IETF Logo Mail Archive

Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq

Ben Schwartz <bemasc@google.com> Tue, 16 February 2021 17:01 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF4873A0AAF for <dns-privacy@ietfa.amsl.com>; Tue, 16 Feb 2021 09:01:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3LUDk1XlnLJ2 for <dns-privacy@ietfa.amsl.com>; Tue, 16 Feb 2021 09:01:26 -0800 (PST)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E525C3A0BFA for <dprive@ietf.org>; Tue, 16 Feb 2021 09:00:52 -0800 (PST)
Received: by mail-io1-xd36.google.com with SMTP id p132so10822597iod.11 for <dprive@ietf.org>; Tue, 16 Feb 2021 09:00:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Mr+I9uELK7Oj/oJEFReasAXPHQS1iCA81n6hpaHPVqo=; b=X18g/QOZ9yUqmQQ6b2yk/8uz3cXLBtivUxuCmwQSdiO8aY7V5XhkcgjMKE35xW33uz Zuryb3QgBxcjzGrW2ExtI/xMC6qUK3exAgjuyBWmUnXMhuX3sKpb8XaGNgqIJ04r0n8f emL8ZLbiFzfos+sMvrUi3st8ej0gtbC1OOFZSUqj7R3ox21nYUc/tExiQ2X+FCEGhw0I Rudz1gwfXk/vboPoXz0SPx13A0xax/eNO9doNEB93mALm2FbRMdIvo1QBSI+7Zt0/80a tzgmT5B+amzS0H4ErbODiSt22iEIFFqa1QfdOOxoQOna3+mYdLV9aaU3dWYjet0Lr8Ux 2R3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Mr+I9uELK7Oj/oJEFReasAXPHQS1iCA81n6hpaHPVqo=; b=Acwb4P0l+ba8yxiqwf2sSC5P8nrFgE2uqAAy4c6mT/xshyKbVlvknL656gR0CuIosU FOCGHp77BvWV1HESeV12MSRi//umGtAJXn7RyVuvsQYfmAege+B2TRS1Wc7Z1tKEkdUk BeJbcyN3w2yZYlbPxT4FgcYEcEGAWeZIGfFkWtp4wh8MmXCAKSsIyhU6jvHO/oddWanV I2HgQax2AGXeYNcbqeGREBW5a58v4m1YB79MoM+MoX9+TCopds+53ifl5fJx1yq1rfAl OMBM/J3kxveSBDuMunKixot2rPBJHNARoizvol0+UNcuFb3vJKO07qlnimEoan/sZi6i sVzg==
X-Gm-Message-State: AOAM530LOns99BWlMU3Ro+4HDvsH6ixF1rDfXoK5Yu2qxRDhxhYq0hM2 R2l3FPPNATUAB29Tl95tBpZt4HRNC3PtD8sR6KXGqA==
X-Google-Smtp-Source: ABdhPJxpSvF1rbJoHGAIggaMqGylfe9QjdOopZuYInzQwaQ9E5QSoYhCVeKXfCiVW5j3CsItIGaXI1BTDZpi8MDJSq0=
X-Received: by 2002:a02:c619:: with SMTP id i25mr15369962jan.13.1613494848496; Tue, 16 Feb 2021 09:00:48 -0800 (PST)
MIME-Version: 1.0
References: <CAHbrMsCOrS7Kz9WSKXRwwFiueaGZD1EGyuy98zi=9Qo5x3vTBw@mail.gmail.com> <81E638D5-378C-45A3-89D3-3FA0843A2CA2@nohats.ca>
In-Reply-To: <81E638D5-378C-45A3-89D3-3FA0843A2CA2@nohats.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 16 Feb 2021 12:00:37 -0500
Message-ID: <CAHbrMsDM6-Ma+X8eOKz-UvV8-EuoP663VJ2aD6r85eyjr6yy7Q@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Paul Hoffman <paul.hoffman@icann.org>, dprive@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000082ab7e05bb770b0f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/E2doJ-mE8JIVQ_UmoQeDCtqkkP0>
Subject: Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2021 17:01:33 -0000

On Tue, Feb 16, 2021 at 11:19 AM Paul Wouters <paul@nohats.ca> wrote:

> On Feb 16, 2021, at 10:23, Ben Schwartz <bemasc=
> 40google.com@dmarc.ietf.org> wrote:
>
>
> I don't see why there would be a conflict between
> draft-ietf-dprive-opportunistic-adotq and any future authenticated
> encryption RFC that we produce, so I don't see the need to impose a drastic
> dividing line (e.g. different port numbers).
>
>
> I explained that in my previous message. Opportunistic normally is “do
> encryption, then you may omit authentication if that is too hard”.
> Opportunistic is not “try this technology and maybe in the future try this
> completely other technology”.
>

These are not different technologies; they're precisely different usage
profiles of the same standard (RFC 8310).


> Here's a counter-proposal:
> 1. Mark draft-ietf-dprive-opportunistic-adotq "experimental".  This is in
> line with previous work on opportunistic encryption, e.g. RFC 8164, and
> accurately reflects the draft's status as both speculative and (hopefully)
> transitional.
> 2. Replace Section 5 with the following language:
>
> There is currently no defined mechanism for authenticated ADoT, so
> resolvers MUST NOT authenticate the server except by private agreement with
> the server operator.
>
>
> That makes using a LetsEncrypt certificate violate the RFC’s MUST NOT.
>

Serving under such a certificate would not violate this requirement.


> The “big scary” part of using TLS is in the transport that is common for
> authenticated and unauthenticated TLS.
>

I think the scary part is that an authenticated TLS failure (due to
misconfiguration, bug, overload, or rollback) results in an outage.
draft-ietf-dprive-opportunistic-adotq never results in an outage; you just
fall back to cleartext and pay a small latency penalty.

v2.23.0 | Report a Bug | By Email