Re: [dns-privacy] Some additional signalling ideas
"Peter van Dijk" <peter.van.dijk@powerdns.com> Fri, 05 April 2019 08:50 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2C31201BE for <dns-privacy@ietfa.amsl.com>; Fri, 5 Apr 2019 01:50:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6gDtglp-8CMe for <dns-privacy@ietfa.amsl.com>; Fri, 5 Apr 2019 01:50:40 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4FF6120391 for <dns-privacy@ietf.org>; Fri, 5 Apr 2019 01:50:39 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id 1FC876A28A; Fri, 5 Apr 2019 10:50:37 +0200 (CEST)
Received: from [10.242.2.65] (unknown [10.242.2.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id DA1483C0066; Fri, 5 Apr 2019 10:50:36 +0200 (CEST)
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dns-privacy@ietf.org
Date: Fri, 05 Apr 2019 10:50:35 +0200
X-Mailer: MailMate (1.12.4r5594)
Message-ID: <F7308B81-4FC5-4691-9AB2-5ECB00983258@powerdns.com>
In-Reply-To: <20190331142202.GA2307@LK-Perkele-VII>
References: <CACsn0ck-SNweieak5Fn7TOLLZTvsQNo6+w3nezxKuZPq0Z4QNA@mail.gmail.com> <20190331142202.GA2307@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"; markup="markdown"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/HiqLSzeWRgwseOh6JiNBkScSq_o>
Subject: Re: [dns-privacy] Some additional signalling ideas
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2019 08:50:42 -0000
On 31 Mar 2019, at 16:22, Ilari Liusvaara wrote: > DS is signed, and has algorithm field. Supposedly unknown algorithms > are ignored, but there are buggy nameservers out there that break if > all DS entries have unknown algorithm. And turns out abusing DS > records also runs into issues with "cloud" DNS provoders. Do you know of any name servers out there that have a problem with it, other than Knot Resolver, 1.1.1.1 and 8.8.8.8? (who all should be fixed soonish) > Adding another RRtype with needed magic properties would take > Standards > Action (as expert review requires RRtype not to be magic) and then > updating parent nameservers to be able to deal with the RRtype (since > it can not be generically handled). And trying to add extra fields to > NS or DS is sure to cause horrible borkage. I think adding fields might be even more painful than adding a new type. Neither seem feasible options to me. > Adding records at child side of cut has its own issues, namely that > retroactive authentication can be annoying to implement, and it is > more difficult to make the thing work without full DNSSEC chain > (glue records, if parent supports that?). manu’s proposal explicitly targeted unsigned delegations, which I also think is an important use case. Glue records are never signed. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/
- [dns-privacy] Some additional signalling ideas Watson Ladd
- Re: [dns-privacy] Some additional signalling ideas Ralf Weber
- Re: [dns-privacy] Some additional signalling ideas Ilari Liusvaara
- Re: [dns-privacy] Some additional signalling ideas Watson Ladd
- Re: [dns-privacy] Some additional signalling ideas Paul Wouters
- Re: [dns-privacy] Some additional signalling ideas Alexander Mayrhofer
- Re: [dns-privacy] Some additional signalling ideas Stephen Farrell
- Re: [dns-privacy] Some additional signalling ideas Alexander Mayrhofer
- Re: [dns-privacy] Some additional signalling ideas Tony Finch
- Re: [dns-privacy] Some additional signalling ideas Peter van Dijk
- Re: [dns-privacy] Some additional signalling ideas Ilari Liusvaara
- Re: [dns-privacy] Some additional signalling ideas Ralf Weber