[dns-privacy] Complete changes to the (no longer just) opportunistic ADoT draft

Paul Hoffman <paul.hoffman@icann.org> Mon, 22 February 2021 21:27 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: "dprive@ietf.org" <dprive@ietf.org>
Date: Mon, 22 Feb 2021 21:27:33 +0000
Message-ID: <5478A187-BF50-4ACB-8A6C-BDE56233F4A7@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/6rZzBbQgywhC58Yb94cntfxPS04>
Subject: [dns-privacy] Complete changes to the (no longer just) opportunistic ADoT draft

Greetings again. You probably just saw the announcement of draft-ietf-dprive-opportunistic-adotq-01. After the discussion on the list about us having to make the opportunistic draft track the (unpublished) fully-authenticated draft, Peter and I decided it would be easier for the WG to keep both ideas in their heads by making a single draft that covers both opportunistic and fully-authenticated ADoT.

Thus, the new draft is titled "Recursive to Authoritative DNS with Encryption" because it covers both use cases and the process for both types of resolvers. (Clearly, we should change the draft's filename after the draft submission window opens again in two weeks.) We tried hard to make the protocol description as short as possible by not repeating steps that are the same for all resolvers, but also to clearly differentiate when something is different.

The changes are so massive that the diff is useless; you have to read this as a new document.

This is just a first attempt at a combined-use-case document. There are certainly holes, and probably places where people will want to change the protocol for their preferred use case. (Of course, if people hate the idea of a single document, we can do another version of this that just covers the opportunistic use case, and proponents of the fully-authenticated use case can use it as a template for their work.)

One obvious set of changes we will ask the WG about is adding DoQ throughout. In our structuring of the new document, we don't think that will be too disruptive.

Please review and comment. Please remember that this is a very early version and is not meant to be complete now, but we will certainly want it to be so over the course of many months.

--Paul Hoffman