IETF Logo Mail Archive

Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt

manu tman <chantr4@gmail.com> Sat, 23 March 2019 20:43 UTC

Return-Path: <chantr4@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3312F130D7A for <dns-privacy@ietfa.amsl.com>; Sat, 23 Mar 2019 13:43:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08KXBZc6GDbQ for <dns-privacy@ietfa.amsl.com>; Sat, 23 Mar 2019 13:43:24 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C88C012AF7F for <dns-privacy@ietf.org>; Sat, 23 Mar 2019 13:43:23 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id x3so4545226iol.10 for <dns-privacy@ietf.org>; Sat, 23 Mar 2019 13:43:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XEUNKGcqQqMAyenvmh33F0wNdRl2fCBTXWkDWfTKSJs=; b=oNTxyBhJhJt7+W6/hnpJlei9zXiqmtFj15Z6V3ZFqa1uiohGuwlMPf40J92D8QtL0z gPHc3W+2Jx0A1cT2Aciju6bJEVkKCyiHx62fFCCi8eJLewh4okuY7Y7/E16lFFL1kUqI rM6rmUD6nDsbmNX8pMDuMpEJR0lDHvyph/ePPlX5e2KdGRTKXwnfCGf0PXS6sOtahH47 D6JPqgl5Ojo47vtiRwJlwb1KUPMmqyLyKxhWtFCmn9J7whVbr/XIGCBjhscpfDPLmXWm 95J63zz2A8ph4tcgRLYw+G247e3eulDW71P0MPz3WPs5syOciDvfFGx+xuMSGQ/EMmfY H63A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XEUNKGcqQqMAyenvmh33F0wNdRl2fCBTXWkDWfTKSJs=; b=j0mmAb/knS26/f/MPhnqJVpmn4DDoZBjwEoiu1eNN2VdHa2Y+N4PPAzNtjXfDCzuwr c0WA7H2V9Tw8elLBQAuJVZ7+Z6KdxejiezlowE0UPyJFHrvUJ41fy6InVaVQp/HFACju QRA0lE6dF6V5GioOhRAHsLPm/+kImbxPbzWyG9oIBdAElpKGQkGXQUmaJl00isT6EG1w 7OohwgZ6J8veSfCheFDhKRWvFNi16VlqZDLtZ5MRCcqnk4lY+Z7xY3YBdEYVlaPrAxnh dqGb9JRTusWnA3N2vaPrkiRDwGTaKp0irwJQjuijIipkR8I7xxZnMtKzk/aXcDw+pgu0 pVEg==
X-Gm-Message-State: APjAAAUpLbz+EEmhNu4y3sWcfaH36jdmX6bHkapaG4nzoAnY2iT6u1eN rdLClBOEvQmwUAfFwiwGRA7vCvihYdFrr79E7SU=
X-Google-Smtp-Source: APXvYqylcduZF8V58WXW4Ysr38bHjEJNrDXubwfH7Q10Uhtfd1s+KYxx7fiEiIjtEPBYVDgd5RiUKKcFE5yM4NwV3wI=
X-Received: by 2002:a5e:8e4d:: with SMTP id r13mr6724918ioo.80.1553373803006; Sat, 23 Mar 2019 13:43:23 -0700 (PDT)
MIME-Version: 1.0
References: <CAArYzrLNWFBPU2p06mOOBD2GFGKCoM65Lh8wN6vpNx8QuDArwA@mail.gmail.com> <6EF66B71-918D-41D4-B784-814804A87D78@akamai.com>
In-Reply-To: <6EF66B71-918D-41D4-B784-814804A87D78@akamai.com>
From: manu tman <chantr4@gmail.com>
Date: Sat, 23 Mar 2019 21:43:11 +0100
Message-ID: <CAArYzrJxY28nVZ5cQF34juNOP3N6f3Rw-DL0vFXFHqoJ+RKmKg@mail.gmail.com>
To: "Reed, Jon" <jreed@akamai.com>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb4d0e0584c905b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/6DXCnQP9f5PeBQcUoxFb0DDAujk>
Subject: Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2019 20:43:26 -0000

Hi Jon,



> However, I also think it should be possible for cloud providers to offer
> DoT transparently, without customers needing to opt-in.   (I’m open to
> rebuttals to that, but I don’t see any obvious drawbacks.)   I’d like to
> see the ability to scale either of these proposals to cloud services, but
> I’m not quite sure how that would work.
>

I think there may be business decisions as to whether or not this will
should transparent to the user vs being able to easily opt them in. I would
wish for this to be transparent and automatically enable wherever possible,
but people in that side of the business (which I am not in) may have
different opinions, I would like to hear those.



>
> Consider the following delegation from the gTLD servers:
>
>
>
> example.com   3600  IN      NS     ns1.clouddnsprovider.com
>
> example.com   3600  IN      NS     ns2.clouddnsprovider.com
>
>
>
> Now, under the clouddnsprovider.com zone, the provider can create the
> necessary DSPKI or base32-encoded NS records for “clouddnsprovider.com”
> in the gTLDs.   But under my reading of this proposal, that means DOT would
> only be used to look up names under “clouddnsprovider.com”, not “
> example.com”.   But, the recursive _*knows*_ that ns1.clouddnsprovider.com
> is capable of doing DoT (assuming TLS negotiation was successful).
> Therefore, I think it should be able to use DoT to lookup names under
> example.com (or indeed, under any domain which has the same (ns name,
> address) tuple.    I’d like to see this use case explicitly addressed in
> the text of the draft.
>

As is, the SPKI would be used to validate the servers ns{1,2}.
cloudprovider.com but there is definitely a disconnect when it is out of
bailiwick. We should be able to articulate something for that case though.
I am at the IETF till EOW. Let’s meet and brainstorm how that could work
out for this scenario.

Manu

>
>
> Unfortunately, I’ll only be able to attend the first 10-15 minutes of
> DPRIVE before I have to leave for the airport, but I’d be happy to discuss
> this further in a side-meeting or ad-hoc.
>
>
>
> Thanks,
>
>
>
> Jon
>
>
>
>
>
> --
>
> Jon Reed <jreed@akamai.com>
>
> Senior Performance Engineer
>
> Nameservers Service Performance
>
>
>
>
>
>
>
> *From: *manu tman <chantr4@gmail.com>
> *Date: *Monday, March 11, 2019 at 12:52 PM
> *To: *"dns-privacy@ietf.org" <dns-privacy@ietf.org>
> *Subject: *[dns-privacy] New Version Notification for
> draft-bretelle-dprive-dot-for-insecure-delegations-01.txt
>
>
>
>
>
> During earlier discussion (post virtual meeting), there were a mixture of
> feeling as to where SPKI may be published, here is one proposal bump
> (through the rush of time) to publish it in the parent zone.
>
>
>
>
>
> Manu
>
>
>
> ———
>
>
>
>
>
> A new version of I-D,
> draft-bretelle-dprive-dot-for-insecure-delegations-01.txt
>
> has been successfully submitted by Emmanuel Bretelle and posted to the
>
> IETF repository.
>
>
>
> Name: draft-bretelle-dprive-dot-for-insecure-delegations
>
> Revision: 01
>
> Title: DNS-over-TLS for insecure delegations
>
> Document date: 2019-03-11
>
> Group: Individual Submission
>
> Pages: 7
>
> URL:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_internet-2Ddrafts_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01.txt&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=PTJU2WP56vNJ3OnZN8sxwflDDPzJTP2kbMe7zyinhT8&e=
>
> Status:
> https://urldefense.proofpoint..com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations_&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=SSXjldGIOCQ8_CAJnci1qab0INy6UiD75Fu71efQyW4&e=
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations_&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=SSXjldGIOCQ8_CAJnci1qab0INy6UiD75Fu71efQyW4&e=>
>
>
>
> Htmlized:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=gwClruoLv-Mu6Sxl37_kCyxOu6Vx5QBV1ppRA0_m5aw&e=
>
> Htmlized:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_html_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=MyhcqxSfzLUA2UhuM22MPzog5cLn6OxC_EwQPH7Qe6Y&e=
>
> Diff:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_rfcdiff-3Furl2-3Ddraft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=aXUkzkp72a1sBvkWpiF9xYstuFWDnXcVoJTRRtLN2tA&e=
>
>
>
> Abstract:
>
> This document describes an alternative mechanism to DANE ([RFC6698])
>
> in order to authenticate a DNS-over-TLS (DoT [RFC7858]) authoritative
>
> server by not making DNSSEC a hard requirement, making DoT server
>
> authentication available for insecure delegations.
>
>
>
>
>
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
>
> until the htmlized version and diff are available at tools.ietf.org
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__tools.ietf.org_&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=_xTHEvws93UZ7jl9jhO7Pg&m=Wd41zdFrBer8CbvE8IcsmswCHFw9t1jpnqp_Gc9ifmk&s=4W3NnQBFNBwU4tl-AbrJMTVqBokRnB5hZQQuQZNlinQ&e=>
> .
>
>
>
> The IETF Secretariat
>
>

v2.23.0 | Report a Bug | By Email