Re: [dns-privacy] [Ext] Re: ADoT requirements for signalling?

"John Levine" <johnl@taugh.com> Thu, 31 October 2019 19:39 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 845B712084E for <dns-privacy@ietfa.amsl.com>; Thu, 31 Oct 2019 12:39:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=BT8sMTYF; dkim=pass (1536-bit key) header.d=taugh.com header.b=3Ir8H+mQ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qHTDC51VtPrX for <dns-privacy@ietfa.amsl.com>; Thu, 31 Oct 2019 12:39:10 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0ABF120142 for <dns-privacy@ietf.org>; Thu, 31 Oct 2019 12:39:01 -0700 (PDT)
Received: (qmail 79862 invoked from network); 31 Oct 2019 19:39:00 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=137f4.5dbb3854.k1910; i=printer-iecc.com@submit.iecc.com; bh=wyitQgLCfVc2vZIFrUwABXzo5l8jEWvHnCM31zQAmjU=; b=BT8sMTYFh0NZP4S/NOhgkjGWcIeNsniLloLNaupjrT2+5G/8BSreRIFKXFea903CaswUi5i7HqsfbHOawAoBSA+uMWbvJNVDk+MOivmY0CByyM06dm+TwJI//u3uhsXdLRS9PnwD0819yFs/SMVo3m0RT+vsxhwkB1py3224oIOjP7Hi5nB6R09eLO79xbhvp6jU7kX2kTKapHM4mnE6TZPCSRMiyZvjvz5kYZCQ7vjLLWkB3xI91b9ACU93i8Yk
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=137f4.5dbb3854.k1910; olt=printer-iecc.com@submit.iecc.com; bh=wyitQgLCfVc2vZIFrUwABXzo5l8jEWvHnCM31zQAmjU=; b=3Ir8H+mQceyIvrN2QhA/RDI4DTlWxSYtlkqTuvl27aTkhUtQxvjRdWZrSPuM9nRtm4wbirn1rjycG5eeXzkwc0oThUHjKpiJkqogaeh8mZPIwFaUJMIr19LCjXR48LTsrOear4r940/pUpBSVEo6ct2RIV4epHrqyCYk3r49r/U+/zywf2VgJ9ruNT/9MvWJlzcJn1F1XBdM7hhheSXjE0cjWl4KNt0mMnJlgY983fXiRchIorMcv2yvNXVxAo2V
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.2 ECDHE-RSA AES-256-GCM AEAD, printer@iecc.com) via TCP6; 31 Oct 2019 19:38:59 -0000
Received: by ary.qy (Postfix, from userid 501) id 8DCA3DBB4FF; Thu, 31 Oct 2019 15:38:59 -0400 (EDT)
Date: Thu, 31 Oct 2019 15:38:59 -0400
Message-Id: <20191031193859.8DCA3DBB4FF@ary.qy>
From: John Levine <johnl@taugh.com>
To: dns-privacy@ietf.org
Cc: brian.peter.dickson@gmail.com
In-Reply-To: <CAH1iCiqf_iAp4TRtCrnCOqB2S71RmhG9EeYeugENDtJKEXWWww@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/1gUyNZxA7UObU4oOCtBw3vicYy4>
Subject: Re: [dns-privacy] [Ext] Re: ADoT requirements for signalling?
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 19:39:12 -0000

In article <CAH1iCiqf_iAp4TRtCrnCOqB2S71RmhG9EeYeugENDtJKEXWWww@mail.gmail.com> you write:
>I think there will be both interest and deployment, sufficient to justify
>the effort.

I hope so, but some actual comments from large DNS operators would be welcome.

>root-servers.net be DNSSEC signed, but without a secure delegation. ...

Do any DNS resolvers use root-servers.net?  I thought they took an IP
address from the local cache file and then an NS query to get the
current root set.  This doesn't strike me as a problem we urgently
need to solve.

>(Also, I think the ADoT requirements should include an assumption that ADoT
>is not supported unless the nameserver name explicitly signals such at or
>under the nameserver's name.)

I'm not yet prepared to rule out approaches where the parent sends the signal.

R's,
John