Re: [dns-privacy] Call for adoption: draft-vandijk-dprive-ds-dot-signal-and-pin

Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 25 September 2020 20:09 UTC

Message-ID: <b645ce6fe1539287ba8a4a7dcf2f48059d043ec8.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Fri, 25 Sep 2020 22:09:45 +0200
In-Reply-To: <CAHbrMsCvbxi0q7X5TGkDq_kOVPecVYhYm4VF6UD75U=tKsiyGg@mail.gmail.com>
References: <4b3271ee-e796-3102-1ead-d1f9a3137514@innovationslab.net> <CAHbrMsCvbxi0q7X5TGkDq_kOVPecVYhYm4VF6UD75U=tKsiyGg@mail.gmail.com>
Organization: PowerDNS.COM B.V.
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/3UEMxx0XLAtMnA-PlNRy7B4ixzs>
Subject: Re: [dns-privacy] Call for adoption: draft-vandijk-dprive-ds-dot-signal-and-pin

Hi Ben,

On Mon, 2020-08-10 at 10:07 -0400, Ben Schwartz wrote:
> I do not support adopting this draft as-is.  I think this construction is very clever, and points us in the right direction for authentication, but it's extremely inflexible in regard to the transport protocol and key updates.  As the draft notes, "a change in TLS keys on an auth may require DS updates for thousands or even hundreds of thousands of domains", which may not be under the administrative control of the authoritative server operator.  This seems likely to make key rotation effectively impossible in many potential deployments, as rotation cannot occur until _all_ customers have updated their zones.
> 
> This draft could be suitable for "experimental" status, but for a "standards track" document I think we should start with a design that addresses these problems.

Because I still believe this approach would work for many domain owners, I think experimental would make perfect sense, but at this point I'm unsure the WG even has appetite for that, and that is very understandable.

(And I agree with Paul Hoffman and others that we have plenty of proposals, fully worked out or not, but not a lot of agreement on what the actual shape of the problem we are solving is.)

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/