IETF Logo Mail Archive

[Add] Terminology in draft-ietf-add-requirements - "secure" etc

Patrik Fältström <paf@frobbit.se> Thu, 08 July 2021 06:08 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D18C3A1335 for <add@ietfa.amsl.com>; Wed, 7 Jul 2021 23:08:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F0Vbhh6H9Kwa for <add@ietfa.amsl.com>; Wed, 7 Jul 2021 23:08:35 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B4993A132E for <add@ietf.org>; Wed, 7 Jul 2021 23:08:35 -0700 (PDT)
Received: from [192.165.72.128] (unknown [IPv6:2a02:80:3ffc:0:fd28:7a6c:a56f:aff7]) by mail.frobbit.se (Postfix) with ESMTPSA id A1930235A7 for <add@ietf.org>; Thu, 8 Jul 2021 08:08:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1625724508; bh=94WN4YZCVUXtG0dkQUyE63FtzPqdw4Pr/q9L1Z89hPo=; h=From:To:Subject:Date:From; b=XzUNAkO+0+TjjtwaChCQzQwKcRBsygy9HVcEPmEt4Hi2Y4lgdWd47ehGl5CGuQqxw taEEbV7TiE/YfQAZtdARFjWNFhxZwemXatX9V+CHd/NVyT/pgENcabSbfW50mu6bak lCJcN6RQng5nCSh4pkB5t2+g20gvf/3HQjpoW9GQ=
From: Patrik Fältström <paf@frobbit.se>
To: add@ietf.org
Date: Thu, 08 Jul 2021 08:08:27 +0200
X-Mailer: MailMate (1.14r5816)
Message-ID: <C93DCA99-50ED-43D0-AD35-55292B63BE41@frobbit.se>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_3E72FEF0-AD80-4728-9136-8AF81D22CC07_="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/bkqmyg_YFMysOKxlIRZsehoH0vM>
Subject: [Add] Terminology in draft-ietf-add-requirements - "secure" etc
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jul 2021 06:08:40 -0000

In the requirements document, wordings are used like (example from section 4):

> Redirect secure DNS traffic to themselves when
> they would not otherwise handle DNS traffic.

I find it a bit confusing what the wording "secure DNS traffic" implies.

In various scenarios we might have (at least) situations when the traffic between stub and recursive resolver is encrypted or not. And it might be validated on the recursive resolver or not, and it might be possible for the stub resolver to query with DO flag or not.

Or to put it differently, the DNSSEC validation might:

1. Not take place at all
2. Take place in the recursive resolver side
3. Take place in the local client

In case (1) there is not much to do.

In case (2) the client must trust the recursive resolver.

In case (3) the recursive resolver do not have to trust the resolver.

In all cases the transport between client and recursive resolver can of course be encrypted or not.

May I ask for some carefully selected language here so that we do not call all three cases "secure"? Specifically if the only thing we are looking for is encrypted communication between stub and recursive resolver?

And IF we have some flags and negotiation taking place, would it not be a good idea for the client to actually know where validation takes place?

   Patrik

v2.23.0 | Report a Bug | By Email