Re: [dns-privacy] [Ext] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)

Paul Wouters <paul@nohats.ca> Thu, 21 September 2023 01:47 UTC

Date: Wed, 20 Sep 2023 21:47:36 -0400
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@icann.org>
cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "draft-ietf-dprive-unilateral-probing@ietf.org" <draft-ietf-dprive-unilateral-probing@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "brian@innovationslab.net" <brian@innovationslab.net>, Tim Wicinski <tjw.ietf@gmail.com>
In-Reply-To: <DAB97721-531B-4373-A2E8-869066EC2107@icann.org>
Message-ID: <5f2b4e03-e856-ed20-2953-cf8305b2ea8e@nohats.ca>
References: <169515596369.29731.2162345695284193885@ietfa.amsl.com> <C2BFFD12-6C91-4433-91B1-0D6F15B3A446@icann.org> <6f68e771-fd77-3019-6f8b-ea477acb7b78@nohats.ca> <DAB97721-531B-4373-A2E8-869066EC2107@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/TtPm4ryDMK6r1_Fpgs8CHxfBLrc>
Subject: Re: [dns-privacy] [Ext] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)

On Wed, 20 Sep 2023, Paul Hoffman wrote:

>> That might not be the case. As with "null encryption", these modes are
>> more and more being removed from code bases to avoid exploits.
>
> At that point, you couldn't use the library any more, correct?

At that point, you would not have a library anymore that you can use, as
all libraries will do some basic verification checks regardless. And
mainstream DNS server software vendors are not going to write their
own crypto code to work around that.

>> I also do find the value of using self-signed certs over ACME certs
>> on the auth server pretty low. It's pretty easy to give a nameserver
>> with a static name an automatic ACME based certificate. With the
>> "opportunistic" part being that if the cert fails, to go back to Do53.
>
> Is there widespread availability for "ACME certs" for authoritative DNS name servers that have no web server component reasonably available now? When I looked a few years ago, they weren't at all.

The DNS challenge method, yes. I think it is as old as the web method.
Which is why I've kept saying it should be very very easy for a DNS
server to put in a record and run ACME. I personally use dehydrated,
see https://github.com/dehydrated-io/dehydrated/wiki#dns-providers

Paul
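The "put in a record and run ACME" step for a nameserver, as an added example that is not from this thread and not dehydrated's own code: a hypothetical dehydrated hook script that publishes the DNS-01 challenge TXT record through an RFC 2136 dynamic update and waits until the record is visible before returning, so the CA's validation query does not race the zone update. The server name ns1.example.net, the TSIG key path /etc/acme/tsig.key and the presence of nsupdate and dig are assumptions.

```shell
#!/usr/bin/env bash
# Hypothetical dehydrated hook script (added example; not dehydrated's own
# code and not Paul's setup). dehydrated invokes it as
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
# Assumed: the zone's primary ($DNS_SERVER) accepts RFC 2136 dynamic updates
# signed with the TSIG key in $TSIG_KEYFILE.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/acme/tsig.key}"
TTL=60

# Owner name of the DNS-01 challenge record (RFC 8555, section 8.4).
challenge_name() {
  printf '_acme-challenge.%s.' "$1"
}

# Print the nsupdate script that adds or deletes the challenge TXT record.
nsupdate_script() {
  local action="$1" domain="$2" value="$3" name
  name="$(challenge_name "$domain")"
  printf 'server %s\n' "$DNS_SERVER"
  case "$action" in
    add)    printf 'update add %s %d IN TXT "%s"\n' "$name" "$TTL" "$value" ;;
    delete) printf 'update delete %s IN TXT "%s"\n' "$name" "$value" ;;
    *)      echo "unknown action: $action" >&2; return 1 ;;
  esac
  printf 'send\n'
}

# Poll the primary until the TXT value is visible, so the CA's validation
# query does not race ahead of the zone update (a common DNS-01 failure mode).
wait_for_txt() {
  local domain="$1" value="$2" tries=30
  while [ "$tries" -gt 0 ]; do
    dig +short @"$DNS_SERVER" TXT "$(challenge_name "$domain")" \
      | grep -qF "\"$value\"" && return 0
    sleep 2; tries=$((tries - 1))
  done
  echo "TXT record for $domain never became visible" >&2
  return 1
}

case "${1:-}" in
  deploy_challenge) nsupdate_script add "$2" "$4" | nsupdate -k "$TSIG_KEYFILE"
                    wait_for_txt "$2" "$4" ;;
  clean_challenge)  nsupdate_script delete "$2" "$4" | nsupdate -k "$TSIG_KEYFILE" ;;
  *) : ;;  # deploy_cert etc. would reload the DNS server's TLS listener here
esac
```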