Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?
Eric Rescorla <ekr@rtfm.com> Fri, 01 November 2019 14:13 UTC
In-Reply-To: <95e65176-0b80-fbe0-8409-11fada175c67@nic.cz>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Nov 2019 07:13:01 -0700
Message-ID: <CABcZeBPCMBDEGTpVULJgQEz_5Ddv27jayMxaW-fqXL3HQrqbyw@mail.gmail.com>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/6gErAV302fp7gdgj9MKdFfDRTko>
On Thu, Oct 31, 2019 at 11:56 PM Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:

> On 11/1/19 1:37 AM, Eric Rescorla wrote:
> > Hmm..... I think that's only true if you are assuming that the NS
> > record for the leaf is DNSSEC secured, but that doesn't seem like a
> > safe assumption.
>
> Generally speaking, I believe it's fine to add assumptions about DNSSEC
> validation, if that makes the ADoT protocol "better" in some way. (and
> I expect it will) It seems that DNSSEC will be much easier than this
> new stuff.

Easier for who? The advantage of transport security in this setting is that the authoritative can just deploy it for all their users without any interaction with the user.

> By the way, I'm personally not yet 100% convinced by TLS and might e.g.
> add QUIC into consideration

Well, DoQ seems like an interesting direction, but I'm not sure what you mean by "not 100% convinced by TLS".

-Ekr