On , Phillip Hallam-Baker wrote:
On Wed, Feb 18, 2015 at 3:26 PM, Hosnieh Rafiee <[email protected]>
wrote:
Does it mean that you want to only go with solution to change DNS
protocol?
You don't want to put any other solution on the agenda which doesn't
change the DNS protocol much, such as cga-tsige. There might be more examples.
Best,
Hosnieh
I am not proposing to change the DNS protocol. What I am proposing is
to change the DNS protocol Session layer while keeping the DNS
protocol the same. The VeriSign proposal is essentially the same.
I know people don't like thinking of things in terms of the ISO stack
model (because that particular model is rubbish). But thinking of the
problem in terms of a stack is still really useful.
A DNS client cannot have an encrypted conversation with a DNS server
unless both the client and server understand the encryption protocol
and know the key. So there is going to have to be a code change at
both sides. The question is what that change should look like.
Despite the name 'TLS', TLS actually works above the TCP layer so it
isn't transport. It is something in between. The Internet does not
follow the ISO stack model but it does have layers between ISO layers
4 and 7.
What changes at each layer is not just the data format, the
identifiers change as well. An Application connects to the Internet
through a DNS name. The connection to the transport layer is an IP
address and port number.
Hi Phillip,
Thanks for the explanation. I haven't reviewed the recent version of
your draft and perhaps I have a wrong impression about this draft. I
think I will receive the answer to some questions, such as "how do the DNS
server and client start negotiating the security parameters such as
key, algorithm, etc. at the beginning of establishing this secure
channel, so called TLS? Do all DNS servers need to have a CA so that
the client doesn't need any pre-config? Or DANE?", later after a deep
review.
Here is the problem: DNS is not just an information service built on
top of the Internet stack, it is an information service that is being
used in layers 5 and 6. It is certainly being used to map DNS host
names to IP addresses and I would like to see it being used to map DNS
Service (SRV) names to host names.
So the design of any revised DNS client-resolver protocol has to dance
round the bootstrap problem.
I hope that on the operational side it is also easy. If one needs almost no
changes on clients and servers, and only the implementation and
installation of such a protocol solves all the problems, then it is the
ideal solution; but if one needs to think about middleboxes and change
their configuration (one by one) to provide such a service, then it
is likely not to be easy.
Thanks,
Best,
Hosnieh
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy