IETF Logo Mail Archive

Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 29 May 2020 15:39 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 946713A0CA8 for <dns-privacy@ietfa.amsl.com>; Fri, 29 May 2020 08:39:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ne77KwBlgRUF for <dns-privacy@ietfa.amsl.com>; Fri, 29 May 2020 08:39:16 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 679AB3A0C89 for <dns-privacy@ietf.org>; Fri, 29 May 2020 08:39:16 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id 8370D6A305; Fri, 29 May 2020 17:39:13 +0200 (CEST)
Received: from plato (e82143.upc-e.chello.nl [213.93.82.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 644EE3C0382; Fri, 29 May 2020 17:39:13 +0200 (CEST)
Message-ID: <79c8d207a1215ed0a34d05236ca5dda228ac09a6.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dns-privacy@ietf.org
Date: Fri, 29 May 2020 17:39:12 +0200
In-Reply-To: <alpine.LRH.2.21.2005291115060.31882@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca> <77f7a9c38c6bd0a059679a7ab3027b4da9005512.camel@powerdns.com> <alpine.LRH.2.21.2005241710490.10453@bofh.nohats.ca> <5653e4dd2ab6daa648387808a3ac04e088bbc89b.camel@powerdns.com> <CAHbrMsDKQqfnoty+cRa5bJ=zVkONYTbFf-=8hzAj0E7pWeFXug@mail.gmail.com> <a8f44365b9b3a079753f8286cc19fbb241996bf5.camel@powerdns.com> <CAHbrMsAhKB9=nPfnmYzT-tu8-XMYNwyyuYM3T9106iWNzPpDAQ@mail.gmail.com> <alpine.LRH.2.21.2005272118320.18445@bofh.nohats.ca> <10319d748a2ecc2c4e8cad7b8fb545a1f65ff925.camel@powerdns.com> <alpine.LRH.2.21.2005291115060.31882@bofh.nohats.ca>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/4vj0j0n696MzJBD_TIMMQbUniWo>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2020 15:39:18 -0000

On Fri, 2020-05-29 at 11:25 -0400, Paul Wouters wrote:
> On Fri, 29 May 2020, Peter van Dijk wrote:
> 
> > On Wed, 2020-05-27 at 21:27 -0400, Paul Wouters wrote:
> > > It would make everything a LOT cleaner and we got no bogus
> > > DNSKEY records to ignore in our DNSSEC validation path.
> > 
> > What bogus DNSKEY records?
> 
> It really all depends on what registry systems you want to support.

Right! Preferably as many as possible - that's why the process in the
draft looks more convoluted than would be desirable.

Note that the DNSSEC validation paths in existing resolvers already
ignore DNSKEYs for algos they do not support.

> We have some combo's:

Thanks, I'm going to go through them one by one just in case you
spotted any interesting edge cases.

> - Takes any DS    --> give our DS with DoT info embedded

Right, easy.

> - Takes DS, but verifies it is a real DNSKEY at the child --> we create bogus DNSKEY matching our DS request

I am hoping, also for 'normal' DNSSEC reasons (like key rolls) that no
registry does this.

> - Takes any CDS   --> Put our info in zone as CDS 

Yes.

> - Takes CDS, but verifies it is a real DNSKEY at the child --> we create bogus DNSKEY matching our CDS request

Hopefully as above.

> - Takes DNSKEY, only does syntax checks ---> we dont need to publish anything

Yes.

> - Takes DNSKEY, verifies it lives in child --->  we create bogus DNSKEY

Hopefully as above.

> - Takes DNSKEY, but verifies it is a supported algorithm --> we have to convince them to support our pseudo alg

Yes, and, we found out and will put in -01: to allow 'weird' flags for
at least that algo.

(Incidentally you might one day run into the same question with
DELEGATION_ONLY, although a zone delegated from a registry would not be
a common place for that flag)

> - Takes any CDNSKEY  ---> we only need to publish as CDNSKEY, not DNSKEY

Yes.

> - Takes CDNSKEY but verifies it lives in child as DNSKEY ---> we need to publish CDNSKEY and bogus DNSKEY

Hopefully as above, again :)

I'm collecting registry issues at 
https://github.com/PowerDNS/parent-signals-dot/issues/22 - I hope that
list never grows a 'demands visible DNSKEY to go with the DS' entry!

> When I say bogus I mean "not a DNSKEY used for DNSSEC validation of DNS data"

Understood now. I think 'bogus' might be the worst possible choice of words though ;)
 
Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

v2.23.0 | Report a Bug | By Email