Re: [dns-privacy] [Ext] Threat Model

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 04 November 2019 21:36 UTC

References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <1a70035e-edef-a3f4-ea91-52409ba37828@icann.org> <CABcZeBPAtvf3RU2gKWzyTaNwd6NBGsBuxq+n6r0W6-2RCnivSA@mail.gmail.com> <17189d1a-7689-f68d-6fe3-8d704af614a3@icann.org> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 04 Nov 2019 13:36:32 -0800
Message-ID: <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Paul Wouters <paul@nohats.ca>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Paul Hoffman <paul.hoffman@icann.org>, Warren Kumari <warren@kumari.net>, Eric Rescorla <ekr@rtfm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/K_CNoHNZc4yRC1Wg1w79kOA-DOI>

On Mon, Nov 4, 2019 at 12:37 PM Tony Finch <dot@dotat.at> wrote:

> Paul Wouters <paul@nohats.ca> wrote:
> >
> > The right way to do this is a DNSKEY flag, which is protected by the
> > signed DS at the parent. Similar to draft-powerbind for the
> > delegation-only domain.
>
> That's per-zone, though, whereas DoT support is per-server.
>

Well, it kind of depends, i.e. yes and no.

E.g. a DNS hosting provider might (or might not) apply the DoT support to
all the zones hosted on a given server, which has the effect of being
per-server, while still being implemented at a per-zone level.

Per-zone also is much friendlier to multi-provider (primary/secondary), in
those cases, i.e. prevents targeted downgrades on such zones (presuming the
secondary actually serves on the DoT port).

The names of the servers (and certificate management) would be orthogonal
to the signaling of DoT support. I would expect the TLSA records would be
per-server and orthogonal to the per-zone signaling of DoT support.

(The analogy would be routing registries and routing announcements. You
have to have the registration done first before the announcement, but the
registration and the announcement are distinct elements. Similar also to DS
and DNSKEY records.)

Brian


>
> DS records that somehow encode NS target names in their rdata might
> work...
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> partnership and community in all areas of life
>
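As an added illustration (not part of the thread, and not code from any of the participants): the reason a DNSKEY flag is "protected by the signed DS at the parent" is that the DS digest is computed over the owner name plus the entire DNSKEY RDATA, flags field included (RFC 4034 section 5.1.4), so any change to the flags breaks the DS match. The Python below builds a constructed DNSKEY with the real ZONE and SEP bits plus a hypothetical "served over DoT" flag bit (the bit value is an assumption made for this example; no RFC assigns it), derives the DS digest the parent would sign, and shows that the same key with that bit stripped no longer matches. The key bytes and zone name are made up. The TLSA/per-server side is deliberately left out, since it is orthogonal to this per-zone check.

```python
import hashlib
import hmac
import struct

# Real DNSKEY flag bits (RFC 4034 section 2.1): ZONE key and Secure Entry Point.
FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001
# Assumption for this example only: a hypothetical "zone is served over DoT" flag
# bit, in the spirit of the draft-powerbind delegation-only bit. No RFC assigns
# this bit; it is chosen here purely to show that DS covers the flags field.
HYPOTHETICAL_DOT_FLAG = 0x0040

# Constructed public key bytes and zone name (not a real key, not a real zone).
EXAMPLE_PUBKEY = bytes(range(1, 33))
EXAMPLE_OWNER = "example.com."


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dnskey(flags, pubkey=EXAMPLE_PUBKEY, algorithm=13):
    """DNSKEY RDATA: flags (16 bits) | protocol (8 bits, always 3) | algorithm (8 bits) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-algorithm-1 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name wire form || DNSKEY RDATA).
    digest_type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()


def downgrade_detected(owner, parent_ds_digest, child_dnskey_rdata, digest_type=2):
    """True if the DNSKEY presented by the child does not match the parent's signed DS.
    Constant-time comparison so the check itself leaks nothing about the digest."""
    return not hmac.compare_digest(
        ds_digest(owner, child_dnskey_rdata, digest_type), parent_ds_digest
    )


def demo():
    # The zone owner publishes a KSK with the hypothetical DoT flag set, and the
    # parent signs a DS computed over exactly that DNSKEY RDATA.
    honest = build_dnskey(FLAG_ZONE_KEY | FLAG_SEP | HYPOTHETICAL_DOT_FLAG)
    parent_ds = ds_digest(EXAMPLE_OWNER, honest)
    # An on-path attacker strips the flag to make the zone look like it has no DoT.
    stripped = build_dnskey(FLAG_ZONE_KEY | FLAG_SEP)
    return {
        "honest_matches_ds": not downgrade_detected(EXAMPLE_OWNER, parent_ds, honest),
        "stripped_detected": downgrade_detected(EXAMPLE_OWNER, parent_ds, stripped),
        # The key tag changes too, so the DS would not even be matched by tag.
        "key_tag_changes": key_tag(honest) != key_tag(stripped),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the three checks. This is only the DS half of validation: a real validating resolver also verifies the RRSIG over the DNSKEY RRset with the key the DS points to, which is what stops the attacker from simply re-signing a flag-stripped DNSKEY with a key of their own.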