IETF Logo Mail Archive

Re: [dns-privacy] ADoX experiments (was: Re: Intermediate proposal (what I was saying at the mic))

Bill Woodcock <woody@pch.net> Tue, 31 August 2021 15:36 UTC

Return-Path: <woody@pch.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59D873A1928 for <dns-privacy@ietfa.amsl.com>; Tue, 31 Aug 2021 08:36:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0tItlpEDSZjE for <dns-privacy@ietfa.amsl.com>; Tue, 31 Aug 2021 08:36:10 -0700 (PDT)
Received: from mail.pch.net (keriomail.pch.net [206.220.231.84]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00B763A192B for <dns-privacy@ietf.org>; Tue, 31 Aug 2021 08:36:09 -0700 (PDT)
X-Footer: cGNoLm5ldA==
Received: from smtpclient.apple ([69.166.14.2]) by mail.pch.net (Kerio Connect 9.2.7 patch 3) with ESMTPS (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)) for dns-privacy@ietf.org; Tue, 31 Aug 2021 08:36:08 -0700
From: Bill Woodcock <woody@pch.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_6985995A-4E3D-41DC-99C5-26B199917776"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Tue, 31 Aug 2021 17:36:05 +0200
References: <CABcZeBNRZsyjd-M_hKOwxdqY=Y7oZs5-d4waqPHb9gO-GJNV+Q@mail.gmail.com> <8b2ac283-614e-40d2-b6bf-5e67d5324aaa@www.fastmail.com> <9f184e77-056a-3a49-8832-249d36bbab82@cs.tcd.ie> <4cdc1d2f-47cb-9c23-f049-cf1ebf6717a5@innovationslab.net> <1a6d0690-3d03-b265-ac8d-ad5017e2aedf@innovationslab.net> <AD432442-796F-408C-89ED-CE0396B2B078@pch.net>
To: dns-privacy@ietf.org
In-Reply-To: <AD432442-796F-408C-89ED-CE0396B2B078@pch.net>
Message-Id: <4237A4A2-4DF9-4746-B921-53973212834F@pch.net>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Tyy-op10ezeQWfpoF5dLTpK8Ago>
Subject: Re: [dns-privacy] ADoX experiments (was: Re: Intermediate proposal (what I was saying at the mic))
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2021 15:36:16 -0000


> On Aug 31, 2021, at 2:23 PM, Bill Woodcock <woody@pch.net> wrote:
> 
> On 8/17/21 8:16 AM, Brian Haberman wrote:
>> I believe we need the following:
>> 
>> 3. At least one authoritative server operator willing to deploy the
>> experimental implementation,
>> 
>> 4. At least one recursive resolver operator willing to deploy the
>> experimental implementation,
>> 
>> Are there any volunteers to start working on details of such an experiment?
> 
> I had, at the outset, said that PCH and Quad9 would be immediately implementing any ADoX that makes it as far as running code, and in case that didn’t make it into your notes, I’ll reiterate it now.  As I’ve said before, we STRONGLY PREFER implementations which include TLS client authentication.

I got a couple of questions about that last sentence, so, more words for the sake of clarity:

From the point of view of an authoritative operator, we would very much like to be able to authenticate the client recursive resolvers using DANE TLS client certs, so as to be able to offer them prioritized service during DDoS attacks, without having to track their multiplicity of changing IP addresses.  i.e. we don’t want to have to track every last source IP address used by the upstream sides of every last Quad9, Cisco, Google, etc. recursive resolver, and we can trust them not to share their TLS client cert with DDoS attackers.

From the point of view of a recursive operator, we would like to be able to authenticate the authoritative server using DANE TLS certs in order to be assure ourselves that we’re not being MITM’d, but we’d also like to be able to authenticate ourselves to the authoritative so that we can receive protected service while the authoritative is under attack.

Right now all this is done with statically-coded IP addresses, which is quickly becoming an insane headache.

                                -Bill

v2.23.0 | Report a Bug | By Email