IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Authentication in draft-ietf-dprive-opportunistic-adotq

Paul Hoffman <paul.hoffman@icann.org> Tue, 16 February 2021 15:41 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEAA13A0060; Tue, 16 Feb 2021 07:41:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VjA6FiiDRcHK; Tue, 16 Feb 2021 07:41:12 -0800 (PST)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77DD43A003F; Tue, 16 Feb 2021 07:41:12 -0800 (PST)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa4.dc.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 11GFf9dR017227 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 16 Feb 2021 15:41:09 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.721.2; Tue, 16 Feb 2021 07:41:08 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0721.006; Tue, 16 Feb 2021 07:41:08 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
CC: "dprive@ietf.org" <dprive@ietf.org>
Thread-Topic: [Ext] [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq
Thread-Index: AQHXBHokbkv4RIbOK0y6q/7Dl2YNXQ==
Date: Tue, 16 Feb 2021 15:41:07 +0000
Message-ID: <9B911C9E-B93E-437C-B928-B77166669444@icann.org>
References: <230F580F-BA87-4921-B45B-2909ACE385B1@icann.org> <CAHbrMsCOrS7Kz9WSKXRwwFiueaGZD1EGyuy98zi=9Qo5x3vTBw@mail.gmail.com>
In-Reply-To: <CAHbrMsCOrS7Kz9WSKXRwwFiueaGZD1EGyuy98zi=9Qo5x3vTBw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_0AA83C2B-ADF3-4819-BE1A-1A86AEB238F9"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-02-16_04:2021-02-16, 2021-02-16 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/LMAOjcd0q7VSmbZQiSdievXoznA>
Subject: Re: [dns-privacy] [Ext] Authentication in draft-ietf-dprive-opportunistic-adotq
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2021 15:41:14 -0000

On Feb 16, 2021, at 7:23 AM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> I don't see why there would be a conflict between draft-ietf-dprive-opportunistic-adotq and any future authenticated encryption RFC that we produce, so I don't see the need to impose a drastic dividing line (e.g. different port numbers).
> 
> Here's a counter-proposal:
> 1. Mark draft-ietf-dprive-opportunistic-adotq "experimental".  This is in line with previous work on opportunistic encryption, e.g. RFC 8164, and accurately reflects the draft's status as both speculative and (hopefully) transitional.
> 2. Replace Section 5 with the following language:
> 
> There is currently no defined mechanism for authenticated ADoT, so resolvers MUST NOT authenticate the server except by private agreement with the server operator.  Server operators SHOULD use self-signed certificates to avoid implying an authentication mechanism that might conflict with a future ADoT authentication standard.

That seems fine. (Well, "self-issued" is the proper term, and we'd have to elaborate a bit on how to do that, but yes). This also works well with PaulW's prooposed sentinel.

> As I've said before, I _do_ think this draft is valuable and presents a worthwhile public experiment that will pave the way for authenticated ADoT.  For DNS services that are used to DNS over UDP, running DNS over TLS is a big, scary project.  This draft can provide a way to get some practice with that in a low-risk setting, where TLS-related failures are not significantly user-visible.  Once operators are comfortable with DNS over TLS, I think it will be a lot easier to start rolling out some real authentication.

Indeed.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email