IETF Logo Mail Archive

[dns-privacy] Authenticating DoT nameservers for insecure delegations

manu tman <chantr4@gmail.com> Fri, 28 September 2018 15:33 UTC

Return-Path: <chantr4@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCB40130E1E for <dns-privacy@ietfa.amsl.com>; Fri, 28 Sep 2018 08:33:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mb5wrXfwEsV6 for <dns-privacy@ietfa.amsl.com>; Fri, 28 Sep 2018 08:33:02 -0700 (PDT)
Received: from mail-it1-x136.google.com (mail-it1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50CA0128C65 for <dns-privacy@ietf.org>; Fri, 28 Sep 2018 08:33:02 -0700 (PDT)
Received: by mail-it1-x136.google.com with SMTP id 134-v6so2965550itz.2 for <dns-privacy@ietf.org>; Fri, 28 Sep 2018 08:33:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Vk3o9kH+6kkya7tZBroL2uwQsw34cP3lqQBWFv1vR4w=; b=oyim981LZw0FoFrtl7cJdXMSgdyChcOZaukYIE2WRJZGpiLZw+3qIJz44cOFDdbV4n KbdtP9lAJxo9jNWwUH8QKCIuKqLXr8Dadrp/vXkthuBda/amzB50hy6HCpE0cxVq4wkD xfTv0tog67cY5J37zCoWTPaUeC2qYj+JJgPsSFteCLlxT9LwiTI0SSibKxQLbFjlsqwF RIwGzpjZNYHPP65rnRXxhY2Hu2TNddRCjvhbRWng9Jj4hKmA9xV7F045JbMIHvUMu3gN 0vEuCkQkugUlzGTZb/kdGirSRqIr516+Se4izF6sJN5tvCI5/xW5Br06aUHV+n4KOkNe yu5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Vk3o9kH+6kkya7tZBroL2uwQsw34cP3lqQBWFv1vR4w=; b=pyGDvOCKsfFEYYlTw2LQ4POPLnb/tvXcbjGfac6Qke6LUGHFZnwzjfBYge4cLvVEER 3i/gHs3qTG3ak6qlS77B7Vc/pihMuc0kUoWQGBYD142DvwroNzqblsI4hWMdr7/tNqZ4 MPelIrY2Zxd2HnDQmkVG4ny+ghNj89iV09h6OQqMKDESzkZ6AecZS5XmDZc1Hf3NtWK2 S1jAIiPXnz97Xs/5o5SNpsyJvc32N/BCAduLb6Fowtt6gH8NQ362ytZc2zvyoWomeQpn W9jYGqtVg2eEiCXBdPJNt6L7sY98h/fyutQJPvxpAqO8Muoyna5oftllXxXxkfQAI/fD MreA==
X-Gm-Message-State: ABuFfogQTn+U/6KcC+zCTNbd2q6aaqzf4VblZ5SmjsOiVXJv2IcT/qis 7BxcJdezYll3FMIAGuDzQX5wmM2t9EH9orXJsgrCdw==
X-Google-Smtp-Source: ACcGV61db478Bb0ewPdDfPWzOkhgdDOp934cG/TVxn3xmdVSpM1BbbjKIbsueaJqeQGKfWAslqthk1uM7g68sn2PIMA=
X-Received: by 2002:a24:7f87:: with SMTP id r129-v6mr1974679itc.107.1538148781312; Fri, 28 Sep 2018 08:33:01 -0700 (PDT)
MIME-Version: 1.0
From: manu tman <chantr4@gmail.com>
Date: Fri, 28 Sep 2018 08:32:50 -0700
Message-ID: <CAArYzr+oJkYM6KRJZ-bJmOt=A6FWzWPjF1havq1RFV5fgWVBEQ@mail.gmail.com>
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b8d6dc0576f02bc9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/BwCKfXNUngsH9hp0EROVq-vuNJ0>
Subject: [dns-privacy] Authenticating DoT nameservers for insecure delegations
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2018 15:33:05 -0000

Hi all,

I have been thinking of a way to authenticate DoT servers for delegations
that cannot be validated using DANE as describe in Stephane’s draft
https://tools.ietf.org/html/draft-bortzmeyer-dprive-resolver-to-auth-01

The idea is to leverage both DNSSEC and SPKI to authenticate a zone but by
relying on the parent to validate the public key. I have documented it at

https://datatracker.ietf.org/doc/draft-bretelle-dprive-dot-for-insecure-delegations/

Feedback is welcomed. Thanks

Manu

v2.23.0 | Report a Bug | By Email