Re: [dns-privacy] [Ext] DS glue

Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com> Thu, 19 August 2021 16:54 UTC

From: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
Date: Thu, 19 Aug 2021 18:54:34 +0200
Message-ID: <CAHXf=0q0VE23btHH2j+a-7xVL6vzFxdxidQd5PD2iA6mhxjnNw@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Paul Hoffman <paul.hoffman@icann.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/DBwNMUEPJ9uEYcJCl1tqthO0MnA>
Subject: Re: [dns-privacy] [Ext] DS glue

Ben,

I've reviewed the draft, thanks for writing it up. I do think it's an
excellent shot at addressing the problem of authenticated encryption,
and very mature already. Speaking as a TLD registry operator, I agree
that the glue provisioning path is extremely slow to upgrade, so
"staying under the radar" by using an existing, reasonably well
deployed RR type is the only feasible "fast" way forward (for medium
values of "fast", as it will take some time and effort for the new
algorithm type to be enabled). Getting wide deployment for an EPP
extension to provision SVCB directly would take at least a decade.
So, I like this alternative a lot.

However, I'm a bit more cautious when it comes to generalizing DS-GLUE
to other use cases, particularly conveying NS records. It's cool to
have a generic mechanism to convey arbitrary records, but once those
records overlap with a "legacy deployment", we need to be very, very
careful about the interactions between those two channels (e.g. domain
name owners expecting they can safely remove the NS records from the
registry, because they supply those records in DS-GLUE already). I
think there should be some text in the draft about this in future
revisions. Maybe we should even restrict DS-GLUE to a set of
pre-defined use cases.

best,
Alex

On Tue, Aug 10, 2021 at 7:26 PM Ben Schwartz
<bemasc=40google.com@dmarc.ietf.org> wrote:
>
> I've now uploaded https://datatracker.ietf.org/doc/html/draft-schwartz-ds-glue-01, with clarifications and corrections based on comments from Paul Hoffman and Ilari Liusvaara (thanks both).
>
> On Tue, Aug 10, 2021 at 12:16 PM Paul Hoffman <paul.hoffman@icann.org> wrote:
>>
>> >> Hi DPRIVE.  I've written this up as a proper I-D at https://datatracker.ietf.org/doc/html/draft-schwartz-ds-glue-00.  Please review.
>>
>> Peter and I talked yesterday, and we see how to update draft-ietf-dprive-unauth-to-authoritative to incorporate "if you're a validating resolver, you SHOULD process DSGLUE during the NS lookup so that you might be able to encrypt the first time". This model seems to be the best so far to give the needed information in the parent. It would be good to hear if the WG wants to go in this direction.
>>
>> --Paul Hoffman
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org
>> https://www.ietf.org/mailman/listinfo/dns-privacy