TCP/TLS is likely needed even if the > > >

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Shane Kerr
Stephane, At 2016-12-13 16:41:33 +0100 Stephane Bortzmeyer wrote: > On Tue, Dec 13, 2016 at 03:46:25PM +0100, > Shane Kerr wrote > a message of 120 lines which said: > > > I think that TLS may be more painful in the resolver-to-auth case, > >

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Stephane Bortzmeyer
On Tue, Dec 13, 2016 at 11:16:08AM -0800, Paul Hoffman wrote a message of 60 lines which said: > If what we invent has better characteristics than DTLS or TLS, that > means that the TLS WG failed to find something that we could. That > seems *incredibly* unlikely, given

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Stephane Bortzmeyer
On Wed, Dec 14, 2016 at 10:21:13AM +0100, Shane Kerr wrote a message of 90 lines which said: > > Given that a fallback to TCP/TLS is likely needed even if the > > right answer is QUIC, and given that however the WG decide to > > address server authentication and

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Stephen Farrell
(With no hats...) On 13/12/16 19:44, Christian Huitema wrote: > On Tuesday, December 13, 2016 11:16 AM, Paul Hoffman wrote: >> >> If what we invent has better characteristics than DTLS or TLS, that >> means that the TLS WG failed to find something that we could. That seems >> *incredibly*

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Ilari Liusvaara
On Tue, Dec 13, 2016 at 11:16:08AM -0800, Paul Hoffman wrote: > > On 13 Dec 2016, at 6:46, Shane Kerr wrote: > > >IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec > >may have problems traversing NAT. It is also usually implemented by the > >kernel, which may cause

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Christian Huitema
On Tuesday, December 13, 2016 11:16 AM, Paul Hoffman wrote: > > If what we invent has better characteristics than DTLS or TLS, that > means that the TLS WG failed to find something that we could. That seems > *incredibly* unlikely, given the people active in the two WGs. Actually, QUIC might

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Paul Wouters
On Tue, 13 Dec 2016, Paul Hoffman wrote: IPsec will always have worse characteristics for DOS than DTLS, and probably worse than TLS. [citation needed] Paul ___ dns-privacy mailing list dns-privacy@ietf.org

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Paul Hoffman
On 13 Dec 2016, at 6:46, Shane Kerr wrote: IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec may have problems traversing NAT. It is also usually implemented by the kernel, which may cause deployment issues. I *want* IPsec to be an option here, but realistically I don't

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread John Heidemann
On Tue, 13 Dec 2016 15:46:25 +0100, Shane Kerr wrote: >Stephane, > >At 2016-12-13 11:59:36 +0100 >Stephane Bortzmeyer wrote: > >> In the minutes of the Seoul meeting, we see: >> >> Strong hum for sticking around to work on this. >> Terry (as AD): more mailing list discussion,

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Paul Wouters
On Tue, 13 Dec 2016, Stephane Bortzmeyer wrote: IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec may have problems traversing NAT. It is also usually implemented by the kernel, which may cause deployment issues. I *want* IPsec to be an option here, but realistically I

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Stephane Bortzmeyer
On Tue, Dec 13, 2016 at 03:46:25PM +0100, Shane Kerr wrote a message of 120 lines which said: > I think that TLS may be more painful in the resolver-to-auth case, > as TCP Fast Open will be generally less useful, right? Same thing (even worse) for persistent TCP

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Shane Kerr
Stephane, At 2016-12-13 11:59:36 +0100 Stephane Bortzmeyer wrote: > In the minutes of the Seoul meeting, we see: > > Strong hum for sticking around to work on this. > Terry (as AD): more mailing list discussion, please > > So, this email is to request this > discussion.