Re: [dns-privacy] WG strategy on opportunistic vs authenticated moving forward
"Hollenbeck, Scott" <shollenbeck@verisign.com> Tue, 13 July 2021 15:08 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48BC63A16AD; Tue, 13 Jul 2021 08:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXGZjYV151MB; Tue, 13 Jul 2021 08:08:22 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71B583A14A4; Tue, 13 Jul 2021 08:08:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=13304; q=dns/txt; s=VRSN; t=1626188902; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=yLe2Yl2rofy6aLfY7nIsGkko6p5PuhJHubdMbbTxwS0=; b=OGrXwfui/U0h7NTPC0DDQlvNRmJBKOuAwY4wdwdJYdERCr+ErU7elKZZ gQcrAvOwnbOImMqok4bN4JFKk7LHKhVnbTgeQz+SOHU3+zJ5eQcryrRX+ +576CyGxb6+GRICuzH/zZOO4sXIW26hUMNei5I0Zn4rXkwLYb4/0fe207 d78bhuiR4Q0JQqxYPicu82LsYSkOBTzCYql0Yucfx6+p8iz6mGznEHRmd okM79k1CdC9LSsKv4L+41O4qhIcFU9WTDUpMbzm+UT29Mni2Pl/aDzF3u +NU+Hn1flFt/dzLQ40r2h7NUk4Qx25USXNckF8jWpof8gyoBlnl84JD6F w==;
IronPort-SDR: uG/9Towvn8IotoiylafvIkJ/4HP22qO3jlHDyBMWjeVnkAellMRI3kp+hUdvnk+tQ2UXWEhsEG iniZxbetSCe8a0WNFzEyM/4kT4duRR0EjIZMS/kMR4Atf4rGhvDvkWabtJfpwYycDzOeDk5ctY MDTnzDEtXvfvUWqxJQh9LM5+0xSDqTtnFFqI1edTvaZLLpPArUMUOCpgbUS0ysSTTsapIMdnyB lQFJturaXETyCowAXTpYbrtqnm8gXkEwnuajzy0vlInH0usx9ha9cDK6j+nVbFnAExOQ52ZB35 M/U=
IronPort-HdrOrdr: A9a23:8QPg8Kw89c2xPfH87NWwKrPwAL1zdoMgy1knxilNoERuA6ilf8 DHppgmPGzP+VEssRAb6Ku90ca7IU80maQe3WBVB8bGYOCEghrTEGgB1/qA/9SIIUSXndK1l5 0QEZSWY+eeMbEOt6fHCX6DferIruPrzEniv5a5854kd3ASV0hP1XYANjqm
X-IronPort-AV: E=Sophos;i="5.84,236,1620705600"; d="scan'208,217";a="8550288"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10; Tue, 13 Jul 2021 11:08:18 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.2242.010; Tue, 13 Jul 2021 11:08:18 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "tjw.ietf@gmail.com" <tjw.ietf@gmail.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
CC: "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Thread-Topic: [EXTERNAL] [dns-privacy] WG strategy on opportunistic vs authenticated moving forward
Thread-Index: AQHXd0EoabX45NsDJUKZCGLKFNwZJ6tBAtGw
Date: Tue, 13 Jul 2021 15:08:18 +0000
Message-ID: <929241ebd32b449bbaf5167ad17eafed@verisign.com>
References: <CADyWQ+FQsJmmqsVhBqxK6RP-0RhOHVqvMN_bQ4CEpBWNCU+LJg@mail.gmail.com>
In-Reply-To: <CADyWQ+FQsJmmqsVhBqxK6RP-0RhOHVqvMN_bQ4CEpBWNCU+LJg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="_000_929241ebd32b449bbaf5167ad17eafedverisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/0nX5r7TScI6dN_e1jPfDXScsCQo>
Subject: Re: [dns-privacy] WG strategy on opportunistic vs authenticated moving forward
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 15:08:34 -0000
From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Tim Wicinski Sent: Monday, July 12, 2021 1:12 PM To: DNS Privacy Working Group <dns-privacy@ietf.org> Cc: dprive-chairs@ietf.org Subject: [EXTERNAL] [dns-privacy] WG strategy on opportunistic vs authenticated moving forward Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. All, The chairs have been watching the working group while we prepare for the upcoming meeting, and working through the proposals and arguments that keep coming up. We feel there is strong consensus to work on opportunistic encryption and that it may be beneficial to discuss possible experimental deployments with a version of the currently documented approach (draft-ietf-dprive-unauth-to-authoritative). The concern with lumping the root, TLDs, and SLDs into one solution is that there are contractual issues with what can be in a zone above an SLD. These limitations are potentially an issue with some solutions that need/want new records in the parent’s zone. We feel like the WG will not be able to make additional progress on any of the proposed solutions until we can reach consensus on whether the solution should be homogeneous from the root down or that the real focus is on SLDs and down. We've asked Paul and Petr to not focus on the common-features document and move that content back into their draft. The authors of draft-rescorla-dprive-adox-latest will be incorporating concepts from draft-schwartz-dprive-name-signal as a next step for the authenticated encryption proposal. This should provide a more concrete proposal that can be considered for WG adoption. The chairs would like to solicit any input/feedback on the above as we prepare for our session during IETF 111. [SAH] Knowing that there are concerns from the root server operators and operators of some top-level domains about both the server resource overhead of adding support for encryption and the value proposition in doing so, my preference would be for the WG to focus on solutions for authoritative name servers serving zones that aren’t delegation-centric. The recursive-to-authoritative resolution environment is already heterogeneous, and data minimization techniques (such as QNAME minimization) are available to reduce information disclosure during exchanges at the delegation-centric levels. There may be more interest in experimentation using non-delegation-centric zones and name servers where the data minimization techniques aren’t available, and those experiments can help guide the “increased deployment in other parts of the DNS hierarchy” mentioned in the statement from the root server operators [1]. [1] https://root-servers.org/media/news/Statement_on_DNS_Encryption.pdf Scott
- [dns-privacy] WG strategy on opportunistic vs aut… Tim Wicinski
- Re: [dns-privacy] WG strategy on opportunistic vs… Stephen Farrell
- Re: [dns-privacy] WG strategy on opportunistic vs… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WG strategy on opportunis… Paul Hoffman
- Re: [dns-privacy] [Ext] WG strategy on opportunis… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WG strategy on opportunis… Paul Hoffman
- Re: [dns-privacy] [Ext] WG strategy on opportunis… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WG strategy on opportunis… Vladimír Čunát