Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt
manu tman <chantr4@gmail.com> Sat, 23 March 2019 20:43 UTC
Return-Path: <chantr4@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3312F130D7A for <dns-privacy@ietfa.amsl.com>; Sat, 23 Mar 2019 13:43:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08KXBZc6GDbQ for <dns-privacy@ietfa.amsl.com>; Sat, 23 Mar 2019 13:43:24 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C88C012AF7F for <dns-privacy@ietf.org>; Sat, 23 Mar 2019 13:43:23 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id x3so4545226iol.10 for <dns-privacy@ietf.org>; Sat, 23 Mar 2019 13:43:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XEUNKGcqQqMAyenvmh33F0wNdRl2fCBTXWkDWfTKSJs=; b=oNTxyBhJhJt7+W6/hnpJlei9zXiqmtFj15Z6V3ZFqa1uiohGuwlMPf40J92D8QtL0z gPHc3W+2Jx0A1cT2Aciju6bJEVkKCyiHx62fFCCi8eJLewh4okuY7Y7/E16lFFL1kUqI rM6rmUD6nDsbmNX8pMDuMpEJR0lDHvyph/ePPlX5e2KdGRTKXwnfCGf0PXS6sOtahH47 D6JPqgl5Ojo47vtiRwJlwb1KUPMmqyLyKxhWtFCmn9J7whVbr/XIGCBjhscpfDPLmXWm 95J63zz2A8ph4tcgRLYw+G247e3eulDW71P0MPz3WPs5syOciDvfFGx+xuMSGQ/EMmfY H63A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XEUNKGcqQqMAyenvmh33F0wNdRl2fCBTXWkDWfTKSJs=; b=j0mmAb/knS26/f/MPhnqJVpmn4DDoZBjwEoiu1eNN2VdHa2Y+N4PPAzNtjXfDCzuwr c0WA7H2V9Tw8elLBQAuJVZ7+Z6KdxejiezlowE0UPyJFHrvUJ41fy6InVaVQp/HFACju QRA0lE6dF6V5GioOhRAHsLPm/+kImbxPbzWyG9oIBdAElpKGQkGXQUmaJl00isT6EG1w 7OohwgZ6J8veSfCheFDhKRWvFNi16VlqZDLtZ5MRCcqnk4lY+Z7xY3YBdEYVlaPrAxnh dqGb9JRTusWnA3N2vaPrkiRDwGTaKp0irwJQjuijIipkR8I7xxZnMtKzk/aXcDw+pgu0 pVEg==
X-Gm-Message-State: APjAAAUpLbz+EEmhNu4y3sWcfaH36jdmX6bHkapaG4nzoAnY2iT6u1eN rdLClBOEvQmwUAfFwiwGRA7vCvihYdFrr79E7SU=
X-Google-Smtp-Source: APXvYqylcduZF8V58WXW4Ysr38bHjEJNrDXubwfH7Q10Uhtfd1s+KYxx7fiEiIjtEPBYVDgd5RiUKKcFE5yM4NwV3wI=
X-Received: by 2002:a5e:8e4d:: with SMTP id r13mr6724918ioo.80.1553373803006; Sat, 23 Mar 2019 13:43:23 -0700 (PDT)
MIME-Version: 1.0
References: <CAArYzrLNWFBPU2p06mOOBD2GFGKCoM65Lh8wN6vpNx8QuDArwA@mail.gmail.com> <6EF66B71-918D-41D4-B784-814804A87D78@akamai.com>
In-Reply-To: <6EF66B71-918D-41D4-B784-814804A87D78@akamai.com>
From: manu tman <chantr4@gmail.com>
Date: Sat, 23 Mar 2019 21:43:11 +0100
Message-ID: <CAArYzrJxY28nVZ5cQF34juNOP3N6f3Rw-DL0vFXFHqoJ+RKmKg@mail.gmail.com>
To: "Reed, Jon" <jreed@akamai.com>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb4d0e0584c905b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/6DXCnQP9f5PeBQcUoxFb0DDAujk>
Subject: Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2019 20:43:26 -0000
Hi Jon, > However, I also think it should be possible for cloud providers to offer > DoT transparently, without customers needing to opt-in. (I’m open to > rebuttals to that, but I don’t see any obvious drawbacks.) I’d like to > see the ability to scale either of these proposals to cloud services, but > I’m not quite sure how that would work. > I think there may be business decisions as to whether or not this will should transparent to the user vs being able to easily opt them in. I would wish for this to be transparent and automatically enable wherever possible, but people in that side of the business (which I am not in) may have different opinions, I would like to hear those. > > Consider the following delegation from the gTLD servers: > > > > example.com 3600 IN NS ns1.clouddnsprovider.com > > example.com 3600 IN NS ns2.clouddnsprovider.com > > > > Now, under the clouddnsprovider.com zone, the provider can create the > necessary DSPKI or base32-encoded NS records for “clouddnsprovider.com” > in the gTLDs. But under my reading of this proposal, that means DOT would > only be used to look up names under “clouddnsprovider.com”, not “ > example.com”. But, the recursive _*knows*_ that ns1.clouddnsprovider.com > is capable of doing DoT (assuming TLS negotiation was successful). > Therefore, I think it should be able to use DoT to lookup names under > example.com (or indeed, under any domain which has the same (ns name, > address) tuple. I’d like to see this use case explicitly addressed in > the text of the draft. > As is, the SPKI would be used to validate the servers ns{1,2}. cloudprovider.com but there is definitely a disconnect when it is out of bailiwick. We should be able to articulate something for that case though. I am at the IETF till EOW. Let’s meet and brainstorm how that could work out for this scenario. Manu > > > Unfortunately, I’ll only be able to attend the first 10-15 minutes of > DPRIVE before I have to leave for the airport, but I’d be happy to discuss > this further in a side-meeting or ad-hoc. > > > > Thanks, > > > > Jon > > > > > > -- > > Jon Reed <jreed@akamai.com> > > Senior Performance Engineer > > Nameservers Service Performance > > > > > > > > *From: *manu tman <chantr4@gmail.com> > *Date: *Monday, March 11, 2019 at 12:52 PM > *To: *"dns-privacy@ietf.org" <dns-privacy@ietf.org> > *Subject: *[dns-privacy] New Version Notification for > draft-bretelle-dprive-dot-for-insecure-delegations-01.txt > > > > > > During earlier discussion (post virtual meeting), there were a mixture of > feeling as to where SPKI may be published, here is one proposal bump > (through the rush of time) to publish it in the parent zone. > > > > > > Manu > > > > ——— > > > > > > A new version of I-D, > draft-bretelle-dprive-dot-for-insecure-delegations-01.txt > > has been successfully submitted by Emmanuel Bretelle and posted to the > > IETF repository. > > > > Name: draft-bretelle-dprive-dot-for-insecure-delegations > > Revision: 01 > > Title: DNS-over-TLS for insecure delegations > > Document date: 2019-03-11 > > Group: Individual Submission > > Pages: 7 > > URL: > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_internet-2Ddrafts_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01.txt&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=PTJU2WP56vNJ3OnZN8sxwflDDPzJTP2kbMe7zyinhT8&e= > > Status: > https://urldefense.proofpoint..com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations_&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=SSXjldGIOCQ8_CAJnci1qab0INy6UiD75Fu71efQyW4&e= > <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations_&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=SSXjldGIOCQ8_CAJnci1qab0INy6UiD75Fu71efQyW4&e=> > > > > Htmlized: > https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=gwClruoLv-Mu6Sxl37_kCyxOu6Vx5QBV1ppRA0_m5aw&e= > > Htmlized: > https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_html_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=MyhcqxSfzLUA2UhuM22MPzog5cLn6OxC_EwQPH7Qe6Y&e= > > Diff: > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_rfcdiff-3Furl2-3Ddraft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=aXUkzkp72a1sBvkWpiF9xYstuFWDnXcVoJTRRtLN2tA&e= > > > > Abstract: > > This document describes an alternative mechanism to DANE ([RFC6698]) > > in order to authenticate a DNS-over-TLS (DoT [RFC7858]) authoritative > > server by not making DNSSEC a hard requirement, making DoT server > > authentication available for insecure delegations. > > > > > > > > > > Please note that it may take a couple of minutes from the time of > submission > > until the htmlized version and diff are available at tools.ietf.org > <https://urldefense.proofpoint.com/v2/url?u=http-3A__tools.ietf.org_&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=_xTHEvws93UZ7jl9jhO7Pg&m=Wd41zdFrBer8CbvE8IcsmswCHFw9t1jpnqp_Gc9ifmk&s=4W3NnQBFNBwU4tl-AbrJMTVqBokRnB5hZQQuQZNlinQ&e=> > . > > > > The IETF Secretariat > >
- Re: [dns-privacy] New Version Notification for dr… Peter van Dijk
- [dns-privacy] New Version Notification for draft-… manu tman
- Re: [dns-privacy] New Version Notification for dr… Reed, Jon
- Re: [dns-privacy] New Version Notification for dr… manu tman
- Re: [dns-privacy] New Version Notification for dr… Ilari Liusvaara
- Re: [dns-privacy] New Version Notification for dr… manu tman
- Re: [dns-privacy] New Version Notification for dr… Ilari Liusvaara
- Re: [dns-privacy] New Version Notification for dr… Tony Finch