internet-drafts | 22 Oct 22:58 2014

I-D Action: draft-ietf-dnsop-qname-minimisation-00.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations Working Group of the IETF.

        Title           : DNS query name minimisation to improve privacy
        Author          : Stephane Bortzmeyer
        Filename        : draft-ietf-dnsop-qname-minimisation-00.txt
        Pages           : 7
        Date            : 2014-10-22

Abstract:
   This document describes one of the techniques that could be used to
   improve DNS privacy (see [I-D.bortzmeyer-dnsop-dns-privacy]), a
   technique called "qname minimisation".

   Discussions of the document should take place on the DNSOP working
   group mailing list [dnsop].

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-qname-minimisation/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-dnsop-qname-minimisation-00

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


Bob Harold | 20 Oct 23:03 2014

Possible slower response with minimization

I support the idea of qname minimization, but I think there is a common case where it will cause additional DNS round trips, slowing the response and increasing the number of packets and queries the servers must handle.

Consider “www.host.group.department.example.com” where the company’s servers are authoritative for the zones:

example.com
department.example.com
group.department.example.com

Without minimization (typical today):

1. Query root for “www.host.group.department.example.com”, get list of “com” servers.
2. Query a com server for “www.host.group.department.example.com”, get list of “example.com” servers.
3. Query an example.com server for “www.host.group.department.example.com”, get answer.

With minimization:

1. Query root for “com”, get list of “com” servers.
2. Query a com server for “example.com”, get list of “example.com” servers.
3. Query an example.com server for “department.example.com”, get list of “department.example.com” servers (which happens to be the same as the list of “example.com” servers).
4. Query a “department.example.com” server (likely the same server as step 3) for “group.department.example.com”, get list of “group.department.example.com” servers.
5. Query a “group.department.example.com” server for “host.group.example.com”, get probably just an A and/or AAAA record, indicating there is no zone cut at that level.
6. Query a “group.department.example.com” server for “www.host.group.department.example.com”, get answer.

Note that it takes twice as many queries, and each depends on the previous, so it is twice as many round trips.

I realize that caching will reduce the extra queries in many cases, but can we estimate the impact of this somehow, to determine if it is significant?

-- 

Bob Harold

DNS hostmaster, University of Michigan

_______________________________________________
DNSOP mailing list
DNSOP <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
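As an added example (not part of Bob Harold's post or of the draft), the following Python simulation replays the two referral chains he describes against a constructed zone layout in which one server set, here called "corp-ns", is authoritative for all three nested zones. Each modelled server answers from the most specific zone it holds and refers only when a zone cut lies between that zone and the query name; the resolver then counts the dependent queries each strategy needs. Caching and error responses (NXDOMAIN) are deliberately not modelled, so the counts are the cold-cache worst case the post is concerned with. The names, server labels and helper functions are all assumptions of this example.

```python
"""Count the dependent round trips for one lookup with and without qname
minimisation.  Constructed zone layout: one corporate server set holds
example.com and the two zones nested below it, as in the post above."""

# Constructed: zone apex -> name of the server set authoritative for it.
ZONES = {
    ".": "root-ns",
    "com.": "com-ns",
    "example.com.": "corp-ns",
    "department.example.com.": "corp-ns",
    "group.department.example.com.": "corp-ns",
}


def ancestors(name):
    """All enclosing names of a fully qualified name, shortest first:
    'a.b.com.' -> ['.', 'com.', 'b.com.', 'a.b.com.']."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def serve(server, qname):
    """Model of an authoritative server answering one query.

    The server answers from the most specific zone it holds that encloses
    qname.  If a zone cut lies between that zone and qname it returns a
    referral to the child zone's servers; otherwise it answers itself.
    Returns (kind, zone, next_server)."""
    anc = ancestors(qname)
    held_idx = [i for i, z in enumerate(anc) if ZONES.get(z) == server]
    if not held_idx:
        raise ValueError(f"{server} is not authoritative for any zone enclosing {qname}")
    held = max(held_idx)
    for child in anc[held + 1:]:
        if child in ZONES:  # delegation below the zone we answered from
            return "referral", child, ZONES[child]
    return "answer", anc[held], server


def resolve_full(qname):
    """Classic RFC 1034 resolution: the full qname is sent at every step."""
    trace, server = [], ZONES["."]
    while True:
        kind, zone, nxt = serve(server, qname)
        trace.append((server, qname, kind))
        if kind == "answer":
            return trace
        server = nxt


def resolve_minimised(qname):
    """Qname minimisation: ask the closest known enclosing zone's server for
    the name one label longer than that zone; after a referral continue at
    the child's server, after a plain answer extend by one more label."""
    anc = ancestors(qname)
    trace, server, i = [], ZONES["."], 1
    while True:
        q = anc[i]
        kind, zone, nxt = serve(server, q)
        trace.append((server, q, kind))
        if kind == "answer" and q == qname:
            return trace
        if kind == "referral":
            server, i = nxt, anc.index(zone) + 1
        else:
            i += 1


def round_trips(qname):
    """(queries without minimisation, queries with minimisation); each query
    depends on the previous one, so this is also the number of round trips."""
    return len(resolve_full(qname)), len(resolve_minimised(qname))


if __name__ == "__main__":
    for name in ("www.host.group.department.example.com.", "www.example.com."):
        full, mini = round_trips(name)
        print(f"{name}: full={full} minimised={mini}")
        for step in resolve_minimised(name):
            print("   ", step)
```

For the name in the post the simulation reproduces the 3 versus 6 queries counted above; for a name such as "www.example.com.", where there is a zone cut at every label, both strategies need the same three queries, which is the case the draft is optimised for. The extra cost appears exactly where several labels sit inside one zone (or inside zones served by the same operator), which is the situation the post asks the group to quantify.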
Peter Koch | 20 Oct 20:37 2014

Re: Call for Adoption: draft-bortzmeyer-dns-qname-minimisation

On Tue, Oct 07, 2014 at 12:04:22AM -0400, Tim Wicinski wrote:

> Please review this draft to see if you think it is suitable for adoption 
> by DNSOP, and comments to the list, clearly stating your view.

I do not support accepting the draft (or the proposal it carries) as a work item.

Other than the author - and obviously others - I believe that the resolution
algorithm of RFC 1034 is pretty clear about the QNAME being sent in full
and that has been operational reality for 25+ years.  A whole system has
been successfully built around it with complex interdependencies.
'parent centric' and 'child centric' resolvers and query patterns
evolved along that algorithm.  The fact that certain services may have experimented
(successfully, to them) with the proposed algorithm already gives anecdotal
evidence at most, but no evidence for the absence of harm.

Making the zone cut, an otherwise arbitrary boundary, a central search
element, is another huge paradigm shift that I see "with great interest".
Please don't anyone tell me that's the case with DNSSEC already - the story
there is different.

Finally, QNAME minimization is providing little gain in the traditional
forward tree and already needs kludges in deeper, nested name spaces.

Comparing the (little) gain with the unclear risk, I'd rather see work and
energy devoted to a long term solution.

-Peter


Phillip Hallam-Baker | 20 Oct 20:32 2014

Re: Call for Adoption: draft-bortzmeyer-dns-qname-minimisation

On Tue, Oct 7, 2014 at 12:04 AM, Tim Wicinski <tjw.ietf <at> gmail.com> wrote:

> Dear DNSOP WG,
>
> After discussions about the landing spot of this document, DNSOP vs the newer DNS Privacy WG, it was realized the updated DNSOP charter specifically had work like this in mind.
>
> This starts a Call for Adoption for draft-bortzmeyer-dns-qname-minimisation.
>
> The draft is available here: https://datatracker.ietf.org/doc/draft-bortzmeyer-dns-qname-minimisation/
>
> Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.

yes

> Please also indicate if you are willing to contribute text, review, etc.

<nohats>
yes
</nohats>

> This call for adoption ends Monday 20-October-2014 at 23:59
Paul Hoffman | 18 Oct 02:15 2014

Bi-weekly reminder of the documents for the WG

Greetings again. This is a reminder that the documents that this WG is working on, and may or may not be
working on in the future, are listed at
  https://svn.tools.ietf.org/svn/wg/dnsop/doclist.html
It helps the WG chairs to know which documents have enough people willing to review them to move them
forwards. If you would like to volunteer to be a reviewer for any of the documents, please let me know so I can
list you.

In the past two weeks, a few additional people have volunteered to review some of the documents, and a *lot*
of people volunteered to review draft-bortzmeyer-dns-qname-minimisation. It would be grand if more
people would offer to review other documents as well. Also, the documents that are going to be part of the
new DPRIVE WG were removed from the list.

If you want to add a document to the list, contact the WG chairs.

--Paul Hoffman, secretary

Brian Dickson | 16 Oct 03:58 2014

Fwd: New Version Notification for draft-dickson-dnsop-spartacus-system-00.txt

Hi, 
This is the second of the pair of drafts submitted together for consideration.
(See the first post for the full description.)
Brian Dickson
---------- Forwarded message ----------
From: <internet-drafts <at> ietf.org>
Date: Wed, Oct 15, 2014 at 6:11 PM
Subject: New Version Notification for draft-dickson-dnsop-spartacus-system-00.txt
To: Brian Dickson <brian.peter.dickson <at> gmail.com>



A new version of I-D, draft-dickson-dnsop-spartacus-system-00.txt
has been successfully submitted by Brian Dickson and posted to the
IETF repository.

Name:           draft-dickson-dnsop-spartacus-system
Revision:       00
Title:          System to transport DNS over HTTP using JSON
Document date:  2014-10-15
Group:          Individual Submission
Pages:          34
URL:            http://www.ietf.org/internet-drafts/draft-dickson-dnsop-spartacus-system-00.txt
Status:         https://datatracker.ietf.org/doc/draft-dickson-dnsop-spartacus-system/
Htmlized:       http://tools.ietf.org/html/draft-dickson-dnsop-spartacus-system-00


Abstract:
   This is the SPARTACUS DNS gateway system.  It is designed to
   facilitate the transport of DNS messages opaquely, across problematic
   sections of the Internet.  It uses JSON encoding, and HTTP(S) as the
   protocol for transport.

   The main criteria of SPARTACUS is that it preserve DNS messages
   verbatim, and that only properly formatted DNS messages are passed.

   There are two modes (so far) defined: DNS forwarder (dns clients
   point to a local gateway, which forwards to a remote gateway for
   sending to a DNS resolver); and transparent proxy (DNS packets are
   intercepted, passed to a local gateway, which sends them to the
   remote gateway, with original destination IP address etc. encoded,
   and used by the remote gateway as the destination).

   DNS messages are NAT-friendly, so changes to IP or UDP headers do not
   impact them.  Thus, SPARTACUS does not interfere with TSIG, SIG(0),
   or Eastlake Cookies.

   This document describes the system, the components, and behavior,
   with examples.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


Brian Dickson | 16 Oct 03:49 2014

Fwd: New Version Notification for draft-dickson-dnsop-spartacus-lang-00.txt

Hi,

I have posted two new IDs, one for a DNS description language, the other for a DNS-JSON-DNS system,
designed to be operated either as a "bridge", or as a transparent proxy.

I'm hoping for some initial feedback, including whether either/both belong in DNSOP.

Thanks,
Brian Dickson
---------- Forwarded message ----------
From: <internet-drafts <at> ietf.org>
Date: Wed, Oct 15, 2014 at 6:10 PM
Subject: New Version Notification for draft-dickson-dnsop-spartacus-lang-00.txt
To: Brian Dickson <brian.peter.dickson <at> gmail.com>



A new version of I-D, draft-dickson-dnsop-spartacus-lang-00.txt
has been successfully submitted by Brian Dickson and posted to the
IETF repository.

Name:           draft-dickson-dnsop-spartacus-lang
Revision:       00
Title:          A Language to Describe the DNS Wire Format
Document date:  2014-10-15
Group:          Individual Submission
Pages:          23
URL:            http://www.ietf.org/internet-drafts/draft-dickson-dnsop-spartacus-lang-00.txt
Status:         https://datatracker.ietf.org/doc/draft-dickson-dnsop-spartacus-lang/
Htmlized:       http://tools.ietf.org/html/draft-dickson-dnsop-spartacus-lang-00


Abstract:
   As part of the SPARTACUS DNS gateway system, building a full DNS
   parser was necessary.  Parsing DNS packets is the only way to avoid
   propagating packets which are not correctly formatted DNS packets.

   In order to facilitate building a new parser from scratch, the author
   chose to build a parser-builder which takes as input, a description
   of the DNS wire format.

   This document describes the language created to facilitate this
   description, and includes the resulting DNS wire format description
   in this language.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


Lee Howard | 14 Oct 23:10 2014

draft-howard-dnsop-ip6rdns

We discussed this in Toronto, and there seemed to be a positive response
to the question, "Is this work we should undertake in
this WG?"

There were two pointers, to
http://tools.ietf.org/html/draft-andrews-dnsop-pd-reverse-02 and to the
Homenet naming work.

I'm editing to add those references; is there any other feedback before
the chairs do a formal call for adoption?

Thanks,
Lee


internet-drafts | 13 Oct 12:30 2014

I-D Action: draft-ietf-dnsop-dnssec-key-timing-06.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations Working Group of the IETF.

        Title           : DNSSEC Key Rollover Timing Considerations
        Authors         : Stephen Morris
                          Johan Ihren
                          John Dickinson
                          W. (Matthijs) Mekking
        Filename        : draft-ietf-dnsop-dnssec-key-timing-06.txt
        Pages           : 31
        Date            : 2014-10-13

Abstract:
   This document describes the issues surrounding the timing of events
   in the rolling of a key in a DNSSEC-secured zone.  It presents
   timelines for the key rollover and explicitly identifies the
   relationships between the various parameters affecting the process.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-06

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dnssec-key-timing-06

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


Donald Eastlake | 11 Oct 17:00 2014

Fwd: New Version Notification for draft-eastlake-dnsext-cookies-05.txt

Hi,

A new version of the DNS Cookies draft has been posted as below.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 <at> gmail.com

---------- Forwarded message ----------
From:  <internet-drafts <at> ietf.org>
Date: Sat, Oct 11, 2014 at 10:44 AM
Subject: New Version Notification for draft-eastlake-dnsext-cookies-05.txt
To: Mark Andrews <marka <at> isc.org>, "Donald E. Eastlake 3rd" <d3e3e3 <at> gmail.com>

A new version of I-D, draft-eastlake-dnsext-cookies-05.txt
has been successfully submitted by Donald E. Eastlake and posted to the
IETF repository.

Name:           draft-eastlake-dnsext-cookies
Revision:       05
Title:          Domain Name System (DNS) Cookies
Document date:  2014-10-11
Group:          dnsop
Pages:          27
URL:            http://www.ietf.org/internet-drafts/draft-eastlake-dnsext-cookies-05.txt
Status:         https://datatracker.ietf.org/doc/draft-eastlake-dnsext-cookies/
Htmlized:       http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-05
Diff:           http://www.ietf.org/rfcdiff?url2=draft-eastlake-dnsext-cookies-05

Abstract:
   DNS cookies are a lightweight DNS transaction security mechanism that
   provides limited protection to DNS servers and clients against a
   variety of increasingly common denial-of-service and amplification /
   forgery or cache poisoning attacks by off-path attackers. DNS Cookies
   are tolerant of NAT, NAT-PT, and anycast and can be incrementally
   deployed.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


internet-drafts | 11 Oct 16:44 2014

I-D Action: draft-eastlake-dnsext-cookies-05.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations Working Group of the IETF.

        Title           : Domain Name System (DNS) Cookies
        Authors         : Donald E. Eastlake
                          Mark Andrews
        Filename        : draft-eastlake-dnsext-cookies-05.txt
        Pages           : 27
        Date            : 2014-10-11

Abstract:
   DNS cookies are a lightweight DNS transaction security mechanism that
   provides limited protection to DNS servers and clients against a
   variety of increasingly common denial-of-service and amplification /
   forgery or cache poisoning attacks by off-path attackers. DNS Cookies
   are tolerant of NAT, NAT-PT, and anycast and can be incrementally
   deployed.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-eastlake-dnsext-cookies/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-05

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-eastlake-dnsext-cookies-05

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
