Re: [DNSOP] confidentialdns draft

2013-12-03 Thread Stephane Bortzmeyer
On Thu, Nov 28, 2013 at 11:10:39AM -0500, Paul Wouters wrote a message of 58 lines which said: > Additionally, encrypting to authoritative servers seems to not make > _that_ much sense to me. Remember, when I need to know > www.nohats.ca, I already tell the .ca nameserver the entire QNAME > be

Re: [DNSOP] confidentialdns draft

2013-11-29 Thread Guangqing Deng
: dnsop@ietf.org WG Subject: Re: [DNSOP] confidentialdns draft I think the draft is very unclear on this (DNSSEC) point - at least I don't find this statement about the ENCRYPT RR being signed with the private key of example.com. Anyway: a RRSIG RR holds the name of the domain that sign

Re: [DNSOP] confidentialdns draft

2013-11-29 Thread Marc Lampo
I think the draft is very unclear on this (DNSSEC) point - at least I don't find this statement about the ENCRYPT RR being signed with the private key of example.com. Anyway: a RRSIG RR holds the name of the domain that signed in clear text. Kind regards, Marc On Fri, Nov 29, 2013 at 10:40

Re: [DNSOP] confidentialdns draft

2013-11-29 Thread W.C.A. Wijngaards
Hi Marc, In the draft it says to store the ENCRYPT RR in this case at ns.example.com. It would then be signed with the ZSK DNSKEY for example.com, with the normal DNSSEC chain of trust. But again, the authenticated operation is not the main aim of this

Re: [DNSOP] confidentialdns draft

2013-11-29 Thread Marc Lampo
Hello, (a reaction on the second paragraph of 4. Authenticated Operation only) That paragraph states that the ENCRYPT RR can be signed by DNSSEC. However, I don't think it is possible! A signature is the hash of DNS-data-sent, encrypted with the private key. But in this case: private key of whom?!!

Re: [DNSOP] confidentialdns draft

2013-11-29 Thread W.C.A. Wijngaards
Hi Paul, So this is another solution, which I want out there in the solution space because it is stateless. And there are many things to consider ... Sending the qname as the zone name in plaintext is not a good idea. For hop-by-hop encryption there

Re: [DNSOP] confidentialdns draft

2013-11-28 Thread Paul Wouters
On Thu, 28 Nov 2013, Glen Wiley wrote: Asking the LAN's resolver for a specific record (type ENCRYPT to QNAME ".") seems a bit dangerous. This is of course completely MITM-able, but I see no real other way to trust something fundamentally untrustworthy. So that's okay. But I fear too many of t

Re: [DNSOP] confidentialdns draft

2013-11-28 Thread Glen Wiley
On Nov 28, 2013, at 11:10 AM, Paul Wouters wrote: > On Thu, 28 Nov 2013, W.C.A. Wijngaards wrote: > >> I also heard that this is the place to discuss DNS privacy. > > This is a generic problem people keep mentioning. We need some new WG > for DNS extensions that's not operations. I was told thi

Re: [DNSOP] confidentialdns draft

2013-11-28 Thread Paul Wouters
On Thu, 28 Nov 2013, W.C.A. Wijngaards wrote: I also heard that this is the place to discuss DNS privacy. This is a generic problem people keep mentioning. We need some new WG for DNS extensions that's not operations. I was told this was going to be discussed at dnsops at ietf88, but it did n

Re: [DNSOP] confidentialdns draft

2013-11-28 Thread Glen Wiley
ill happen if this > method is chosen. > > Guangqing Deng > CNNIC > > From: W.C.A. Wijngaards > Date: 2013-11-28 21:25 > To: dnsop > Subject: [DNSOP] confidentialdns draft > > Hi, > > I also heard

Re: [DNSOP] confidentialdns draft

2013-11-28 Thread Guangqing Deng
client have to support encryption algorithms, which is not a good thing for the DNS system. Maybe more consideration is needed to figure out what will happen if this method is chosen. Guangqing Deng CNNIC From: W.C.A. Wijngaards Date: 2013-11-28 21:25 To: dnsop Subject: [DNSOP] confidentialdns

[DNSOP] confidentialdns draft

2013-11-28 Thread W.C.A. Wijngaards
Hi, I also heard that this is the place to discuss DNS privacy. This draft is a protocol, and represents an (interesting) point in the solution space. I would refer to Bortzmeyer's draft and Koch's draft for problem space analysis. http://tools.ietf