[ Top post ]
What do others think here -- do we want to decide on the discovery and
binding problem first, or do we think that we should choose a document
and start working on that (and possibly add in discovery / binding
later)?
I'd personally like to start working on a document - I think it hel
Warren,
I think that any/all of the documents can add issues and address the two points
that Phillip raised, so I agree with your
no-hats statement and I support the starting of a call for adoption, rather
than discussing the points (and others) in vacuo.
FYI - we are about to update the dns-o
On Thu 2015-04-09 10:36:17 -0400, Phillip Hallam-Baker wrote:
> As I see it, there are two sub-problems:
>
> 1) How does a client discover and establish a binding to a DPRIV service?
> 2) What transport/sessions(s) are supported for queries?
>
> Before answering either, I think it is pretty clear t
On Mon, 13 Apr 2015, Daniel Kahn Gillmor wrote:
i think most people consider DHCP configuration to be at best minimally
useful for DPRIVE -- it leaves you vulnerable at network connection
time, but then protects you against subsequent attacks. *shrug*
If you have an attacker on the last mile,
Hi Paul,
I'm not sure if your point was meant to relate only to DHCP
setting the DNS server IP, but if not then I have a question...
On 13/04/15 21:21, Paul Wouters wrote:
> If you have an attacker on the last mile, there is nothing you can do.
> Passive only protection against the last mile is
On Mon, 13 Apr 2015, Stephen Farrell wrote:
I'm not sure if your point was meant to relate only to DHCP
setting the DNS server IP, but if not then I have a question...
Nope.
On 13/04/15 21:21, Paul Wouters wrote:
If you have an attacker on the last mile, there is nothing you can do.
Passive
Hi,
Just for information, what are the technical reasons IPsec has not been
considered at all for providing DNS privacy.
The use of IPsec could re-use existing extensions like NAT traversal,
compatibility with UDP/TCP, resilience to change of IP addresses... and
this without creating new extensio
On Mon, 13 Apr 2015, Daniel Migault wrote:
Just for information, what are the technical reasons IPsec has not been
considered at all for providing DNS privacy.
People can already use an IPsec VPN and a remote DNS server without
anything new from IETF?
I think additionally, IPsec has a higher
On Mon, Apr 13, 2015 at 4:13 PM, Daniel Kahn Gillmor
wrote:
> On Thu 2015-04-09 10:36:17 -0400, Phillip Hallam-Baker wrote:
>> As I see it, there are two sub-problems:
>>
>> 1) How does a client discover and establish a binding to a DPRIV service?
>> 2) What transport/sessions(s) are supported for
Hi Paul,
Thanks for the response. I am just initiating a new thread to avoid mixing
conversations.
On Mon, Apr 13, 2015 at 5:44 PM, Paul Wouters wrote:
> On Mon, 13 Apr 2015, Daniel Migault wrote:
>
> Just for information, what are the technical reasons IPsec has not been
>> considered at all
On Mon, 13 Apr 2015, Daniel Migault wrote:
Just for information, what are the technical reasons IPsec has not
been considered at all for providing DNS
privacy.
People can already use an IPsec VPN and a remote DNS server without
anything new from IETF?
I do
On Tue, 14 Apr 2015, Stephen Farrell wrote:
I wonder if the last mile concept is what we really want.
Hmm, you are right. I guess we use "last mile" as a short hand.
The two situations really are:
1) a remote DNS server for which we have a public key and can
authenticate and encrypt with.
2)
Hi, all,
Then why not consider the DHCP?
DHCP can support client authentication and can be used to configure the RS key
on the authenticated client.
Do you think this will help?
Zhiwei Yan
2015-04-14
Zhiwei Yan
From: Daniel Migault
Sent: 2015-04-14 07:20:47
To: Paul Wouters
Cc: dns-pr
On Tue, 14 Apr 2015, Zhiwei Yan wrote:
Hi, all,
Then why not consider the DHCP?
DHCP can support client authentication and can be used to configure the RS key
on the authenticated client.
Do you think this will help?
How do you know the DHCP server is not a rogue attacker?
How does the syste
RFC 3118 provides a scheme for this issue:
http://www.rfc-base.org/txt/rfc-3118.txt
2015-04-14
Zhiwei Yan
From: Paul Wouters
Sent: 2015-04-14 11:04:58
To: Zhiwei Yan
Cc: dns-privacy
Subject: Re: [dns-privacy] Considering DHCP
On Tue, 14 Apr 2015, Zhiwei Yan wrote:
> Hi, all,
> Then w
On 4/13/15 8:02 PM, Zhiwei Yan wrote:
> RFC 3118 provides a scheme for this issue:
> http://www.rfc-base.org/txt/rfc-3118.txt
Authentication addresses the "who are you" question (sort
of) but not the "Can I trust you?" one. If you're sitting
in an airport terminal and someone offers you an IP add
[ rearranging for chronological sanity ]
On Tue 2015-04-14 00:02:24 -0400, Zhiwei Yan wrote:
> [ Paul Wouters wrote: ]
>> On Tue, 14 Apr 2015, Zhiwei Yan wrote:
>>> Then why not consider the DHCP?
>>> DHCP can support client authentication and can be used to configure the RS
>>> key on the authen