Re: [Add] ADD Calls for WF Adoption

Paul Wouters <paul@nohats.ca> Sun, 31 October 2021 21:19 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 418AB3A0A0D for <add@ietfa.amsl.com>; Sun, 31 Oct 2021 14:19:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sXIZvJawLfVe for <add@ietfa.amsl.com>; Sun, 31 Oct 2021 14:19:20 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3179C3A09D8 for <add@ietf.org>; Sun, 31 Oct 2021 14:19:20 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Hj8Dd1kGrz30Z; Sun, 31 Oct 2021 22:19:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1635715153; bh=umsd1Nk/ct0pnUDvcWKw0d352kVowUKb3hE8ZxWSR7Y=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=D0kI2fUiVjmJcxzV7i69R2qHh6y+YbUaHiE6XiwKelCQ5doNpKzI1Xn6WlgfvYKBT ypV1wrl6CuHWE93clvZpt6RK34dZGrtf2RntrqDzCn/ZKxSQJdBkratBLeLTmSXUnw 6/noJsgTKsCujVRPXgwwzRASs9ieL0ZnbeAN0e68=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id mCfWtwv_5brh; Sun, 31 Oct 2021 22:19:12 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun, 31 Oct 2021 22:19:12 +0100 (CET)
Received: from smtpclient.apple (unknown [193.110.157.216]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id 5969B12E6C7; Sun, 31 Oct 2021 17:19:11 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Sun, 31 Oct 2021 17:19:05 -0400
Message-Id: <341CA99B-6530-4DB4-B4B5-93C7630AEF01@nohats.ca>
References: <16CDFE05-87E5-4F5E-987D-101BE50C0FE3@apple.com>
Cc: Geoff Huston <gih903@gmail.com>, Eric Rescorla <ekr@rtfm.com>, add@ietf.org, "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>
In-Reply-To: <16CDFE05-87E5-4F5E-987D-101BE50C0FE3@apple.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (19A404)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/VmTgq1Bz7F1Rp4jwjvtyrQqrVE8>
Subject: Re: [Add] ADD Calls for WF Adoption
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Oct 2021 21:19:33 -0000

On Oct 31, 2021, at 16:22, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
> 
> On the case of the split-DNS document, I think the main crux of the issue is how a network establishes ownership over a domain in a way that clients can trust, and should trust more than other alternatives.

And I still cannot figure out how this system is supposed to work. I read the document and it’s references. I asked questions and for some answers but I still don’t understand how it can work. While I am happy to discuss the idea of split dns authorization and authentication in the WG, I don’t think this document is ready for an adoption call.

> That might be something that’s in scope if we discuss it, but I’m seriously wondering if that is a bigger problem that needs a more general mechanism that just what’s used for bootstrapping an encrypted resolver (the topic of ADD). I think having these private-scoped PvDs is quite interesting, but given that a lot of work was done for PvDs elsewhere (like in intarea), it may be that this mechanism mainly belongs in another group or a new group entirely. That’s the kind of discussion that’s useful to have prior to adoption. 

I agree. This was always an issue of the ADD working group.

Paul