Re: [dns-privacy] [Ext] Threat Model
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 04 November 2019 21:36 UTC
In-Reply-To: <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 04 Nov 2019 13:36:32 -0800
Message-ID: <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Paul Wouters <paul@nohats.ca>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Paul Hoffman <paul.hoffman@icann.org>, Warren Kumari <warren@kumari.net>, Eric Rescorla <ekr@rtfm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/K_CNoHNZc4yRC1Wg1w79kOA-DOI>
Subject: Re: [dns-privacy] [Ext] Threat Model
On Mon, Nov 4, 2019 at 12:37 PM Tony Finch <dot@dotat.at> wrote:

> Paul Wouters <paul@nohats.ca> wrote:
> >
> > The right way to do this is a DNSKEY flag, which is protected by the
> > signed DS at the parent. Similar to draft-powerbind for the
> > delegation-only domain.
>
> That's per-zone, though, whereas DoT support is per-server.
>

Well, it kind of depends, i.e. yes and no.

E.g. a DNS hosting provider might (or might not) apply the DoT support to all the zones hosted on a given server, which has the effect of being per-server, while still being implemented at a per-zone level.

Per-zone also is much friendlier to multi-provider (primary/secondary), in those cases, i.e. prevents targeted downgrades on such zones (presuming the secondary actually serves on the DoT port).

The names of the servers (and certificate management) would be orthogonal to the signaling of DoT support.

I would expect the TLSA records would be per-server and orthogonal to the per-zone signaling of DoT support.

(The analogy would be routing registries and routing announcements. You have to have the registration done first before the announcement, but the registration and the announcement are distinct elements. Similar also to DS and DNSKEY records.)

Brian

>
> DS records that somehow encode NS target names in their rdata might
> work...
>
> Tony.
> --
> f.anthony.n.finch <dot@dotat.at> http://dotat.at/
> partnership and community in all areas of life
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
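The split the message describes (a per-zone "DoT supported" signal carried in a DS-protected DNSKEY flag, with per-server TLSA records and port-853 reachability handled orthogonally) can be modelled in a few lines. The following is an added example and is not code from the thread, from draft-powerbind, or from any resolver. The DNSKEY wire layout and the ZONE and SEP bits are the real RFC 4034 values; the `DOT_FLAG` bit is a hypothetical placeholder (no such flag is registered), and the server names, TLSA bytes and key bytes are constructed sample data. The `validation` verdict is assumed to come from the caller's DNSSEC validator, which is what ties the flag back to the parent's signed DS.

```python
import struct

ZONE_FLAG = 0x0100  # RFC 4034 s2.1.1, bit 7: this key is a zone key
SEP_FLAG = 0x0001   # RFC 4034 s2.1.1, bit 15: Secure Entry Point
DOT_FLAG = 0x0002   # HYPOTHETICAL placeholder bit standing in for "DoT supported"; not a registered flag


def build_dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """Serialise DNSKEY RDATA (RFC 4034 s2.1 layout); used here only to construct sample records."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey_rdata(rdata):
    """Split DNSKEY RDATA into its fields; the 16-bit flags word is where the signal lives."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s2.1.2)")
    return {"flags": flags, "algorithm": algorithm, "key": rdata[4:]}


def zone_signals_dot(dnskey_rrset, validation):
    """Per-zone decision.

    validation is the DNSSEC validator's verdict for the DNSKEY RRset (assumed input):
      'secure'   the chain from the parent's signed DS verified, so the flag is trustworthy
      'insecure' unsigned zone (no DS): the flag cannot be protected, so no signal
      'bogus'    signatures failed (e.g. a stripped flag): an error, never "no DoT"
    """
    if validation == "bogus":
        raise ValueError("DNSKEY RRset failed validation; refusing to infer transport policy")
    if validation != "secure":
        return False
    return any((k["flags"] & ZONE_FLAG) and (k["flags"] & DOT_FLAG)
               for k in map(parse_dnskey_rdata, dnskey_rrset))


def choose_transport(zone_dot, server):
    """Per-server decision, orthogonal to the zone flag.

    server: {'dot_port_open': bool, 'tlsa': bytes or None} for one NS target name.
    """
    if not zone_dot:
        return "do53"      # no per-zone signal: plain DNS, as today
    if not server["dot_port_open"]:
        return "fail"      # flagged zone but no listener on 853: never fall back to cleartext
    return "dot+dane" if server.get("tlsa") else "dot"


def plan_transports(dnskey_rrset, validation, servers):
    """Combine the one per-zone signal with each server's own properties."""
    zone_dot = zone_signals_dot(dnskey_rrset, validation)
    return {name: choose_transport(zone_dot, s) for name, s in servers.items()}


# Constructed sample data: not real keys, hosts or TLSA records.
SAMPLE_KEY = b"\x00" * 8
DNSKEY_RRSET = [
    build_dnskey_rdata(ZONE_FLAG | SEP_FLAG | DOT_FLAG, 13, SAMPLE_KEY),  # KSK carrying the signal
    build_dnskey_rdata(ZONE_FLAG, 13, SAMPLE_KEY),                        # ZSK, no signal bit
]
SERVERS = {
    "ns1.primary.example": {"dot_port_open": True, "tlsa": b"\x03\x01\x01" + b"\x11" * 32},
    "ns2.secondary.example": {"dot_port_open": True, "tlsa": None},
    "ns3.legacy.example": {"dot_port_open": False, "tlsa": None},
}

if __name__ == "__main__":
    for name, transport in plan_transports(DNSKEY_RRSET, "secure", SERVERS).items():
        print(f"{name:24s} {transport}")
```

The third server illustrates the caveat in the message: once the zone's validated flag says DoT, a secondary that does not actually listen on the DoT port is a failure for that server, not a silent downgrade to cleartext. Tampering with the flag itself changes the signed RRset, so it surfaces as a `bogus` verdict from the validator rather than as a missing signal.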