Re: [dns-privacy] [Ext] Revised opportunistic encryption draft

Eric Rescorla <ekr@rtfm.com> Fri, 30 October 2020 19:33 UTC

References: <C0CBEBC5-D28A-46C0-AE50-078710015466@icann.org> <alpine.LRH.2.23.451.2010301202350.2587497@bofh.nohats.ca> <2444B21B-9465-4A5B-97CC-AF809309300A@icann.org>
In-Reply-To: <2444B21B-9465-4A5B-97CC-AF809309300A@icann.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 30 Oct 2020 12:32:32 -0700
Message-ID: <CABcZeBPZFY9aQ5Nb0q_4uTMFRbY3-S2rus4vaeLaUmvU+h_ftg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: Paul Wouters <paul@nohats.ca>, "dprive@ietf.org" <dprive@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/RnS9Ivip6oFJLsslBl6cOEXqCac>

On Fri, Oct 30, 2020 at 10:03 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Oct 30, 2020, at 9:11 AM, Paul Wouters <paul@nohats.ca> wrote:
> > I still believe the cost of authenticating a DNS(SEC) server is so low
> > these days (with ACME available at no cost and with full automation)
> > that this draft is better not done.
>
> The cost in terms of CPU cycles is indeed low. That is not the cost that
> is being considered when choosing opportunistic encryption. There is a real
> cost to the system if entire zones get server failures due to
> authentication mistakes made by the authoritative servers (not renewing
> certificates, errors in TLSA records, upstream validation problems that
> cause TLSA records not to validate, ...) or resolvers (dropping trust
> anchors that are in use, bad validation logic for TLSA, ...).
>

How is this different from the transition of the Web to HTTPS? Sure, there
can be misconfigurations of various kinds, but good operational practices
can minimize these, and in return you get strong security.

-Ekr