Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 15 February 2021 23:15 UTC



On 15/02/2021 23:05, Eric Rescorla wrote:
> Sure, I can believe that. I'm not any kind of DNS expert, but it's hard to
> believe we can't invent *some* signal that you use to ask whoever served
> you the NS records.

Yep. I think someone had a presentation a while back about
how all the approaches considered so far were dead ends or
impractical and why.

So it may be that a new RRTYPE is needed, in which case, I
gotta ask why that has a better chance than DNSSEC+DANE, as
those seem similarly challenging to me.

Of course, if there were something that strongly motivated
DNS actors (registrars, TLDs, server operators) that'd be
different but I don't think I've heard of anything that's
attractive like that and that meets this requirement. (So
there's no equivalent of the HTTPS RRTYPE here that's been
suggested so far and that appeals to almost all actors.)

Cheers,
S.