Re: [dns-privacy] Alternative signalling propsals
Wes Hardaker <wes@hardakers.net> Mon, 17 December 2018 18:04 UTC
Return-Path: <wes@hardakers.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6C99130EE1 for <dns-privacy@ietfa.amsl.com>; Mon, 17 Dec 2018 10:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPlYlB2RMk2P for <dns-privacy@ietfa.amsl.com>; Mon, 17 Dec 2018 10:04:24 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1A03128D09 for <dns-privacy@ietf.org>; Mon, 17 Dec 2018 10:04:24 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id E0B0320679; Mon, 17 Dec 2018 10:04:23 -0800 (PST)
From: Wes Hardaker <wes@hardakers.net>
To: "Reed, Jon" <jreed@akamai.com>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
References: <74C380A3-C69F-4340-A723-B134F052953E@akamai.com>
Date: Mon, 17 Dec 2018 10:04:23 -0800
In-Reply-To: <74C380A3-C69F-4340-A723-B134F052953E@akamai.com> (Jon Reed's message of "Fri, 14 Dec 2018 17:43:34 +0000")
Message-ID: <yblwoo8vxlk.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/4x0EEOsoCqCG1tN4yOVbFKbyQPE>
Subject: Re: [dns-privacy] Alternative signalling propsals
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Dec 2018 18:04:27 -0000
"Reed, Jon" <jreed@akamai.com> writes: > On the call, someone (Wes?) proposed an alternative such as records in > the reverse zones. Yes, I think this solves a number of issues and creates new ones. IE, the list of pros and cons for all solutions includes no item with zero "cons" unfortunately. My list for putting a TLSA or similar record at the reverse zone include: pros: - the authoritative server more likely in control of its reverse zone than all the forward zones its serving - the number of reverse zone records to update on a key change is 1 per ip address. The number of name server NS records to update per key change is 1 per zone supported, which is very very large for some servers [1]. - it feels cleaner cons: - not everyone controls their reverse zone easily, especially for those that don't hold at least a /24 allocation. Ironically, I fall into this camp but still think this is a better solution than a name-based one. - requires more lookups - requires the reverse tree for that address be fully signed And probably more pros and cons I'm not thinking of at the moment. [1]: the latest huge DANE support jump at https://stats.dnssec-tools.org/ is due to a large number of zones suddenly enabling DANE/SMTP on one.com. That shows the scale of some of the larger zone holders. -- Wes Hardaker My Pictures: http://capturedonearth.com/ My Thoughts: http://blog.capturedonearth.com/
- [dns-privacy] Alternative signalling propsals Reed, Jon
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Jon Reed
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Paul Wouters
- Re: [dns-privacy] Alternative signalling propsals Stephen Farrell
- Re: [dns-privacy] Alternative signalling propsals Daniel Kahn Gillmor
- Re: [dns-privacy] Alternative signalling propsals Daniel Kahn Gillmor
- Re: [dns-privacy] Alternative signalling propsals Stephen Farrell
- Re: [dns-privacy] Alternative signalling propsals Mark Andrews
- Re: [dns-privacy] Alternative signalling propsals Wes Hardaker
- Re: [dns-privacy] Alternative signalling propsals Paul Wouters
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Tony Finch
- Re: [dns-privacy] Alternative signalling propsals Wes Hardaker
- Re: [dns-privacy] Alternative signalling propsals Petr Špaček