
[dnsext] No spec for DNSCurve


Paul Hoffman

Oct 9, 2008, 9:54:44 AM
At 9:58 PM -0700 10/8/08, Matthew Dempsky wrote:
>To be more explicit, DNSCurve has no handshake step for a sniffing
>attacker to interrupt.

How do you know that? DNSCurve is essentially unspecified. We really should wait for Dan (or someone) to write a stable document that says what DNSCurve really means before we make such bold statements.

I am far from convinced that, when we see the working protocol, that the above statement will necessarily be true. I would be happy to be wrong.

--Paul Hoffman, Director
--VPN Consortium

--
to unsubscribe send a message to namedroppe...@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Paul Hoffman

Oct 9, 2008, 2:32:56 PM
At 11:02 AM -0700 10/9/08, Matthew Dempsky wrote:
>http://dnscurve.org/impl.html has an outline of DNSCurve for
>implementers, and the main ideas have not changed.

That page is *significantly* different than it was a few weeks ago. It is much more complete, which is good, but it is obviously not stable.

Your idea of "main ideas" may be different than other people's ideas. That's part of the protocol development process.

It sounds like you are quite interested in this protocol. Could you take the time to instantiate some current version of the protocol into an Internet Draft? That would *really* help this discussion.

Edward Lewis

Oct 9, 2008, 3:07:02 PM
At 11:32 -0700 10/9/08, Paul Hoffman wrote:

>It sounds like you are quite interested in this protocol. Could you take
>the time to instantiate some current version of the protocol into an
>Internet Draft? That would *really* help this discussion.

Why does it have to be an Internet Draft? The author of the
mechanism hasn't asked for IETF review nor RFC Editor for
publication. If the DNSEXT WG wants to discuss someone else's work,
the onus is on the group, not the other person.

(Yes, I am just causing trouble here. But historically we have
recognized a non-IETF document in the definition of the protocol, so
there's precedent. See the ATMA resource record definition.)

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

Never confuse activity with progress. Activity pays more.

Edward Lewis

Oct 9, 2008, 4:12:42 PM
At 15:47 -0400 10/9/08, Andrew Sullivan wrote:

>But if we want to discuss how the protocol is going to be defined, and
>work out its details, we either need to let that happen outside this
>working group (which means on some other list, please) or else do the
>development inside the IETF according to IETF conventions. The IETF
>has enough problems with procedure without this working group
>inventing new, ad hoc mechanisms for protocol document review.

The crux of the matter is, to chop up your words, "if we want to ...
work out its details." I don't think that is a decision that is up
to us. We may want to work out its details but it isn't ours to play
with.

I think that we can consider the work when trying to decide our own
agenda. In that context, discussing it here is germane even without
it existing in an IETF approved format. It is not up to us to demand
that it be brought here.

We aren't reviewing the work. No one has asked the IETF for a
review. But that doesn't mean we can't discuss it. I don't want to
get into a fuss over us trying to "copy" the work into the group.
Whether or not there are intellectual property concerns (but as I am
not a lawyer, eeeek, I'm not going to guess).

For those that haven't been around this group for a long time, the
author of this work, Dan Bernstein, has had a strained relationship
with the IETF. Rightly or wrongly, it doesn't matter. Given history
I suspect it is unlikely that he would submit his work for IETF
review. That doesn't mean we should therefore ignore it. We can
form group opinions of the work, but we have no change control over
it - it is not our work.

(And, yes, I am still just causing trouble here.)

My point is that we have something to talk over now. The web page
description has the details needed. It's not an ID, but, then again,
how well written is RFC 1034/1035? ;) There's no change control
there? So what, we aren't approving or rubber stamping anything, we
are just examining the engineering in it.

Edward Lewis

Oct 9, 2008, 8:06:19 PM
At 17:21 -0400 10/9/08, Andrew Sullivan wrote:

>I don't see what there is to discuss _in this working group_.

I guess the (and this is probably too far from real work to care
about) question is - is the mailing list only open to WG agenda
items. Namedroppers preceded DNSEXT and probably will live on after
the WG is closed.

Maybe there isn't any more to be said. But as someone interested in
the development of the DNS protocol it is helpful to know about all
of the tricks of the trade being employed in the off chance they
might roll into the mainstream protocol.

There are many ways in which DNS is operated that have shaped the
protocol. There are significant elements of the de jure protocol
that have never come into the IETF for (complete) review. (Split DNS
for one.) There are folks that take for granted that "views" are an
essential part of the protocol, not simply a feature started in one
implementation (and possibly copied to others - I only assume).

I'm cranky when I see "please don't talk about that here" talk
because that is shutting out what made the IETF interesting, you
know, the hundred flowers and all (yeah, 1000 flowers, but the
origin[0] was 100). If you think a topic is boring, ignore it - I
admit I ignore a lot of things on namedroppers (in the sense of "I've
heard all that before - but not everyone else has - the curse of long
term subscribing I guess").

It's interesting to see DNSCurve, especially a fairly detailed
specification of it[1]. The author has been ahead of the curve (no
pun intended) before. Not that I think that DNSCurve is going to
save the day or stave off DNSSEC at this point but nevertheless it's
something. And not that I always agree with the author's
engineering. (E.g., truncating messages mid RR, not answering lame
questions at all, tsk, tsk.) Still it's input to the process of
engineering a better protocol. Maybe not this protocol but perhaps
someday when DNS 2.0 is produced.

Slap, finger snap, wake up --- sorry - I got into some of Bill's meds again.

Demanding an IETF formatted document from people not participating in
the IETF just because some folks wanted to talk about it on a mailing
list run by the IETF shows a lot of
http://en.wikipedia.org/wiki/Chutzpa. I want to keep this group
relevant to the protocol and how it is used, not see it creep off
into an ivory tower of protocol purity. Gotta be "keeping it real."

[0] http://en.wikipedia.org/wiki/Hundred_Flowers_Campaign
[1] http://dnscurve.org/impl.html

Stephane Bortzmeyer

Oct 10, 2008, 6:03:11 AM
On Thu, Oct 09, 2008 at 08:06:19PM -0400,
Edward Lewis <Ed.L...@neustar.biz> wrote
a message of 61 lines which said:

> Demanding an IETF formatted document from people not participating
> in the IETF just because some folks wanted to talk about it on a
> mailing list run by the IETF shows a lot of
> http://en.wikipedia.org/wiki/Chutzpa. I want to keep this group
> relevant to the protocol and how it is used, not see it creep off
> into an ivory tower of protocol purity. Gotta be "keeping it real."

I mostly agree with Ed Lewis here but, if the chairs insist we should
not discuss a protocol which is not an IETF protocol, what are the
other solutions? I am not aware of a mailing list dedicated to the
evolutions of the DNS besides namedroppers. Should someone create a
"dns-f...@example.net"?

Paul Hoffman

Oct 10, 2008, 12:06:11 PM
At 7:52 AM -0700 10/10/08, Nicholas Weaver wrote:
>I dare say DNSCurve was already done-to-death in previous threads, as understanding the systemic advantages and disadvantages didn't need much of a specification anyway.

We fully disagree here. Looking at the diffs in just the last month on the web site, and talking with Dan off-list, I see low-level ideas that were far from clear in earlier versions of the web site.

>Also, really, DNSCurve has nothing to do really with DNS except it uses DNS as a key distribution mechanism. It's really a datagram-based transport-layer security in the same category as DTLS, but with a single RTT handshake and using a particular elliptic curve.

DTLS for long-term key distribution is different than DTLS for protecting a single query-and-response.

DTLS with a PKIX hierarchy is different than DTLS with an alternate trust model.

And so on.

I think it is unwise to say "we can predict what will be said in the first draft of the protocol", much less what might come out of a group with diverse interests working on that protocol.

--Paul Hoffman, Director
--VPN Consortium


Paul Hoffman

Oct 10, 2008, 11:58:55 AM
At 3:07 PM -0400 10/9/08, Edward Lewis wrote:
>At 11:32 -0700 10/9/08, Paul Hoffman wrote:
>
>>It sounds like you are quite interested in this protocol. Could you take
>>the time to instantiate some current version of the protocol into an
>>Internet Draft? That would *really* help this discussion.
>
>Why does it have to be an Internet Draft?

It doesn't; I proposed that as the simplest method for the group to have a stable document to look at. If the authors want to do something more difficult to get a stable document for us to look at, that's probably fine too.

>The author of the mechanism hasn't asked for IETF review nor RFC Editor for publication.

But others have. Note that I did not say Dan Bernstein had to write the draft; I proposed it to others who wanted to discuss the protocol in the IETF.

>If the DNSEXT WG wants to discuss someone else's work, the onus is on the group, not the other person.

How can we tell if we want to discuss some work if we don't know what the work is? As I said in my earlier message, Dan has changed (improved, in my opinion) DNScurve since it was introduced.
