Re: [dns-privacy] Fwd: New Version Notification for draft-hzpa-dprive-xfr-over-tls-01.txt
Tony Finch <dot@dotat.at> Tue, 12 March 2019 18:59 UTC
Return-Path: <dot@dotat.at>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 509031312FA for <dns-privacy@ietfa.amsl.com>; Tue, 12 Mar 2019 11:59:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8I7Tqc9CgQ_Q for <dns-privacy@ietfa.amsl.com>; Tue, 12 Mar 2019 11:59:15 -0700 (PDT)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk [131.111.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 682511312F6 for <dns-privacy@ietf.org>; Tue, 12 Mar 2019 11:59:15 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:39448) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1h3mcL-000d2T-Jg (Exim 4.91) (return-path <dot@dotat.at>); Tue, 12 Mar 2019 18:59:13 +0000
Date: Tue, 12 Mar 2019 18:59:12 +0000
From: Tony Finch <dot@dotat.at>
To: Sara Dickinson <sara@sinodun.com>
cc: dns-privacy@ietf.org
In-Reply-To: <E0444CA6-950E-415F-AC18-A84D4EED3F7F@sinodun.com>
Message-ID: <alpine.DEB.2.20.1903121847320.13313@grey.csi.cam.ac.uk>
References: <155232711132.23203.9091918574406750404.idtracker@ietfa.amsl.com> <E0444CA6-950E-415F-AC18-A84D4EED3F7F@sinodun.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/7_QOVu3ui6_52392zarX2c0xbbg>
Subject: Re: [dns-privacy] Fwd: New Version Notification for draft-hzpa-dprive-xfr-over-tls-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2019 18:59:18 -0000
Sara Dickinson <sara@sinodun.com> wrote: > > A new draft has been submitted outlining using DNS-over-TLS for zone transfers. I've had a brief skim. It's entirely driven by zone confidentiality, which is a fine thing, but from my point of view the interesting possibility is to get transport integrity (like TSIG) but with much simpler key management. Single-ended public key authentication of the primary with IP-based access control for secondaries should be an easy upgrade that do not currently use TSIG, and really nice for stealth secondaries. Double-ended public key auth will help reduce the need to break out gpg for key exchange with oldskool third-party secondarying arrangements. So I think this is interesting from the dnsop perspective as well as dprive. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ an equitable and peaceful international order
- Re: [dns-privacy] Fwd: New Version Notification f… Wessels, Duane
- [dns-privacy] Fwd: New Version Notification for d… Sara Dickinson
- Re: [dns-privacy] Fwd: New Version Notification f… Tony Finch