The #DNS over #TLS authentication profiles draft has seen some modifications after examination by the #IESG. It needs some review (IMHO, it is done and should be published). #IETF99
Alex Mayrhofer on the #DNS padding policy (to improve #privacy when encrypting with #TLS, which does not hide message sizes). Draft near completion. #IETF99

The proposed padding policy comes from the excellent measurements done by Daniel Kahn Gillmor and presented at the #NDSS17 conference this year. We have facts to back the proposed policy ("pad to the next multiple of 128 bytes").

#DNS #IETF99

128 bytes on the query side; it will be larger on the response side. #precision #DNS #IETF99
"It would be interesting to hear opinions from the attacking side. Anyone in the room working for a spy agency?" #DNS #padding #IETF99
@bortzmeyer Does it include Google or ISPs? 😬
@Shaft #DNS encryption is not a problem for Google, they are the end point :-(

Christian Huitema on stage about #DNS over #QUIC (draft, not adopted, not implemented). QUIC includes #TLS.

"First, a show of hands, who knows about QUIC?"

#DNS #privacy #IETF99

@bortzmeyer And many people raised their hands! (Good to see)
@danyork I wonder if they know QUIC in depth (having implemented and/or used it) or just a theoretical view (having read the draft). #IETF99
@bortzmeyer Haha, as if he were still alive, Huitema. What a big liar.
Daniel Kahn Gillmor on demultiplexing #HTTPS and #DNS when they share the same #TLS port. It's implemented, yes, see https://dns.cmrg.net/ (it is actually a DNS public resolver). #privacy #IETF99
So you can have a #TLS server where an external adversary cannot tell if it provides #HTTPS or #DNS. (Does not work with #ALPN, though.) #privacy #IETF99
This was the hack of the day, long discussion at #IETF99. #DNS #TLS #HTTPS
Sara Dickinson reminds us of https://dnsprivacy.org/, to track the deployment of #DNS-over-#TLS name servers. #IETF99
Shane Kerr challenges the "#DNS over #TCP is more costly than DNS over #UDP" story. UDP servers are hugely overprovisioned because of the DoS attacks enabled by UDP. TCP may allow this overprovisioning to be decreased. #IETF99