IETF Logo Mail Archive

Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

Sara Dickinson <sara@sinodun.com> Wed, 01 November 2017 09:17 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4BF313F66D for <dns-privacy@ietfa.amsl.com>; Wed, 1 Nov 2017 02:17:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m41kupBLqxlM for <dns-privacy@ietfa.amsl.com>; Wed, 1 Nov 2017 02:17:58 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36D3C13F66A for <dns-privacy@ietf.org>; Wed, 1 Nov 2017 02:17:58 -0700 (PDT)
Received: from [2001:b98:204:102:fffa::14b4] (port=60778) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <sara@sinodun.com>) id 1e9p9m-0000SP-Sv; Wed, 01 Nov 2017 09:17:55 +0000
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <92DED45D-F74C-49CA-895D-3F1D33FA4179@sinodun.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_40541CE6-C1CA-4DD2-98FD-F304B765DB2B"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 01 Nov 2017 09:17:46 +0000
In-Reply-To: <d0884f33-4258-24b5-7ead-66a7c64dd78a@cs.tcd.ie>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dns-privacy@ietf.org
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <878tfwey8w.fsf@fifthhorseman.net> <73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com> <871slkd66k.fsf@fifthhorseman.net> <alpine.LRH.2.21.1710301539500.31082@bofh.nohats.ca> <7709D3C3-D879-421B-B81A-7908F521B9D5@sinodun.com> <E4F9F152-ACCA-4C75-A6A4-00E10B2025AB@vpnc.org> <d0884f33-4258-24b5-7ead-66a7c64dd78a@cs.tcd.ie>
X-Mailer: Apple Mail (2.3273)
X-BlackCat-Spam-Score: 3
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/BMA8RZrT5OKjOMxgsbFgPvRM358>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 09:18:00 -0000

> On 31 Oct 2017, at 18:39, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
> On 31/10/17 15:12, Paul Hoffman wrote:
>> On 31 Oct 2017, at 8:06, Sara Dickinson wrote:
>> 
>>> So maybe “A DNSSEC validating client SHOULD apply the same validation
>>> policy to the A/AAAA meta-query lookup as it does to other queries.”?
>> 
>> That could be misinterpreted to indicate that there has to be some
>> positive validation policy. How about:
>>    A DNSSEC validating client SHOULD apply the same validation policy
>>    to the A/AAAA meta-query lookup as it does to other queries.
>>    A client that does not validate DNSSEC SHOULD apply any policy it
>>    has to the A/AAAA meta-query lookup.
> 
> So I think either of the above could be ok.
> 
> The main thing for me is that we do not insist that a server
> has to get DNSSEC setup before they can do opportunistic DNS
> security. I think the above is ok in that respect.
> 
> Just checking: I think that means that with the opportunistic
> profile, only servers that have DNSSEC setup and where the
> client validates and gets a badly signed response would be
> affected, all other cases would still get DNS privacy of some
> sort. If that's right, I can live with it.

Correct. For opportunistic the use case where the client might get no DNS service is where the client is

 - configured with ONLY an authentication domain name (no IP address)
 - DNSSEC validating and configured to reject BOGUS records (all others accepted)
 - receives BOGUS answers for all configured name servers

Sara.

v2.23.0 | Report a Bug | By Email