Re: [dns-privacy] [Ext] DS glue
Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com> Thu, 19 August 2021 16:54 UTC
From: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
Date: Thu, 19 Aug 2021 18:54:34 +0200
Message-ID: <CAHXf=0q0VE23btHH2j+a-7xVL6vzFxdxidQd5PD2iA6mhxjnNw@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Paul Hoffman <paul.hoffman@icann.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/DBwNMUEPJ9uEYcJCl1tqthO0MnA>
Ben,

I've reviewed the draft, thanks for writing it up. I do think it's an excellent shot at addressing the problem of authenticated encryption, and very mature already.

Speaking as a TLD registry operator, I agree that the glue provisioning path is extremely slow to upgrade, so "staying under the radar" by using an existing, reasonably well deployed RR type is the only feasible "fast" way forward (for medium values of "fast", as it will take some time and effort for the new algorithm type to be enabled). Getting wide deployment for an EPP extension to provision SVCB directly would take at least a decade. So, I like this alternative a lot.

However, I'm a bit more cautious when it comes to generalizing DS-GLUE to other use cases, particularly conveying NS records. It's cool to have a generic mechanism to convey arbitrary records, but once those records overlap with a "legacy deployment", we need to be very, very careful about the interactions between those two channels (e.g. domain name owners expecting they can safely remove the NS records from the registry, because they supply those records in DS-GLUE already). I think there should be some text in the draft about this in future revisions. Maybe we should even restrict DS-GLUE to a set of pre-defined use cases.

best,
Alex

On Tue, Aug 10, 2021 at 7:26 PM Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>
> I've now uploaded https://datatracker.ietf.org/doc/html/draft-schwartz-ds-glue-01, with clarifications and corrections based on comments from Paul Hoffman and Ilari Liusvaara (thanks both).
>
> On Tue, Aug 10, 2021 at 12:16 PM Paul Hoffman <paul.hoffman@icann.org> wrote:
>>
>> Hi DPRIVE. I've written this up as a proper I-D at https://datatracker.ietf.org/doc/html/draft-schwartz-ds-glue-00. Please review.
>>
>> Peter and I talked yesterday, and we see how to update draft-ietf-dprive-unauth-to-authoritative to incorporate "if you're a validating resolver, you SHOULD process DSGLUE during the NS lookup so that you might be able to encrypt the first time". This model seems to be the best so far to give the needed information in the parent. It would be good to hear if the WG wants to go in this direction.
>>
>> --Paul Hoffman
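As an added illustration of the idea discussed in this thread (this is example code written for this page; it is neither the wire format of draft-schwartz-ds-glue nor code from the message's author): a toy Python encoder/decoder that carries one wire-format RR, here an SVCB record pointing at an authoritative server's DoT endpoint, inside the digest field of a DS record, and that enforces the restriction to a fixed set of permitted glue types suggested above so that an NS record cannot be smuggled through the same channel. The DS algorithm and digest-type numbers, the contents of the allow-list, and all domain names are assumptions.

```python
"""Toy DS-as-carrier encoder/decoder. Added example; placeholder code points."""
import struct
from typing import Optional

# ASSUMPTIONS: these are placeholders for the illustration only, not the
# draft's or IANA's values. A real deployment uses whatever the spec assigns.
DSGLUE_ALGORITHM = 253     # hypothetical carrier marker in the DS algorithm field
DSGLUE_DIGEST_TYPE = 0     # hypothetical carrier marker in the DS digest-type field

# Real RR type / class codes.
TYPE_NS = 2
TYPE_SVCB = 64
CLASS_IN = 1

# Restricting glue to pre-defined types is the suggestion made in the message
# above; which types the set contains is an assumption of this example.
ALLOWED_GLUE_TYPES = {TYPE_SVCB}


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (length-prefixed labels, root byte)."""
    stripped = name.rstrip(".")
    out = b""
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode an uncompressed name at buf[off:]; returns (name, next_offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n >= 0xC0:
            raise ValueError("compression pointers are not allowed inside glue")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def svcb_rdata(priority: int, target: str, alpn: list) -> bytes:
    """SVCB rdata: priority | target name | SvcParams (only alpn, key 1, here)."""
    alpn_val = b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpn)
    return (struct.pack("!H", priority) + encode_name(target)
            + struct.pack("!HH", 1, len(alpn_val)) + alpn_val)


def build_dsglue(key_tag: int, owner: str, rrtype: int, ttl: int, rdata: bytes) -> bytes:
    """DS rdata = key tag | algorithm | digest type | digest, where the 'digest'
    carries one wire-format RR (owner | type | class | ttl | rdlen | rdata)."""
    if rrtype not in ALLOWED_GLUE_TYPES:
        raise ValueError(f"RR type {rrtype} is not permitted as DS glue")
    rr = encode_name(owner) + struct.pack("!HHIH", rrtype, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!HBB", key_tag, DSGLUE_ALGORITHM, DSGLUE_DIGEST_TYPE) + rr


def parse_ds(rdata: bytes) -> Optional[dict]:
    """Return the glued RR if this DS is a carrier, None for an ordinary DS.
    A carrier whose glued type is outside the allow-list is rejected, so a
    parent-side NS cannot arrive through this channel unnoticed."""
    if len(rdata) < 4:
        raise ValueError("DS rdata too short")
    key_tag, alg, dtype = struct.unpack("!HBB", rdata[:4])
    if (alg, dtype) != (DSGLUE_ALGORITHM, DSGLUE_DIGEST_TYPE):
        return None                      # a normal DS: leave it to DNSSEC validation
    owner, off = decode_name(rdata, 4)
    if len(rdata) < off + 10:
        raise ValueError("truncated glue RR header")
    rrtype, rrclass, ttl, rdlen = struct.unpack("!HHIH", rdata[off:off + 10])
    off += 10
    body = rdata[off:off + rdlen]
    if len(body) != rdlen or off + rdlen != len(rdata):
        raise ValueError("glue RR length mismatch")
    if rrtype not in ALLOWED_GLUE_TYPES:
        raise ValueError(f"glued RR type {rrtype} is not permitted")
    return {"key_tag": key_tag, "owner": owner, "type": rrtype,
            "class": rrclass, "ttl": ttl, "rdata": body}


if __name__ == "__main__":
    # Hypothetical delegation: example. publishes a DoT-capable ns1.example.
    svcb = svcb_rdata(1, "ns1.example.", ["dot"])
    ds = build_dsglue(0, "example.", TYPE_SVCB, 3600, svcb)
    print(parse_ds(ds))
```

The decoder keeps ordinary DS records untouched (they simply return None and go to the normal DNSSEC path), and the allow-list is applied on both the provisioning side and the consuming side, which is the cheap way to make the "NS in DS-GLUE versus NS in the registry" ambiguity impossible rather than merely documented.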