Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?

Eric Rescorla <ekr@rtfm.com> Fri, 01 November 2019 14:13 UTC

References: <CAHbrMsDwDoTQN8Y5Zk7rSVepjwwyatEyAA6f0oJ9DESmAfHfXg@mail.gmail.com> <20191031211222.A6422DBC1C7@ary.qy> <CAH1iCiqYoXMZ0U3yt8AjUXyZVRdDnmHzSpHvYmg++ACZ-U6=zA@mail.gmail.com> <CABcZeBP-k23ZY=f6Lv5A+B+Z_4ar_9ea=G7O+KRriXNLUzKGqw@mail.gmail.com> <95e65176-0b80-fbe0-8409-11fada175c67@nic.cz>
In-Reply-To: <95e65176-0b80-fbe0-8409-11fada175c67@nic.cz>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Nov 2019 07:13:01 -0700
Message-ID: <CABcZeBPCMBDEGTpVULJgQEz_5Ddv27jayMxaW-fqXL3HQrqbyw@mail.gmail.com>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/6gErAV302fp7gdgj9MKdFfDRTko>

On Thu, Oct 31, 2019 at 11:56 PM Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
wrote:

> On 11/1/19 1:37 AM, Eric Rescorla wrote:
> > Hmm..... I think that's only true if you are assuming that the NS
> > record for the leaf is DNSSEC secured, but that doesn't seem like a
> > safe assumption.
>
> Generally speaking, I believe it's fine to add assumptions about DNSSEC
> validation, if that makes the ADoT protocol "better" in some way.  (and
> I expect it will)  It seems that DNSSEC will be much easier than this
> new stuff.
>

Easier for who? The advantage of transport security in this setting is that
the authoritative can just deploy it for all their users without any
interaction with the user.

> By the way, I'm personally not yet 100% convinced by TLS and might e.g.
> add QUIC into consideration
>

Well, DoQ seems like an interesting direction, but I'm not sure what you
mean by "not 100% convinced by TLS".

-Ekr