Re: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft

Paul Wouters <paul@nohats.ca> Wed, 27 February 2019 14:24 UTC

Date: Wed, 27 Feb 2019 09:24:46 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
cc: "art@ietf.org" <art@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
Message-ID: <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/MfaUis7Gs2vOHhihpVlmv3EmchU>

On Mon, 25 Feb 2019, Brotman, Alexander wrote:

> Stephen and I have spent a bit of time working on a draft to be able to show a relationship between two domains.  We're aware this subject has been covered a few times previously, especially in the DBOUND drafts, but we're hopeful that a more simple approach might be more acceptable.   The secondary domain will create a DNS record that shows a link to a primary domain, and the text should be able to be validated using the public key in a DNS record the primary domain shares.  This is something akin to DKIM, a mechanism that the email world uses to ensure the contents of a message have not been tampered with.
>
> https://datatracker.ietf.org/doc/draft-brotman-rdbd/

I've read the draft, and I have my usual complaints.

If we put stuff into the DNS for security decisions, saying "it's better
if you use this data when it is DNSSEC signed" is just too weak. We are
splashing TOFU everywhere and putting CT bandaids on it. It's long overdue
that we stop with that. Just require DNSSEC.

And if you require DNSSEC validation, then the solution becomes
much simpler and could be encoded in a single bit, see:

https://tools.ietf.org/html/draft-pwouters-powerbind

Paul