Reviewer: Phillip Hallam-Baker
Review result: Has Issues
The draft addresses the longstanding problem of DNS using an insecure transport
protocol in the way that it should have been addressed from the start -
encrypting the UDP packets. It is an important and overdue addition to the
network
This business of proxy chains. It seems like it is insoluble. We faced the
same problem when we were trying to deal with spam. There is a huge amount
of complexity there. I have been thinking about this problem for the past
week and I think I have come up with the answer:
None of it matters.
To
On Tue, Nov 26, 2019 at 1:08 PM Stephane Bortzmeyer
wrote:
> On Tue, Nov 26, 2019 at 12:35:13PM -0500,
> Phillip Hallam-Baker wrote
> a message of 166 lines which said:
>
> > 2) Admin/User Configured DNS
> > The client obtains the information to conne
This notion of DNS resolver discovery seems very strange to me. There are
three ways in which a DNS resolver can be realistically determined by a
client whether that is in the platform (Windows/OSX/Linux/etc) or the
application.
1) Promiscuous DNS
The client obtains the information to connect
Some of the attacks made on one of the speakers seemed overly aggressive to
me. And as sometimes happens, the people making the statements were simply
misinformed.
The use of machine readable legal terms is not just possible, it is the way
most international trade takes place. When I first joined
On Mon, May 18, 2015 at 6:37 AM, Simon Josefsson si...@josefsson.org
wrote:
Phillip Hallam-Baker i...@hallambaker.com writes:
Any DNSvNext protocol MUST work in 100% of network situations where DNS
works or else it has 0% of being adopted.
That's simply impossible. A goal like
On Wed, May 13, 2015 at 12:32 PM, Doug Royer douglasro...@gmail.com wrote:
Firewall issue:
We can't live in fear that only a handful of ports are forever usable
because of busted firewalls or busted firewall administrators.
I think the decision should be based on what's best for DNS.
I
On Tue, Apr 28, 2015 at 5:04 AM, Tony Finch d...@dotat.at wrote:
Phillip Hallam-Baker i...@hallambaker.com wrote:
Having it work for content and DNS are two different things. The
routing tables only need to be constant for a few minutes to support
TCP content download. For DNS to be viable
On Tue, Apr 28, 2015 at 12:16 AM, Christian Huitema huit...@huitema.net wrote:
On Monday, April 27, 2015, at 5:22 PM, Warren Kumari wrote
On Mon, Apr 27, 2015 at 4:17 PM, Paul Hoffman paul.hoff...@vpnc.org
There is a third solution to the anycast problem, which is what is done
today in all
On Mon, Apr 27, 2015 at 3:50 PM, Christian Huitema huit...@huitema.net wrote:
Which is why I propose what is in effect a STLS (Stateless TLS) in
which each UDP request packet (optionally) contains the full state
required to decrypt it at the server.
Without going in the details, there are two
On Thu, Apr 23, 2015 at 4:21 PM, Dan Wing dw...@cisco.com wrote:
I am not an expert on DTLS but that was the concern that made me avoid using
it. I want a completely stateless resolver, not just UDP.
That means using either a very fast ECC scheme for authentication or some
sort of kerberos
On Thu, Apr 23, 2015 at 8:57 PM, Watson Ladd watsonbl...@gmail.com wrote:
On Apr 23, 2015 1:52 PM, Phillip Hallam-Baker i...@hallambaker.com
wrote:
On Thu, Apr 23, 2015 at 4:21 PM, Dan Wing dw...@cisco.com
wrote:
I am not an expert on DTLS but that was the concern that made
There are two sets of issues:
1) Discovery
2) Presentation
I suggest dividing the drafts into two parts and considering these
separately. DNS currently has two transports. The idea that all uses
can be addressed over TCP is currently unproven as far as the majority
of the stakeholders whose
On Tue, Apr 7, 2015 at 3:33 PM, Warren Kumari war...@kumari.net wrote:
Hi all,
We are planning on starting a call for adoption on the documents on April
15th.
At the meeting in Dallas we heard that a number of people didn't feel
that they had enough information / knowledge of the documents
On Fri, Mar 20, 2015 at 6:33 AM, Stephen Farrell stephen.farr...@cs.tcd.ie
wrote:
On 19/03/15 23:43, Zhiwei Yan wrote:
Hi, all, I think it's better that this draft contains some solution
about the client authentication to decrease/avoid the DoS attack. But
it's really not the focus of
The proposal is a reasonable approach and not overly complex. The question
that concerns me though is how the client authenticates the resolver.
Without authentication, encryption is useless because you could be having
the conversation with Mallet.
Using DNSSEC for that is problematic since the
On Sun, Mar 8, 2015 at 7:48 PM, Christian Huitema huit...@huitema.net
wrote:
What worries me is if we build a circular dependency into the stack. TLS
is layered on top of DNS at several points. The names used in TLS are DNS
names.
Let's step back a minute. We are worried that TLS carries
On Mon, Mar 2, 2015 at 9:00 AM, Ilari Liusvaara ilari.liusva...@elisanet.fi
wrote:
On Mon, Mar 02, 2015 at 07:49:08AM -0500, Phillip Hallam-Baker wrote:
Having long experience of trying to persuade browser providers to do OCSP
with TLS, I do not see any possibility that DNS over TCP
On Mon, Mar 2, 2015 at 9:00 AM, Ilari Liusvaara ilari.liusva...@elisanet.fi
wrote:
I would see the point of using UDP (which means increased complexity):
No it does not.
UDP is a lot simpler than any of the TCP proposals.
* Fewer states
* Smaller library
* Fewer options
TLS is a big
On Fri, Feb 27, 2015 at 10:50 AM, Tim Wicinski tjw.i...@gmail.com wrote:
On 2/27/15 10:46 AM, Stephane Bortzmeyer wrote:
On Fri, Feb 27, 2015 at 10:38:53AM -0500,
Phillip Hallam-Baker i...@hallambaker.com wrote
a message of 78 lines which said:
BTW are we planning to IETF last call
On Fri, Feb 27, 2015 at 2:58 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
On Feb 27, 2015, at 11:40 AM, Hosnieh Rafiee i...@rozanak.com wrote:
I agree that the first versions might be confusing.
I have looked at the current draft and it is still just as confusing to
me. I do not feel that
On Thu, Feb 26, 2015 at 7:51 AM, Stephen Farrell stephen.farr...@cs.tcd.ie
wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hiya,
On 26/02/15 12:43, Brian Haberman wrote:
Are you thinking of looking at patterns of qname values/labels or
just some number of packets going towards a
Responding to Hosnieh:
We have to avoid loaded terms like minimal changes. What is a minimal
change is a very subjective question.
We have middlebox issues. Since a middlebox can't do anything useful to an
encrypted message and because my objective is to bypass government
censorship schemes, my
DNS privacy requires us to make two changes to the DNS protocol.
1) The resolver is acknowledged as being a trusted service
2) Some form of crypto is added between the transport and application layer
in the client-resolver protocol.
So far we seem to have focused on the second issue. But that is
On Thu, Feb 19, 2015 at 1:21 PM, Ted Hardie ted.i...@gmail.com wrote:
Howdy,
On Thu, Feb 19, 2015 at 7:20 AM, Phillip Hallam-Baker
ph...@hallambaker.com wrote:
DNS privacy requires us to make two changes to the DNS protocol.
I'm a little confused as to why this isn't on DPRIVE, but okay
On Tue, Feb 3, 2015 at 11:01 AM, Warren Kumari war...@kumari.net wrote:
Hi all,
The Dallas meeting is approaching, and we'd like to start getting the
agenda organized.
Please send us requests for time, etc.
We have not made nearly as much progress since Hawaii as we'd hoped
for / expected
One of the questions we have to ask ourselves is what sort of DNS privacy
solution are we aiming to provide here. Is it meant to be
A) A replacement for the DNS client-resolver protocol intended to
eventually replace it.
B) A scheme that allows those who want to achieve DNS privacy to do so
My
While tunneling over DNS is interesting, it isn't really the answer to our
problem which is how to establish a robust and efficient encrypted DNS
protocol.
DNS tunnels tend to be used by folk willing to tolerate low bandwidth and
low latency. Cramming your requests into BASE32 encoded labels and
On Mon, Nov 24, 2014 at 4:22 PM, Tim Wicinski tjw.i...@gmail.com wrote:
(I was waiting to confirm the wording with Warren, but I failed to remember
he was away last week).
Coming out of IETF91, we saw good discussion around the problem statement;
the beginnings of a discussion around
On Wed, Nov 19, 2014 at 2:43 AM, Dan Wing dw...@cisco.com wrote:
On Nov 13, 2014, at 10:24 AM, Phillip Hallam-Baker i...@hallambaker.com
wrote:
I see two distinct use cases:
1) Web browsing
2) Everything else.
The challenges for (1) are latency, latency and latency.
Shaving 10ms off
On Wed, Nov 19, 2014 at 12:08 PM, Dan Wing dw...@cisco.com wrote:
On Nov 19, 2014, at 4:05 AM, Phillip Hallam-Baker i...@hallambaker.com
wrote:
On Nov 13, 2014, at 10:24 AM, Phillip Hallam-Baker i...@hallambaker.com
wrote:
The thing I didn't like about using DTLS is that I have
On Wed, Nov 19, 2014 at 12:13 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
Given that the problem statement for the group is stub-to-resolver, and a
stub generally uses one resolver, it is quite believable that one would have
a TCP connection open to the resolver that is reused for future
On Wed, Nov 19, 2014 at 8:09 PM, John Heidemann jo...@isi.edu wrote:
On Wed, 19 Nov 2014 22:33:14 +, Mankin, Allison wrote:
One small addition. That's an our older tech report, and that link is
now broken.
The current version is TR-693, at
On Fri, Nov 14, 2014 at 10:42 AM, Hosnieh Rafiee
hosnieh.raf...@huawei.com wrote:
Hi,
There is one question from folks. There are some existing approaches that
do not change the DNS protocol. There are also new proposals that need changes
to the DNS protocol.
For example, my proposal, cga-tsig,
I see two distinct use cases:
1) Web browsing
2) Everything else.
The challenges for (1) are latency, latency and latency.
Shaving 10ms off the response of a browser is very important to the
Web browser team. Folk can argue that it should not be, but that is
the situation.
If we are going to
On Thu, Nov 13, 2014 at 9:41 AM, Paul Wouters p...@nohats.ca wrote:
On Thu, 13 Nov 2014, Hugo Connery wrote:
2. Trust between clients (stubs) and recursive resolvers
Whether the communication to the recursive resolver is encrypted or not
the
resolver itself knows all queries (data and
On Thu, Nov 13, 2014 at 10:29 AM, Joshua Smith jsm...@mail.wvnet.edu wrote:
On Thu, Nov 13, 2014 at 10:24:13AM -1000, Phillip Hallam-Baker wrote:
I see two distinct use cases:
1) Web browsing
2) Everything else.
The challenges for (1) are latency, latency and latency.
Shaving 10ms off
We have three proposals on the table. The question is how to score
them objectively.
One approach would be to ask some party that runs a public DNS
responder which of the protocols they are most likely to support. So
feedback from a Verizon or a Google/8.8.8.8 would be useful.
Another point to
Was anything published?
Sent from my difference engine
On Nov 5, 2014, at 11:04 AM, Ray Bellis ray.bel...@nominet.org.uk wrote:
On 29 Oct 2014, at 18:50, Rubens Kuhl rube...@nic.br wrote:
What constitutes prior art, an idea or implementation of the idea ?
Would the 2007
On Mon, Oct 27, 2014 at 10:45 AM, Paul Hoffman paul.hoff...@vpnc.org
wrote:
On Oct 27, 2014, at 7:36 AM, Hosnieh Rafiee hosnieh.raf...@huawei.com
wrote:
So why do you think it is distraction for the WG that addresses privacy?
I said I thought it was a distraction; discussing it further
On Sun, Oct 26, 2014 at 10:59 AM, Stephane Bortzmeyer bortzme...@nic.fr
wrote:
On Sat, Oct 25, 2014 at 07:35:11PM -0700,
Watson Ladd watsonbl...@gmail.com wrote
a message of 54 lines which said:
Before DPRIV: anyone who owns the DNS box at an ISP can see all
dns-queries go through, and
On Sun, Oct 26, 2014 at 11:09 AM, Paul Hoffman paul.hoff...@vpnc.org
wrote:
On Oct 25, 2014, at 7:35 PM, Watson Ladd watsonbl...@gmail.com wrote:
Before DPRIV: anyone who owns the DNS box at an ISP can see all
dns-queries go through, and know who made them.
After: exactly the same.
Paul,
It is a VeriSign patent, it's just being shown on the Google patent search
engine
On Sat, Oct 25, 2014 at 1:53 PM, Paul Vixie p...@redbarn.org wrote:
Stephane Bortzmeyer bortzme...@nic.fr
Saturday, October 25, 2014 2:24 AM
[Copy to dnsop since the qname minimisation draft is now a
On Sat, Oct 25, 2014 at 10:35 PM, Watson Ladd watsonbl...@gmail.com wrote:
On Sat, Oct 25, 2014 at 7:04 PM, Phillip Hallam-Baker
i...@hallambaker.com wrote:
I think that we have to go back to the original goal, to reduce leakage
of
information so that we only disclose where there is a need
On Thu, Oct 23, 2014 at 5:52 AM, Stephen Farrell stephen.farr...@cs.tcd.ie
wrote:
On 23/10/14 09:04, Jelte Jansen wrote:
To name one: the bigger the shared resolver, the higher the chance the
three letter agencies want and might have their taps there. So IMHO Joe
is simply shifting trust
On Thu, Oct 23, 2014 at 8:08 AM, Stephen Farrell stephen.farr...@cs.tcd.ie
wrote:
I think the answer to this question may be a simple no, don't
but it if were not, it might be something that'd improve privacy
for both stub-recursive and recursive-authoritative without
changes to the DNS, but
On Wed, Oct 22, 2014 at 4:08 PM, Paul Ferguson fergdawgs...@mykolab.com
wrote:
Apologies for the top-post and the length of quoted text, but I wanted
to retain some context of Vixie's remarks.
I would also like to express my concern on the similar issues that Vix
expressed here, but perhaps
On Mon, Oct 20, 2014 at 10:02 AM, Paul Hoffman paul.hoff...@vpnc.org
wrote:
On Oct 20, 2014, at 1:25 AM, Stephane Bortzmeyer bortzme...@nic.fr
wrote:
On Tue, Oct 14, 2014 at 10:04:14AM -0400,
Paul Wouters p...@nohats.ca wrote
a message of 80 lines which said:
I understand your wish
I support adoption and have made some comments to the list already.
I am not sure if we need to eventually publish the document as an RFC
however. In particular I don't think we should try to get that doc perfect
before going on to the real work of building protocols. It should be a
running
, 2014, at 11:59 AM, Phillip Hallam-Baker i...@hallambaker.com
wrote:
Won't we need to move to the dpr...@ietf.org list to start the WG
discussion?
No, the announcement of the WG being formed said that this list is the
WG's list.
Yup, as does the datatracker / charter page.
However, many
On Mon, Oct 13, 2014 at 12:17 PM, Paul Wouters p...@nohats.ca wrote:
On Mon, 13 Oct 2014, Phillip Hallam-Baker wrote:
I think we can maybe clarify the charter a little here.
Protecting the integrity of the messages between the stub and the
resolver should be a requirement for any spec
On Sun, Sep 7, 2014 at 11:00 AM, Andrew Sullivan a...@anvilwalrusden.com
wrote:
On Sun, Sep 07, 2014 at 08:34:33AM -0400, Phillip Hallam-Baker wrote:
Seems that they are intercepting ALL external DNS and sending their
own responses when they see an NXDOMAIN.
Yes, some networks do
On Fri, May 23, 2014 at 9:31 AM, W.C.A. Wijngaards wou...@nlnetlabs.nl wrote:
Thanks for doing this.
hallambaker-dnse: kerberos-like scheme with tickets and keys.
Just to be clear, my DNSE paper is a requirements document that
addresses the space, it is not a proposal. Private-DNS is the
On Fri, Apr 25, 2014 at 10:46 AM, Ralf Weber d...@fl1ger.de wrote:
Moin!
On 25 Apr 2014, at 16:22, Tirumaleswar Reddy (tireddy) tire...@cisco.com
wrote:
Any specific reason for the firewalls to permit TCP/53 other than for zone
transfer ?
Wat? Because it is defined in the RFC. RFC1035 may
On Thu, Apr 24, 2014 at 11:19 AM, Joe Abley jab...@hopcount.ca wrote:
On 24 Apr 2014, at 10:53, Phillip Hallam-Baker hal...@gmail.com wrote:
If you want to use TLS with DNS then use port 443. One of the effects
of firewalls is that we now only have three ports for all protocols:
Port 80/UDP