Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-28 Thread Andrew Sullivan
On Fri, Apr 25, 2014 at 02:22:03PM +, Tirumaleswar Reddy (tireddy) wrote: > > Any specific reason for the firewalls to permit TCP/53 other than for zone > transfer ? "Because DNS uses TCP in lots of cases, and always has"? Anyone who is still configuring firewalls to deny TCP/53 as a matter

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-25 Thread Joe Abley
On 25 Apr 2014, at 11:14, Phillip Hallam-Baker wrote: > The existing DNS works as far as the people running their firewalls > are concerned. The failure of TCP fallback in practice has been an > understood problem for 20+ years. Understood, perhaps; measured and understood, not so much. What i

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-25 Thread Tirumaleswar Reddy (tireddy)
> -Original Message- > From: Ralf Weber [mailto:d...@fl1ger.de] > Sent: Thursday, April 24, 2014 7:22 PM > To: Tirumaleswar Reddy (tireddy) > Cc: Nicholas Weaver; Paul Wouters; dnsop; dns-priv...@ietf.org > Subject: Re: [dns-privacy] [DNSOP] DNS over DTLS (DNSoD) > > Moin! > > > On 24.04

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-25 Thread Phillip Hallam-Baker
On Fri, Apr 25, 2014 at 10:46 AM, Ralf Weber wrote: > Moin! > > On 25 Apr 2014, at 16:22, Tirumaleswar Reddy (tireddy) > wrote: >> Any specific reason for the firewalls to permit TCP/53 other than for zone >> transfer ? > Wat? Because it is defined in the RFC. RFC1035 may not have been totally clear

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-25 Thread Ralf Weber
Moin! On 25 Apr 2014, at 16:22, Tirumaleswar Reddy (tireddy) wrote: > Any specific reason for the firewalls to permit TCP/53 other than for zone > transfer ? Wat? Because it is defined in the RFC. RFC1035 may not have been totally clear on that. IMHO the language is strong enough, but if not there

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-25 Thread Tony Finch
Tirumaleswar Reddy (tireddy) wrote: > > Any specific reason for the firewalls to permit TCP/53 other than for zone > transfer ? RFC 5966 Tony. -- f.anthony.n.finch http://dotat.at/ South Utsire, Northeast Forties: Easterly 4 or 5, increasing 6 or 7. Slight or moderate. Fair. Good.

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Mark Andrews
If you want a response "QR" needs to be zero. Note the "*" which indicates the packet is a response (QR=1). In message <995cf19c-6e1e-4282-bea1-9991214e6...@vpnc.org>, Paul Hoffman writes: > On Apr 23, 2014, at 11:11 PM, Stephane Bortzmeyer wrote: > > > On Wed, Apr 23, 2014 at 09:16:29AM -0700

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread John Heidemann
On Thu, 24 Apr 2014 11:32:12 -0400, Phillip Hallam-Baker wrote: >... > >For me the idea of putting TLS traffic over the same port as non TLS >traffic without careful attention to how the upgrade is achieved would >be 'butchering the protocol'. Changing the port number to one that is >known to work

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread John Levine
>Thanks, this is the kind of data I was looking for. The draft seems to assume >that the server will give an error, not no response. I'd think no response would be pretty much mandatory these days to avoid being a DDoS reflector. This is also consistent with rants I've seen about EDNS0, in wh

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Tirumaleswar Reddy (tireddy)
> -Original Message- > From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Nicholas > Weaver > Sent: Thursday, April 24, 2014 1:58 AM > To: Paul Wouters > Cc: dnsop; Nicholas Weaver; dns-priv...@ietf.org > Subject: Re: [dns-privacy] [DNSOP] DNS over DTLS (DNSoD) > > > On

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Tirumaleswar Reddy (tireddy)
> -Original Message- > From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Paul > Hoffman > Sent: Thursday, April 24, 2014 7:49 PM > To: Stephane Bortzmeyer > Cc: dns-priv...@ietf.org; dnsop; Dan Wing (dwing) > Subject: Re: [dns-privacy] DNS over DTLS (DNSoD) > > On Apr 23

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Paul Hoffman
On Apr 24, 2014, at 8:39 AM, Tirumaleswar Reddy (tireddy) wrote: > No, the draft states that the DNS server will send no response. Please refer > to section 5 of the draft > http://tools.ietf.org/html/draft-wing-dnsop-dnsodtls-00#section-5 > > > > After performing the above steps, the ho

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Phillip Hallam-Baker
On Thu, Apr 24, 2014 at 11:19 AM, Joe Abley wrote: > > On 24 Apr 2014, at 10:53, Phillip Hallam-Baker wrote: > >> If you want to use TLS with DNS then use port 443. One of the effects >> of firewalls is that we now only have three ports for all protocols: >> >> Port 80/UDP: Non SSL traffic >> Por

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Joe Abley
On 24 Apr 2014, at 10:53, Phillip Hallam-Baker wrote: > If you want to use TLS with DNS then use port 443. One of the effects > of firewalls is that we now only have three ports for all protocols: > > Port 80/UDP: Non SSL traffic > Port 443/TCP: SSL traffic > Port 53/UDP: DNS I think it's impo

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Phillip Hallam-Baker
On Thu, Apr 24, 2014 at 9:52 AM, Ralf Weber wrote: > Moin! > > > On 24.04.2014, at 15:28, "Tirumaleswar Reddy (tireddy)" > wrote: > >>> -Original Message- >>> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of >>> Nicholas >>> Weaver >>> Sent: Thursday, April 24, 2014

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Paul Hoffman
On Apr 23, 2014, at 11:11 PM, Stephane Bortzmeyer wrote: > On Wed, Apr 23, 2014 at 09:16:29AM -0700, > Paul Hoffman wrote > a message of 39 lines which said: > >> Sure. What were the results of your testing? > > I quickly tested with .FR authoritative name servers and both NSD and > BIND seem

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-24 Thread Ralf Weber
Moin! On 24.04.2014, at 15:28, "Tirumaleswar Reddy (tireddy)" wrote: >> -Original Message- >> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Nicholas >> Weaver >> Sent: Thursday, April 24, 2014 1:58 AM >> To: Paul Wouters >> Cc: dnsop; Nicholas Weaver; dns-priv...

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-23 Thread Mark Andrews
In message , Paul Wouters writes: > On Wed, 23 Apr 2014, Nicholas Weaver wrote: > > > On Apr 23, 2014, at 1:00 PM, Paul Wouters wrote: > >> No, I fully disagree with this. Port 53 TCP has a much better chance at > >> working these days than a random other newly assigned port. > > > > Not true.

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-23 Thread Paul Wouters
On Wed, 23 Apr 2014, Nicholas Weaver wrote: On Apr 23, 2014, at 1:00 PM, Paul Wouters wrote: No, I fully disagree with this. Port 53 TCP has a much better chance at working these days than a random other newly assigned port. Not true. Port 53 is far more molested than "random": INBOUND fir

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-23 Thread Phillip Hallam-Baker
On Wed, Apr 23, 2014 at 7:11 PM, Joe Abley wrote: > > On 23 Apr 2014, at 18:32, Phillip Hallam-Baker wrote: > >> We can't run over port 53 (trust me, I tried). > > You have doubts about the approach described in > draft-hzhwm-start-tls-for-dns-00? Those would be interesting to hear; I find > th

Re: [DNSOP] [dns-privacy] DNS over DTLS (DNSoD)

2014-04-23 Thread Joe Abley
On 23 Apr 2014, at 18:32, Phillip Hallam-Baker wrote: > We can't run over port 53 (trust me, I tried). You have doubts about the approach described in draft-hzhwm-start-tls-for-dns-00? Those would be interesting to hear; I find that draft (and the accompanying t-dns technical report) to be qu