[dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative

Paul Hoffman <paul.hoffman@icann.org> Thu, 06 August 2020 14:59 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8A2B3A080E for <dns-privacy@ietfa.amsl.com>; Thu, 6 Aug 2020 07:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnnC3FOiguDa for <dns-privacy@ietfa.amsl.com>; Thu, 6 Aug 2020 07:59:27 -0700 (PDT)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D9833A0826 for <dprive@ietf.org>; Thu, 6 Aug 2020 07:59:25 -0700 (PDT)
Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.7]) by ppa2.lax.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 076ExOxG018275 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <dprive@ietf.org>; Thu, 6 Aug 2020 14:59:25 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.595.3; Thu, 6 Aug 2020 07:59:23 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0595.003; Thu, 6 Aug 2020 07:59:23 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: "dprive@ietf.org" <dprive@ietf.org>
Thread-Topic: Possible use case: Opportunistic encryption for recursive to authoritative
Thread-Index: AQHWbAIrCADEuHAHPU2qpf4kMcK1pw==
Date: Thu, 6 Aug 2020 14:59:23 +0000
Message-ID: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_F32A518D-3967-4011-9793-81E4CA5B8FBD"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-08-06_12:2020-08-06, 2020-08-06 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/HbGPADuiWgX2HbRWUsOxXnHadd4>
Subject: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2020 14:59:29 -0000

Greetings again. The following is a short text-based version of my slides from last week's WG meeting. I'd like to find out if this is one of the use cases that the WG would be interested in dealing with.

Use case: Opportunistic encryption for recursive to authoritative

In this use case, a resolver operator says “I’m happy to use encryption with the authoritative servers if it doesn’t slow down getting answers by much”, and an authoritative server says “I’m happy to use encryption with the recursive resolvers if it doesn’t cost me much”.

Opportunistic encryption is defined in RFC 7535. From the abstract: "Protocol designs based on Opportunistic Security use encryption even when authentication is not available, and use authentication when possible, thereby removing barriers to the widespread use of encryption on the Internet."

The assumptions behind the use case are:
• More encryption is good for the Internet
• Resolver vendors are smart and motivated
• Most resolvers don’t validate with DNSSEC and may never want to
• Authoritative operators don’t care much about encryption, but some would turn it on because more encryption is good for the Internet
• Other use cases for authentication stronger than opportunistic may appear and would co-exist with this one

The other slides had thoughts about possible solutions that implement this use case, but before we go there, I wanted to find out if more than a handful of people here are interested in this use case. If so, I could turn the above into a draft with some possible solutions for us to bang on.

--Paul Hoffman