On Thu, Nov 28, 2013 at 11:10:39AM -0500,
Paul Wouters wrote
a message of 58 lines which said:
> Additionally, encrypting to authoritative servers seems to not make
> _that_ much sense to me. Remember, when I need to know
> www.nohats.ca, I already tell the .ca nameserver the entire QNAME
> be
: dnsop@ietf.org WG
Subject: Re: [DNSOP] confidentialdns draft
I think the draft is very unclear on this (DNSSEC) point -
at least I don't find this statement about the ENCRYPT RR being signed by
with the private key of example.com.
Anyway : a RRSIG RR holds the name of the domain that sign
I think the draft is very unclear on this (DNSSEC) point -
at least I don't find this statement about the ENCRYPT RR being signed by
with the private key of example.com.
Anyway : a RRSIG RR holds the name of the domain that signed in clear text.
Kind regards,
Marc
On Fri, Nov 29, 2013 at 10:40
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Marc,
In the draft it says to store the ENCRYPT RR in this case at
ns.example.com. It would then be signed with the ZSK DNSKEY for
example.com, with normal DNSSEC chain of trust.
But again, the authenticated operation is not the main aim of this
Hello,
(a reaction on second paragraph of 4. Authenticated Operation, only)
That paragraph states that the ENCRYPT RR can be signed by DNSSEC.
However, I don't think is possible !
A signature is the hash of DNS-data-sent, encrypted with the private key.
But in this case : private key of who ?
!!
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Paul,
So this is another solution, which I want out there in the solution
space because it is stateless. And there are many things to consider ...
Sending the qname as the zone name in plaintext is not a good idea.
For hop-by-hop encryption there
On Thu, 28 Nov 2013, Glen Wiley wrote:
Asking the LAN's resolver for a specific record (type ENCRYPT to QNAME
".") seems a bit dangerous. This is of course completely MITM-able, but
I see no real other way to trust something fundamentally untrustworthy. So
that's okay. But I fear too many of t
On Nov 28, 2013, at 11:10 AM, Paul Wouters wrote:
> On Thu, 28 Nov 2013, W.C.A. Wijngaards wrote:
>
>> I also heard that this is the place to discuss DNS privacy.
>
> This is a generic problem people keep mentioning. We need some new WG
> for DNS extensions that's not operations. i was told thi
On Thu, 28 Nov 2013, W.C.A. Wijngaards wrote:
I also heard that this is the place to discuss DNS privacy.
This is a generic problem people keep mentioning. We need some new WG
for DNS extensions that's not operations. i was told this was going to
be discussed at dnsops at ietf88 , but it did n
Resolution latency is only affected initially when the resolver must fetch the
confkey record, after that initial fetch (until TTL expires) there are no
additional packets introduced into the query/response exchange.
Zone file size is not an issue - adding a single key record to support
confide
Though bringing privacy protection to the DNS query and response, this method
may bring many other negative impacts on DNS system. The DNS resolution latency
will be increased due to fetching so-called ENCRYPT RR which makes the DNS zone
file bigger. Not onlay the DNS server but also the DNS cli
11 matches
Mail list logo
