Re: [dns-privacy] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features

Paul Wouters <paul@nohats.ca> Wed, 26 May 2021 20:12 UTC

From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Wed, 26 May 2021 16:12:05 -0400
Message-Id: <8C16577A-9A2A-465F-AD49-ED6B3EB0ED0E@nohats.ca>
References: <CABcZeBP5vCNJ3cPrwmAxo_YMkHMAQkw6RtN4Pt+ueo5wCXTyGA@mail.gmail.com>
Cc: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>, DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CABcZeBP5vCNJ3cPrwmAxo_YMkHMAQkw6RtN4Pt+ueo5wCXTyGA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/NTCOsqhocH1THN5_2ycu2wQbDp8>
Subject: Re: [dns-privacy] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features

On May 26, 2021, at 15:50, Eric Rescorla <ekr@rtfm.com> wrote:
> 
>> The SVCB glue is just a slight optimization.  I don't think it can even save latency, just a packet per NS (and only in cases where the SVCB exists).
>> 
> As noted in my presentation, it's more than an optimization. It's an important security function in cases where the sensitive domain name is the apex.

Can you clarify what you mean? Isn’t the APEX of the domain name the domain name?

I suspect you mean to say if the NS record is in bailiwick of the domain, e.g. ns0.nohats.ca serving the domain nohats.ca.

If so, then the IP address and glue is also available in the parent zone, and connecting encrypted to 193.110.157.102 is trivial to track down as talking to ns0.nohats.ca. How long does it take to run “dig ns $name.ca @a.ca-servers.ca” for all domain names you find ending in .ca?

If not, then I would like to understand better what you are trying to protect.

Paul
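The privacy argument in the message above can be made concrete as an anonymity-set calculation: given the destination address of an encrypted resolver-to-authoritative connection, how many delegated zones could that query be about? The following is an added example, not code from the thread or from either draft; the zone names, name-server names and addresses are constructed, and the functions `ip_to_zones` and `anonymity_set` are hypothetical helpers written for this illustration. It models the two cases Paul describes: an in-bailiwick name server whose glue in the parent zone ties the address to exactly one zone, and a shared out-of-bailiwick name server whose address is associated with several zones.

```python
from collections import defaultdict

# Constructed excerpt of a parent zone's delegations (hypothetical names and
# addresses, not taken from the thread). Each tuple is
# (delegated zone, NS target name, glue address or None when no glue is carried).
PARENT_ZONE_DELEGATIONS = [
    ("example-a.test", "ns0.example-a.test", "192.0.2.10"),  # in-bailiwick NS: parent carries glue
    ("example-b.test", "ns1.hoster.test", None),             # out-of-bailiwick NS: no glue needed
    ("example-c.test", "ns1.hoster.test", None),
    ("example-d.test", "ns1.hoster.test", None),
]

# Constructed: addresses of out-of-bailiwick name servers, as an observer would
# learn them by resolving the NS target names separately.
RESOLVED_NS_ADDRESSES = {"ns1.hoster.test": "198.51.100.5"}


def ns_addresses(delegations, resolved):
    """Map each NS target name to every address an observer can associate with it."""
    addrs = defaultdict(set)
    for _zone, ns_name, glue in delegations:
        if glue:
            addrs[ns_name].add(glue)
        if ns_name in resolved:
            addrs[ns_name].add(resolved[ns_name])
    return addrs


def ip_to_zones(delegations=PARENT_ZONE_DELEGATIONS, resolved=RESOLVED_NS_ADDRESSES):
    """Invert the delegation data: which delegated zones are served from each address."""
    addrs = ns_addresses(delegations, resolved)
    mapping = defaultdict(set)
    for zone, ns_name, _glue in delegations:
        for ip in addrs.get(ns_name, ()):
            mapping[ip].add(zone)
    return mapping


def anonymity_set(observed_ip, delegations=PARENT_ZONE_DELEGATIONS,
                  resolved=RESOLVED_NS_ADDRESSES):
    """Zones a passive observer can infer from the destination address alone.

    A result of length 1 means the encrypted transport hides the QNAME but the
    destination address already identifies the zone (the in-bailiwick case).
    An empty result means the address is not tied to any delegation the
    observer knows about.
    """
    return sorted(ip_to_zones(delegations, resolved).get(observed_ip, set()))


def exposure_report(delegations=PARENT_ZONE_DELEGATIONS, resolved=RESOLVED_NS_ADDRESSES):
    """Per-address anonymity-set sizes, useful for judging what encryption alone buys."""
    return {ip: len(zones) for ip, zones in ip_to_zones(delegations, resolved).items()}


if __name__ == "__main__":
    for ip, size in sorted(exposure_report().items()):
        print(f"{ip}: {size} candidate zone(s) -> {anonymity_set(ip)}")
```

Running the block prints one line per address. The in-bailiwick address maps to a single zone, which is the point made in the message: encrypting the transport does not hide which zone is being queried when the parent's glue already binds the address to that zone. The shared hoster address yields three candidates, so the observer learns only the hosting provider, not the specific zone.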