DNSE IETF 89
Chair: Brian Haberman
Scribe: Dan York
Minutes: Tim Wicinski
Raw minutes: http://etherpad.tools.ietf.org:9000/p/notes-ietf-89-dnse?useMonospaceFont=true&showChat=false

* Goals
  - DNSOP problem statement not under discussion
  - Determine interest level of DNS operators and implementers
  - Discuss the general problem of DNS information confidentiality

* Introduction of the problem statement (Peter Koch)
  - draft-bortzmeyer-dnsop-dns-privacy
  - draft-koch-perpass-dns-confidentiality
  - General points:
    > DNS traffic is revealing
    > A sniffing third party can learn what you're doing
    > Two cases:
      > Client machine <-> full resolver
      > Resolver <-> authoritative name server
    > Other issues:
      > Monitoring and statistics

* Using existing IETF protocols like IPsec or DTLS? (Eric Rescorla)
  - Assumptions:
    > DNS for auth servers
    > Client is anonymous
  - Possible issues:
    > IPsec on a separate port
    > UDP being blocked
    > Middleboxes may block ESP
    > DNS uses anycast, which could cause session issues
  - Handshake latency:
    > 1-2 RTT
    > TLS 1.3 working on 1 RTT
  - Final thoughts:
    > IPsec probably won't work
    > DTLS might work
  - Questions raised:
    > Two problems: between client and resolver; and client and old servers
    > Requirement for forward secrecy; negotiate mechanisms
    > Difference between anonymity and secrecy
    > DTLS wrapped in the message: do we need an RFC, or can we just wrap?
    > Two problems should have two solutions
    > Traffic analysis on servers queried and size of queries (maybe not)
    > How do you get your key to the right place?
    > How does a server know where in the chain it is?

* Develop a new protocol? (Stéphane Bortzmeyer)
  - draft-bortzmeyer-dnsop-privacy-sol
  - DTLS? RFC 6347
    > Pro: TLS, UDP DNS, WebRTC, OpenSSL
    > Cons: prior association, scalability?
  - DNScrypt/DNScurve
    > DNScurve protects resolver <-> auth server; key in delegation
    > DNScrypt protects stub <-> resolver; manual key
    > Developed, but small deployment, no IETF change control
  - Issues raised:
    > DNScurve is a hardcoded VPN
    > No full comparison between existing solutions
    > DNScrypt doesn't work in countries
    > Key setup

* New proposals (Wijngaards, Wessels)
  - draft-wijngaards-dnsop-confidentialdns
  - draft-hzhwm-start-tls-for-dns

* Open discussion
  - Statistics at various points on number of queries is needed
  - Need requirements
  - Deployment concerns if a new protocol is developed
  - Wide interest in investigating issues
  - Need DNSOP input on problem statement and requirements
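The problem-statement point that DNS traffic is revealing, made concrete as an added example (not part of these minutes or of any draft discussed): a minimal RFC 1035 query encoder and decoder run over a constructed stub-to-resolver query, showing that an on-path observer of unencrypted DNS over UDP reads the QNAME and QTYPE directly off the wire. The domain name and transaction id below are constructed values.

```python
import struct

# Constructed sample: the exact bytes a passive observer sees for a plaintext
# stub -> resolver query on UDP/53 (the "client machine <-> full resolver" case).
QTYPES = {1: "A", 28: "AAAA", 15: "MX", 16: "TXT"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header plus one question (RFC 1035)."""
    # Flags 0x0100 = RD (recursion desired); QDCOUNT=1, AN/NS/AR counts = 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_query(pkt: bytes) -> dict:
    """Decode header and question from raw bytes; nothing here is encrypted."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:  # root label terminates the name
            break
        if n & 0xC0:  # compression pointer (RFC 1035 4.1.4); not used in queries
            raise ValueError("compression pointer not handled in question name")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"id": txid, "rd": bool(flags & 0x0100),
            "qname": ".".join(labels) + ".",
            "qtype": QTYPES.get(qtype, str(qtype)), "qclass": qclass}


if __name__ == "__main__":
    pkt = build_query("mail.example.com", 15)  # constructed MX lookup
    print(pkt.hex())
    print(parse_query(pkt))  # an observer recovers qname and qtype from these bytes
```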