Re: [dns-privacy] Intermediate proposal (what I was saying at the mic)
Ben Schwartz <bemasc@google.com> Tue, 03 August 2021 20:35 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92ED23A31E9 for <dns-privacy@ietfa.amsl.com>; Tue, 3 Aug 2021 13:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.097
X-Spam-Level:
X-Spam-Status: No, score=-18.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6c1hFmUSVEmi for <dns-privacy@ietfa.amsl.com>; Tue, 3 Aug 2021 13:35:02 -0700 (PDT)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A96013A1A3B for <dns-privacy@ietf.org>; Tue, 3 Aug 2021 13:35:02 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id l11-20020a7bcf0b0000b0290253545c2997so167294wmg.4 for <dns-privacy@ietf.org>; Tue, 03 Aug 2021 13:35:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eJ0xQyN9mf+fPCrBBkKpVUwoSFjZ/1vTMzmNwIPLPZU=; b=dT8ABXjps3eBCbYlApxAnJX7ILXWijRl8wHNMQiMWiZjXzk4QPZ6LFnZRWhJRJq2MJ 7mWFT7DLYgPqfJAVv4EhYNe+LSBQ37ycCSzkpqvJOKnoIrK+Au4LeZVrSZZfN5AfBzeE rG9JGEhH8kIv1OfYfYaROS6SF/DBrP9bs+93r86XNXIsBfTrxBiAJr/TOXvS8e9Xd9vc tbrC1Q8huYFCZeqCc4m/Zfnn7rwzvt3eomeZ12Mszd2orKWPWPyfBtWl3ES8xmQ7DnP7 dlH7Mbxusw9Hnzg3hDZ4NZKC9kJXkhqtNt3ZxWR918Q4ko49EvCl3lGfuYNMUSmURcOH xIBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eJ0xQyN9mf+fPCrBBkKpVUwoSFjZ/1vTMzmNwIPLPZU=; b=ich8gXUq4ZesEAImSxbBTN6CZNcovE/pqsZ5czastiXEJggHOhChADimQ5brvcWmqe kFVi6DHYyQ+dUucnfl8+YCZXcmVKB0FizBjg136AiG4Kw2ROTxV6XnEfW3QZFi9xIOIz 0laztK6j/YXlKRMQ9nmYdr67QlO8zVkLh7PXxbugRYss9S5bKdRCzz0eosi+ZES7kz5V HsRcnW5OzVGr+TPyFA8ELpIEz9NEh2qbmMe4GcIauPdVD9dUyRgxxqsfLpxH/6IDA18B oZ1A3j+wGGKgMTCXudIqXkSRlRLQzH/JoWwoFuXk/squ/L07jeZAydthhOqg500jkdDD ARrw==
X-Gm-Message-State: AOAM531G72F1oHeGUiFPIf1wpUQXgWBgwBZq719vW7ZwJ/oCgjjhkTgN QAehHd+gJtryz5bAmhk6dVsOYtHBJL8D1o7wOSi2wMQTg5lNTA==
X-Google-Smtp-Source: ABdhPJx9+YywsDlFOmZ1ex1Wu1/IzqnQCc8J2lvkHrQZX5fFh7OnAJuvxj4RmkCk9mVU4j6vngo6zpGjEzfVw0abTAE=
X-Received: by 2002:a1c:5449:: with SMTP id p9mr6117508wmi.101.1628022900285; Tue, 03 Aug 2021 13:35:00 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBNRZsyjd-M_hKOwxdqY=Y7oZs5-d4waqPHb9gO-GJNV+Q@mail.gmail.com> <8b2ac283-614e-40d2-b6bf-5e67d5324aaa@www.fastmail.com> <CABcZeBM+rBLgUs+xzyhTOjCFuPdjUDPDMeFL6CAXanDaicC+Pg@mail.gmail.com>
In-Reply-To: <CABcZeBM+rBLgUs+xzyhTOjCFuPdjUDPDMeFL6CAXanDaicC+Pg@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 03 Aug 2021 16:34:48 -0400
Message-ID: <CAHbrMsA3ROoeeDXm_HpXP73uFjVrEQUycQ0OR0e6JE0hCoS1sw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Martin Thomson <mt@lowentropy.net>, DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000afe56805c8ad9e4f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/TgRkouf51GA2484rvxMCzlBPomg>
Subject: Re: [dns-privacy] Intermediate proposal (what I was saying at the mic)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Aug 2021 20:35:08 -0000
In my view, 1. We should provide guidance on how to do unauthenticated DoT/Q using default-port probing, like we used to have in https://datatracker.ietf.org/doc/html/draft-ietf-dprive-opportunistic-adotq-00 . 2. Publishing a SVCB record should indicate support for authenticated encryption. Nameservers that don't support authenticated encryption can offer opportunistic encryption based on default-port probing. 3. We should allow nameservers to indicate support for authentication via common PKI, DANE, or both. 4. SVCB and TLSA records are a firm promise, but resolver behavior is always up to the operator. They can choose whether to "fail closed", skip authentication, fall back to UDP, etc. On Mon, Aug 2, 2021 at 9:11 AM Eric Rescorla <ekr@rtfm.com> wrote: > > > On Sun, Aug 1, 2021 at 9:22 PM Martin Thomson <mt@lowentropy.net> wrote: > >> On Fri, Jul 30, 2021, at 06:08, Eric Rescorla wrote: >> > - Recursives can attempt to connect to any authoritative by probing >> > with DoT/DoQ [0]. In this case, they should cleanly fall back to >> > Do53 on connect failure and not validate the credential (whether >> > WebPKI or DANE) This allows authoritatives to just turn on TLS >> > without risk. >> >> I assume that your MUST NOT validate here only exists because of the >> combination of: >> >> 1. Us not being able to decide between Web PKI and DANE; and >> > > Largely, though it also allows for incremental rollout and a new auth > mechanism. > > 2. The potential for an unauthenticated mode. >> >> If we decided on a single answer for the first and in the negative for >> the second, would that make authentication viable? Or is the opportunism a >> feature? >> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy >> > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] Intermediate proposal (what I was s… Eric Rescorla
- Re: [dns-privacy] Intermediate proposal (what I w… Paul Wouters
- Re: [dns-privacy] Intermediate proposal (what I w… Eric Rescorla
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… Paul Hoffman
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… Robert Evans
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… Paul Hoffman
- Re: [dns-privacy] Intermediate proposal (what I w… Martin Thomson
- Re: [dns-privacy] Intermediate proposal (what I w… Christian Huitema
- Re: [dns-privacy] Intermediate proposal (what I w… Eric Rescorla
- [dns-privacy] ADoX experiments (was: Re: Intermed… Stephen Farrell
- Re: [dns-privacy] Intermediate proposal (what I w… Ben Schwartz
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… Paul Hoffman
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… Ben Schwartz
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… Paul Hoffman
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… Ben Schwartz
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… libor.peltan
- Re: [dns-privacy] [Ext] Intermediate proposal (wh… Brian Dickson
- Re: [dns-privacy] ADoX experiments (was: Re: Inte… Brian Haberman
- Re: [dns-privacy] ADoX experiments (was: Re: Inte… Stephen Farrell
- [dns-privacy] scope of authoritative signalling [… Daniel Kahn Gillmor
- Re: [dns-privacy] scope of authoritative signalli… Brian Dickson
- Re: [dns-privacy] scope of authoritative signalli… Peter van Dijk
- Re: [dns-privacy] ADoX experiments (was: Re: Inte… Brian Haberman
- Re: [dns-privacy] ADoX experiments (was: Re: Inte… Bill Woodcock
- Re: [dns-privacy] ADoX experiments (was: Re: Inte… Bill Woodcock
- Re: [dns-privacy] ADoX experiments (was: Re: Inte… Christian Huitema
- Re: [dns-privacy] ADoX experiments (was: Re: Inte… Bill Woodcock