Re: [dns-privacy] NS names, was re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

John R Levine <johnl@taugh.com> Wed, 10 June 2020 15:33 UTC

Date: Wed, 10 Jun 2020 11:33:35 -0400
Message-ID: <alpine.OSX.2.22.407.2006101100300.62014@ary.qy>
From: John R Levine <johnl@taugh.com>
To: dns-privacy@ietf.org
In-Reply-To: <b10fb7a1-08f9-9cff-f29d-3a43eec6772f@huitema.net>
References: <CAHPuVdUoZVecj5Jfd6NxyJ-cRhTJTS1N8vcC5pC3uWQECLOCnQ@mail.gmail.com> <20200609183122.203851A5666F@ary.qy> <CAHPuVdVwxSG3pXNECy-2CUtR-bMG4DyQ5cYQPcnf9xNjzVGc4Q@mail.gmail.com> <b10fb7a1-08f9-9cff-f29d-3a43eec6772f@huitema.net>
User-Agent: Alpine 2.22 (OSX 407 2020-02-09)
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/UEbd8WlV3uAmpinzNzpPZAJCwko>

>>     That sounds quite painful for servers that serve hundreds or
>>     thousands of zones.

I think this will work for NS with names in the zone.  Still scratching my 
head about NS in other zones.

On a referral, the parent server sends TLSA records as glue along with 
the NS and DS in the referral.  The client connects to one of those NS 
and checks the cert with TLSA.  It then retrieves the signed NS and TLSA 
from the child to ensure that they match the unsigned ones from the 
parent.  To resist downgrades, if a client gets a referral without a TLSA 
but finds a TLSA in the child zone, it (wave hands a little) complains and 
reconnects using TLS.

I don't think that leaks anything beyond what you can tell from the fact 
that it's making connections to port 853. It doesn't leak what name is 
being referred.

The bad news is that authoritative servers have to be adjusted to send
TLSA as glue, and registry provisioning systems have to handle TLSA glue 
as well as A and AAAA.

For NS with names out of the zones, I guess the client looks for a TLSA 
when it looks for A and AAAA.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
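The resolver-side decision flow sketched in the message above (TLSA glue in the referral, cert check against it, cross-check against the child's signed NS and TLSA, and the downgrade rule when the glue carries no TLSA), written out as an added example that is not part of the original post. Record names, the DANE-EE-only matching, and the constructed cert/SPKI bytes are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tlsa:
    usage: int     # 3 = DANE-EE; the only usage this toy checks (assumption)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256 of the selected data
    data: bytes

def tlsa_matches(tlsa, cert_der, spki_der):
    """Does the presented certificate satisfy one TLSA record?"""
    if tlsa.usage != 3:
        return False
    subject = cert_der if tlsa.selector == 0 else spki_der
    if tlsa.mtype == 0:
        return tlsa.data == subject
    if tlsa.mtype == 1:
        return tlsa.data == hashlib.sha256(subject).digest()
    return False

def plan_connection(parent_glue, child_zone, ns_name, cert_der, spki_der):
    """Decide how to treat one NS after a referral.
    parent_glue / child_zone: {"ns": frozenset(names), "tlsa": {name: frozenset(Tlsa)}}
    parent_glue is unsigned glue; child_zone is the signed data fetched from the child."""
    glue_tlsa = parent_glue["tlsa"].get(ns_name, frozenset())
    child_tlsa = child_zone["tlsa"].get(ns_name, frozenset())
    if glue_tlsa:
        # TLSA in the referral: connect on 853 and check the cert against it.
        if not any(tlsa_matches(t, cert_der, spki_der) for t in glue_tlsa):
            return "tls-cert-mismatch"
        # Then confirm the unsigned glue against the child's signed NS and TLSA.
        if child_zone["ns"] != parent_glue["ns"] or child_tlsa != glue_tlsa:
            return "glue-mismatch"
        return "tls-ok"
    # No TLSA in the referral: plain DNS, but a TLSA in the child means a downgrade.
    if child_tlsa:
        return "downgrade-reconnect-tls"
    return "plain"

def sample_scenarios():
    """Constructed test data: one NS, fake cert/SPKI bytes, and a TLSA 3 1 1 over the SPKI."""
    cert, spki = b"constructed-cert-der", b"constructed-spki-der"
    rec = Tlsa(3, 1, 1, hashlib.sha256(spki).digest())
    ns = frozenset({"ns1.example."})
    with_tlsa = {"ns": ns, "tlsa": {"ns1.example.": frozenset({rec})}}
    stripped = {"ns": ns, "tlsa": {}}   # same referral with the TLSA glue missing
    return cert, spki, with_tlsa, stripped
```

Running `plan_connection` over the four parent/child combinations from `sample_scenarios()` shows the four outcomes the message distinguishes: a verified TLS connection, a glue mismatch, a detected downgrade, and a zone that simply has no TLSA.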