Re: [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Paul Hoffman
is invalid). /snip Sorry, you are right, and I had misread that. --Paul Hoffman ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy

[dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt

2014-08-18 Thread Paul Hoffman
Greetings. I created a new proposal on a simple way to do DNS over TLS between stubs and resolvers. Comments are appreciated. --Paul Hoffman A new version of I-D, draft-hoffman-dns-tls-stub-00.txt has been successfully submitted by Paul Hoffman and posted to the IETF repository. Name

Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt

2014-08-19 Thread Paul Hoffman
[[ Combined PaulW's and Jacob's responses ]] On Aug 19, 2014, at 2:01 PM, Paul Wouters p...@nohats.ca wrote: On Tue, 19 Aug 2014, Paul Hoffman wrote: I wonder this 'MUST' may be too strong (or I don't fully understand the sense of this MUST). Since the upstream recursive resolver may

Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt

2014-08-20 Thread Paul Hoffman
On Aug 20, 2014, at 6:30 AM, Jacob Appelbaum ja...@appelbaum.net wrote: On 8/19/14, Paul Hoffman paul.hoff...@vpnc.org wrote: [[ Combined PaulW's and Jacob's responses ]] On Aug 19, 2014, at 2:01 PM, Paul Wouters p...@nohats.ca wrote: On Tue, 19 Aug 2014, Paul Hoffman wrote: I wonder

[dns-privacy] Authenticating the resolver

2014-08-27 Thread Paul Hoffman
like one egg that keeps changing chickens. Please look at the draft again; I don't think it is as bad as you are saying. --Paul Hoffman ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Authenticating the resolver

2014-08-29 Thread Paul Hoffman
On Aug 29, 2014, at 5:30 AM, Wes Hardaker wjh...@hardakers.net wrote: Paul Hoffman paul.hoff...@vpnc.org writes: On Aug 27, 2014, at 12:46 PM, Wes Hardaker wjh...@hardakers.net wrote: But what's the solution? How do we authenticate that resolver? PKIX won't help us, as there is no name

Re: [dns-privacy] WG Review: DNS PRIVate Exchange (dprive)

2014-10-12 Thread Paul Hoffman
different privacy properties. Having a document that catalogs these (which is different than what is in the problem statement) would be useful for both the WG and the larger community. --Paul Hoffman ___ dns-privacy mailing list dns-privacy@ietf.org https

Re: [dns-privacy] DPRIVE is officially a WG.

2014-10-18 Thread Paul Hoffman
On Oct 18, 2014, at 8:58 AM, Warren Kumari war...@kumari.net wrote: On Fri, Oct 17, 2014 at 5:10 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: On Oct 17, 2014, at 11:59 AM, Phillip Hallam-Baker i...@hallambaker.com wrote: Won't we need to move to the dpr...@ietf.org list to start the WG

Re: [dns-privacy] DNScurve limits (Was: Agenda time.

2014-10-20 Thread Paul Hoffman
://dnscrypt.org/. It is actually deployed http://www.opendns.com/about/innovations/dnscrypt/ And, after many attempts by people here, it is still undocumented. There is a bit of a protocol description, but it is fairly incomprehensible, other than we're using great crypto!. --Paul Hoffman

Re: [dns-privacy] DNScurve limits (Was: Agenda time.

2014-10-21 Thread Paul Hoffman
On Oct 21, 2014, at 2:18 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote: On Mon, Oct 20, 2014 at 07:02:01AM -0700, Paul Hoffman paul.hoff...@vpnc.org wrote a message of 23 lines which said: And, after many attempts by people here, it is still undocumented. There is a bit of a protocol

Re: [dns-privacy] A pool is not an onion

2014-10-26 Thread Paul Hoffman
. --Paul Hoffman

Re: [dns-privacy] What about CGA-TSIG as a solution for DNS privacy?

2014-10-27 Thread Paul Hoffman
. What do you think? It is a distraction for this WG and should not be considered. --Paul Hoffman

Re: [dns-privacy] What about CGA-TSIG as a solution for DNS privacy?

2014-10-27 Thread Paul Hoffman
On Oct 27, 2014, at 7:36 AM, Hosnieh Rafiee hosnieh.raf...@huawei.com wrote: So why do you think it is distraction for the WG that addresses privacy? I said I thought it was a distraction; discussing it further would be more of a distraction. --Paul Hoffman

Re: [dns-privacy] Verisign patent disclosure

2014-10-28 Thread Paul Hoffman
On Oct 28, 2014, at 4:48 AM, Brian Haberman br...@innovationslab.net wrote: https://datatracker.ietf.org/ipr/2469/ Being picky about something that is important: that is a disclosure of a *patent application*, not a *patent*. --Paul Hoffman

Re: [dns-privacy] [dprive-problem-statement] Clearly marking privacy considerations?

2014-11-03 Thread Paul Hoffman
: exposing source IP addresses of DNS queries raises privacy risks Advice? My preference is not to have three categories, but just one: problems. Problems are issues, and problems have considerations, but what the WG needs is a list of problems that it needs to try to solve. --Paul Hoffman

Re: [dns-privacy] Verisign patent disclosure

2014-11-05 Thread Paul Hoffman
I moved the discussion to the dnsop mailing list because it is that WG, not this one, which is discussing the draft-ietf-dnsop-qname-minimisation draft. --Paul Hoffman

Re: [dns-privacy] DNS over TLS and framing

2014-11-13 Thread Paul Hoffman
with the two-octet length at the beginning of each message, as described in Section 4.2.2 of RFC 1035. --Paul Hoffman

Re: [dns-privacy] DNS over TLS

2014-11-19 Thread Paul Hoffman
done before the first web page request), the speed of the request is the same for an open TCP connection as it is for a new UDP connection. --Paul Hoffman

Re: [dns-privacy] Moving things along...

2015-02-18 Thread Paul Hoffman
, but personally, I think both are less likely to succeed than hzhwm-dprive-start-tls-for-dns. --Paul Hoffman

Re: [dns-privacy] Review of dprive-problem-statement-01

2015-02-19 Thread Paul Hoffman
.) There is precedent for it: RFC 4357 has normative references to documents only in Russian. --Paul Hoffman

Re: [dns-privacy] A depraved test

2015-01-12 Thread Paul Hoffman
that doesn't work? --Paul Hoffman

Re: [dns-privacy] draft-wijngaards-dnsop-confidentialdns and DDoS

2015-03-19 Thread Paul Hoffman
On Mar 19, 2015, at 8:49 AM, W.C.A. Wijngaards wou...@nlnetlabs.nl wrote: On 14/03/15 01:19, Paul Hoffman wrote: Greetings again. I mentioned this to Wouters a while ago, before the DPRIVE WG started, but it is worth bringing up here if the WG is considering this for widespread deployment

Re: [dns-privacy] draft-wijngaards-dnsop-confidentialdns and DDoS

2015-03-19 Thread Paul Hoffman
On Mar 19, 2015, at 7:00 PM, Watson Ladd watsonbl...@gmail.com wrote: On Thu, Mar 19, 2015 at 5:59 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: On Mar 19, 2015, at 8:49 AM, W.C.A. Wijngaards wou...@nlnetlabs.nl wrote: On 14/03/15 01:19, Paul Hoffman wrote: Greetings again. I mentioned

[dns-privacy] draft-wijngaards-dnsop-confidentialdns and DDoS

2015-03-13 Thread Paul Hoffman
developed for secure web servers comes to secure DNS servers for free. --Paul Hoffman

Re: [dns-privacy] tcpinc ?

2015-03-02 Thread Paul Hoffman
and could make choices based on that. From the stub resolver's point of view, TCPINC is no different than running over an IPsec tunnel. --Paul Hoffman

Re: [dns-privacy] Devote time to draft-rafiee-intarea-cga-tsig? (Was: Moving things along...

2015-02-27 Thread Paul Hoffman
it to be understandable to typical readers. I'm happy to read the Introduction section of further revisions and, if one eventually is clear, to comment then. --Paul Hoffman

Re: [dns-privacy] Moving things along...

2015-02-26 Thread Paul Hoffman
On Feb 25, 2015, at 4:11 PM, Warren Kumari war...@kumari.net wrote: Are you interested on working on CGA-TSIGe and would you like to devote some (10 minutes) of the meeting time in Dallas to a presentation / discussion on CGA-TSIGe? No.

Re: [dns-privacy] Call for Adoptions on the 3 documents.

2015-04-19 Thread Paul Hoffman
that. --Paul Hoffman

Re: [dns-privacy] DPRIVE over UDP or TCP

2015-04-27 Thread Paul Hoffman
in the anycast pool. There is a third solution to the anycast problem, which is what is done today in all systems that use anycast: assume that it happens so rarely, that a rare reset is just fine. --Paul Hoffman

Re: [dns-privacy] DPRIVE over UDP or TCP

2015-05-01 Thread Paul Hoffman
. Is there research that shows differently? --Paul Hoffman

[dns-privacy] How many mechanisms in draft-ietf-dprive-start-tls-for-dns?

2015-05-13 Thread Paul Hoffman
On May 13, 2015, at 3:52 AM, Simon Josefsson si...@josefsson.org wrote: Paul Hoffman paul.hoff...@vpnc.org writes: Having two parallel mechanisms for a latency-sensitive protocol leads to the necessity of doing a happy eyeballs approach in implementation to decrease latency. That's only

Re: [dns-privacy] I-D Action: draft-ietf-dprive-start-tls-for-dns-00.txt

2015-05-12 Thread Paul Hoffman
that middle boxes that interfere with DNS traffic should be considered part of the problem, not part of the solution. Fully agree, and the draft says nothing about them being part of the solution. --Paul Hoffman

Re: [dns-privacy] Considering IPsec

2015-04-14 Thread Paul Hoffman
choice to use TLS. --Paul Hoffman

Re: [dns-privacy] privacy respect... ICANN!!

2015-06-27 Thread Paul Hoffman
in Working Group Last Call in dnsop). +1. If you want to have a constructive discussion about this topic that has some chance of changing the outcome, you should probably do it in ICANN, not in an unrelated WG in the IETF. --Paul Hoffman

Re: [dns-privacy] Call For Adoption: draft-wing-dprive-dnsodtls

2015-05-25 Thread Paul Hoffman
? It would be good to see numbers if this is the case. --Paul Hoffman

Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding

2015-07-29 Thread Paul Hoffman
needed. But I understand the problem of we don't even have that now and we don't know when we will have it. The draft in question is trivial to implement, but configuring it (with the length per query or response) seems impossible without adding large amounts. --Paul Hoffman

Re: [dns-privacy] Direction of draft-mayrhofer-edns0-padding

2015-07-29 Thread Paul Hoffman
something wasteful now. That would be fine. What I worry about is that people will say we can pad; people tell us to pad liberally; we will pad liberally. It would be great for the spec to say probably don't do this much until more research has been done. --Paul Hoffman

Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-23 Thread Paul Hoffman
ree on all counts. If the WG wants to move both -TLS and -DTLS to the IETF, it makes no sense at all to have them have different crypto properties. I don't care if the answer is "harmonize each before finishing" or "harmonize them by reference to a third document". --Paul Hof

Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Paul Hoffman
on mentioning the issues raised about waiting for other documents before moving forward in my shepherd notes. Just to be clear: do the chairs read the rough consensus to be that the draft needs to remove Sections 3.2 and all of Section 4, and move them to a new document? --Paul Hoffman

Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Paul Hoffman
On 13 Nov 2015, at 8:28, Tim Wicinski wrote: On 11/13/15 8:22 AM, Paul Hoffman wrote: Just to be clear: do the chairs read the rough consensus to be that the draft needs to remove Sections 3.2 and all of Section 4, and move them to a new document? --Paul Hoffman Yes, I do (once I

Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Paul Hoffman
and point to a future document: that will never fly with the IESG (and nor should it). --Paul Hoffman

Re: [dns-privacy] Please review documents...

2015-09-30 Thread Paul Hoffman
objection to using both that I'm missing? Your proposal would restrict initial deployment to clients and servers whose TLS stack has ALPN. Instead of doing this, we could gate the next version on ALPN instead, causing more early deployment. --Paul Hoffman

Re: [dns-privacy] Review of draft-ietf-dprive-dtls-and-tls-profiles-03

2016-07-24 Thread Paul Hoffman
On 24 Jul 2016, at 11:43, Stephane Bortzmeyer wrote: On Sat, Jul 23, 2016 at 08:51:43AM -0700, Paul Hoffman <paul.hoff...@vpnc.org> wrote a message of 46 lines which said: Proposed replacement: [...] The negative implications of the two types of privacy are so radically dif

Re: [dns-privacy] RE I-D Action: draft-ietf-dprive-dnsodtls-08.txt

2016-08-10 Thread Paul Hoffman
there waiting for TLS 1.3 to finish. I think SAAG could take this on, or maybe spin up a short, narrow WG for it. --Paul Hoffman

[dns-privacy] Review of draft-ietf-dprive-dtls-and-tls-profiles-03

2016-07-23 Thread Paul Hoffman
This document seems ready for WG Last Call. The comments I have here can be dealt with before or during WG Last Call. --Paul Hoffman = The following text from section 4.2 still seems wrong: Since Strict Privacy provides the strongest privacy guarantees it is preferable

Re: [dns-privacy] DNS over TLS for zone transfers?

2017-01-17 Thread Paul Hoffman
tocol", as we have already seen in this WG. --Paul Hoffman

Re: [dns-privacy] I-D Action: draft-ietf-dprive-dtls-and-tls-profiles-08.txt

2017-01-18 Thread Paul Hoffman
Thanks! This version fixes the problem I brought up in WG Last Call, and I like the new table as well. --Paul Hoffman

Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dnsodtls.

2016-08-21 Thread Paul Hoffman
state is kept in the kernel" vs. "session state is kept in the application stack" vs. DoS-by-CPU-exhaustion. --Paul Hoffman

Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

2016-10-07 Thread Paul Hoffman
On 7 Oct 2016, at 2:48, Stephane Bortzmeyer wrote: The document seems to use "X.509" and "PKIX" as synonyms. Is it really the case? No. PKIX is an extension of X.509 (but almost no one uses unextended X.509 certs). Changing them all to PKIX is probably be

Re: [dns-privacy] After the DNS-over-DTLS WGLC...

2016-08-18 Thread Paul Hoffman
useful. The privacy advantages are obvious, but the various types of costs are important too. --Paul Hoffman

Re: [dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: configuration

2016-10-26 Thread Paul Hoffman
On 26 Oct 2016, at 6:24, Sara Dickinson wrote: On 23 Oct 2016, at 00:26, Paul Hoffman <paul.hoff...@vpnc.org> wrote: Greetings. Someone reading this document for the first time might not understand where the DNS name that is being discussed in the main body of the document was

Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

2016-10-26 Thread Paul Hoffman
this specific case, it's more "chicken or egg" than "bootstrap" because you actually do first use the unsecured DNS. Maybe just "Startup" for the title and leave bootstrap in the body text (which does describe the problem quite well). --Paul Hoffman

Re: [dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: strict privacy

2016-10-27 Thread Paul Hoffman
would be willing to go to cleartext? For other than crypto experts (who are likely to only want Strict), how would weak TLS be worse than cleartext? It feels like this is adding a layer of operational complexity for an audience who probably doesn't exist.

Re: [dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: strict privacy

2016-10-28 Thread Paul Hoffman
On 28 Oct 2016, at 3:21, Sara Dickinson wrote: On 27 Oct 2016, at 19:28, Paul Hoffman <paul.hoff...@vpnc.org> wrote: I will admit that I thought there was just one bottom level of OS in our discussion, cleartext. If there are two (cleartext; no communication), the document need

Re: [dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: strict privacy

2016-10-28 Thread Paul Hoffman
. In TLS, it's not the server that tries to be secure, it's the client. The server offers a bunch of stuff, but only once. The client picks, but only once. --Paul Hoffman

[dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: configuration

2016-10-22 Thread Paul Hoffman
too late. The document might be much more approachable if Section 8 was moved to immediately after Section 3, and if it was re-titled "Configuration of the Domain Name for Verification". --Paul Hoffman

[dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: SPKI pinning

2016-10-22 Thread Paul Hoffman
tion 2). Also remove the bullet about raw public keys in Section 11, which seems completely out-of-place in a document about DNS name matching. --Paul Hoffman

Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

2016-10-22 Thread Paul Hoffman
nt. Proposal: remove "[NOTE:" and "]". Section 11: The first paragraph covers multiple topics; it could be broken after second sentence. --Paul Hoffman

Re: [dns-privacy] Draft minutes form IETF97

2016-11-25 Thread Paul Hoffman
for the Profiles discussion doesn't reflect the mic interactions on the open topics that Sara brought up. In specific, there seemed to be general agreement on leaving the fallback terminology alone, and on removing hard-fail from the options. --Paul Hoffman

Re: [dns-privacy] Call for Adoption: draft-mayrhofer-dprive-padding-profile

2016-11-17 Thread Paul Hoffman
I support the adoption of this document, knowing that there is still a bunch of research that needs to be done before we can specify good profiles. --Paul Hoffman

Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

2016-10-27 Thread Paul Hoffman
On 27 Oct 2016, at 7:35, Sara Dickinson wrote: On 27 Oct 2016, at 15:06, Paul Hoffman <paul.hoff...@vpnc.org> wrote: On 27 Oct 2016, at 5:35, Sara Dickinson wrote: That would be good, yes. But "obtained" still sounds like it might come from the DNS itself, not from confi

Re: [dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: SPKI pinning

2016-10-27 Thread Paul Hoffman
On 27 Oct 2016, at 5:35, Sara Dickinson wrote: On 23 Oct 2016, at 00:25, Paul Hoffman <paul.hoff...@vpnc.org> wrote: Greetings. The draft can't make up its mind about SPKI pinning. In Section 3, it says that SPKI-pinset-based authentication "is out of scope", but then im

Re: [dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: strict privacy

2016-10-27 Thread Paul Hoffman
On 27 Oct 2016, at 6:45, Sara Dickinson wrote: On 23 Oct 2016, at 00:26, Paul Hoffman <paul.hoff...@vpnc.org> wrote: Greetings. The tone in Section 4 about strict privacy seems completely wrong to me. I recognize that there some users really want to be able to configure strict p

Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

2016-10-27 Thread Paul Hoffman
ncorrectly) that it has to only come from configuration or DHCP. Do you prefer acquired/determine/derive? No, because none of those sound like "gotten locally". --Paul Hoffman

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-13 Thread Paul Hoffman
n to the name server. The draft drifts towards that, but I don't think it is the right problem statement. Instead, we should be going towards "encrypt wherever possible, but don't limit yourself if you can't." --Paul Hoffman

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

2016-12-14 Thread Paul Hoffman
. DNScurve's method of having the key in a DNS label is "CGA-like DNS" to me. I happen to like it a lot. --Paul Hoffman

Re: [dns-privacy] I-D Action: draft-ietf-dprive-dtls-and-tls-profiles-10.txt

2017-07-06 Thread Paul Hoffman
The changes in -10 all seem fine, and I didn't find any that changed the meaning of what the WG approved earlier. --Paul Hoffman

Re: [dns-privacy] I-D Action: draft-ietf-dprive-padding-policy-01.txt

2017-07-06 Thread Paul Hoffman
these recommendations - I will subsequently update the draft based on the outcome of those discussions. The new wording seems fine to me. I know we'll get people complaining about how long the suggested defaults are, but they are just suggested defaults, not demands. --Paul Hoffman

Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-00.txt]

2017-04-27 Thread Paul Hoffman
discussed here: the first two bytes are *supposed* to be non-predictable. --Paul Hoffman

[dns-privacy] draft-hoffman-dns-over-https

2017-05-03 Thread Paul Hoffman
the draft is more about "foo over HTTP" (which is the purview of DISPATCH) than "DNS in private", even though the latter is assured by the protocol. --Paul Hoffman Name: draft-hoffman-dns-over-https Revision: 00 Title: DNS Queries over HTTPS Docume

Re: [dns-privacy] dprive (bar) BoF?

2017-11-06 Thread Paul Hoffman
the evening after the Plenary? That's probably the best evening and I suspect we can find later-night food after the call. --Paul Hoffman

Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

2017-10-30 Thread Paul Hoffman
o the third bullet *but not the second* is a very obscure corner case. Having this document say, in essence, "you don't get opportunistic encryption unless you add a DNSSEC validation stack" feels like a regression to the original goals of this WG. --Paul Hoffman

Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

2017-10-30 Thread Paul Hoffman
rder to feel that we offered the best security, requiring DNSSEC on the client is a good way to do that. I would still prefer more ubiquitous encryption. --Paul Hoffman

[dns-privacy] Still interested in recursive-to-authoritative

2018-05-16 Thread Paul Hoffman
While we wait for the charter update, I'd still like to find out who is interested in pursuing draft-bortzmeyer-dprive-resolver-to-auth. Personally, I think it is a good start on an important topic, but I don't hear others supporting it on the list... --Paul Hoffman

Re: [dns-privacy] IETF 102 Agenda topics

2018-06-11 Thread Paul Hoffman
Given the large number of responses to the thread about DNS-over-TLS for recursive-to-authoritative, I would hope that this topic would have a significant part of the meeting. The biggest open topic is authentication of the server. --Paul Hoffman

Re: [dns-privacy] IETF 102 Agenda topics

2018-06-11 Thread Paul Hoffman
on a thread about the draft, not a thread about the agenda topics. :-) --Paul Hoffman

Re: [dns-privacy] [Ext] Re: [Editorial Errata Reported] RFC7858 (5375)

2018-06-01 Thread Paul Hoffman
they changed it. Either way, it should be marked as Verified. --Paul Hoffman

Re: [dns-privacy] WG Last Call: draft-ietf-dprive-padding-policy-03.txt

2018-01-29 Thread Paul Hoffman
On 29 Jan 2018, at 7:49, Stephane Bortzmeyer wrote: > * I would prefer 4.1 "no padding" and 4.2 "fixed length padding" to be > moved to an appendix to emphasize they are mentioned just for > completeness, not for actual implementation. +1 to t

Re: [dns-privacy] Resolver to authoritative discussion guidance

2018-08-01 Thread Paul Hoffman
. --Paul Hoffman

Re: [dns-privacy] Recursive Resolver Operator Perspective

2018-07-25 Thread Paul Hoffman
On 25 Jul 2018, at 18:07, Paul Wouters wrote: On Jul 25, 2018, at 12:37, Paul Hoffman wrote: Some resolver operators have recently spoken of a new use case: giving assurance of results in unsigned zones, and assurance of child NS and glue records in signed zones. This use case

Re: [dns-privacy] User Perspective

2018-07-25 Thread Paul Hoffman
assurance of results in unsigned zones, and assurance of child NS and glue records in signed zones. This use case is not about privacy. --Paul Hoffman

Re: [dns-privacy] Recursive Resolver Operator Perspective

2018-07-25 Thread Paul Hoffman
resolver operators have recently spoken of a new use case: giving assurance of results in unsigned zones, and assurance of child NS and glue records in signed zones. This use case is not about privacy. --Paul Hoffman

Re: [dns-privacy] Call for Adoption: draft-dickinson-dprive-bcp-op

2018-07-18 Thread Paul Hoffman
Yes, please! --Paul Hoffman

Re: [dns-privacy] Potential re-charter text

2018-04-05 Thread Paul Hoffman
The new charter text seems fine, even if we don't actually do all four work items. --Paul Hoffman

Re: [dns-privacy] Maybe a new URI scheme dnss: ?

2018-04-12 Thread Paul Hoffman
with him on a proposal based on the discussion on the list. --Paul Hoffman

[dns-privacy] Maybe a new URI scheme dnss: ?

2018-04-12 Thread Paul Hoffman
uot;, akin to https: for "HTTP over TLS". Does anyone have any objection to me starting this work? Or has anyone already started it but not moved it forward in the process? --Paul Hoffman

Re: [dns-privacy] Maybe a new URI scheme dnss: ?

2018-04-17 Thread Paul Hoffman
. --Paul Hoffman

Re: [dns-privacy] Call for minute takers and Jabber scribes

2018-03-16 Thread Paul Hoffman
I can do minutes, as long as you like wordy and possibly TMI. --Paul Hoffman

Re: [dns-privacy] [Ext] Rough Agenda for IETF103

2018-10-22 Thread Paul Hoffman
aterials/agenda-103-dprive-00 Does this mean that there will be no discussion of draft-ietf-dprive-bcp-op? --Paul Hoffman

Re: [dns-privacy] [Ext] Rough Agenda for IETF103

2018-10-23 Thread Paul Hoffman
On Oct 23, 2018, at 7:06 AM, Brian Haberman wrote: > > Hi Paul, > > On 10/22/18 4:37 PM, Paul Hoffman wrote: >> On Oct 22, 2018, at 1:12 PM, Tim Wicinski wrote: >>> Here's a rough agenda for IETF103. We're going to follow through on the >>> discussio

Re: [dns-privacy] [Ext] Authoritative Server Operator Perspective

2018-10-09 Thread Paul Hoffman
want encrypted responses how to send them. --Paul Hoffman

Re: [dns-privacy] [Ext] Recursive Resolver Operator Perspective

2018-10-02 Thread Paul Hoffman
On Oct 2, 2018, at 3:12 AM, Tony Finch wrote: > > Paul Hoffman wrote: >> >> I do not have a scenario where the client (the resolver in this case) >> needs downgrade protection for privacy. > > In that case there's no need to worry about authentication at a

Re: [dns-privacy] [Ext] Recursive Resolver Operator Perspective

2018-10-02 Thread Paul Hoffman
On Oct 2, 2018, at 11:26 AM, Tony Finch wrote: > > Paul Hoffman wrote: >> On Oct 2, 2018, at 3:12 AM, Tony Finch wrote: >>> Paul Hoffman wrote: >>>> >>>> I do not have a scenario where the client (the resolver in this case) >>>> need

Re: [dns-privacy] [Ext] Recursive Resolver Operator Perspective

2018-10-01 Thread Paul Hoffman
On Oct 1, 2018, at 8:50 AM, Tony Finch wrote: > > Paul Hoffman wrote: >> >> During earlier discussions of opportunistic encryption in the IETF, >> attempted-but-not-required authentication was strongly preferred over >> "don't even attempt to authenti

Re: [dns-privacy] [Ext] Authoritative Server Operator Perspective

2018-10-10 Thread Paul Hoffman
> On Oct 10, 2018, at 2:55 AM, Tony Finch wrote: > > Paul Hoffman wrote: >> >> 1) An interoperable specification for how to encrypt messages >> 1a) If it is layer 4, it is likely to be TLS >> 1b) If it is layer 7, it is likely to be CMS >> >> 2)

Re: [dns-privacy] [Ext] Recursive Resolver Operator Perspective

2018-10-01 Thread Paul Hoffman
On Oct 1, 2018, at 10:49 AM, Tony Finch wrote: > > Paul Hoffman wrote: >> On Oct 1, 2018, at 8:50 AM, Tony Finch wrote: >>> >>> Paul Hoffman wrote: >>>> >>>> During earlier discussions of opportunistic encryption in the IETF, >&

Re: [dns-privacy] [Ext] Recursive Resolver Operator Perspective

2018-10-01 Thread Paul Hoffman
IETF, attempted-but-not-required authentication was strongly preferred over "don't even attempt to authenticate". --Paul Hoffman

Re: [dns-privacy] User Perspective

2018-09-25 Thread Paul Hoffman
traffic, and some resolver operators want to thwart that for the benefit of their customers. --Paul Hoffman

Re: [dns-privacy] Authenticating DoT nameservers for insecure delegations

2018-09-28 Thread Paul Hoffman
the web PKI, and trusting CAs for nameservers could be made a lot better than the current CABForum rules. --Paul Hoffman