Re: [dns-privacy] how can we ADoT? (with github url)
Tony Finch <dot@dotat.at> Wed, 11 November 2020 21:20 UTC
Date: Wed, 11 Nov 2020 21:20:32 +0000
From: Tony Finch <dot@dotat.at>
To: Manu Bretelle <chantr4@gmail.com>
cc: DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CAArYzrK26rGAxtJVT=-+QY0Ub4bp8eQXoNxuWPwt=9dv9_+h1w@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.2011112106040.17166@grey.csi.cam.ac.uk>
References: <alpine.DEB.2.20.2011111856160.17264@grey.csi.cam.ac.uk> <CAArYzrK26rGAxtJVT=-+QY0Ub4bp8eQXoNxuWPwt=9dv9_+h1w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/UYqwt-ldb0smNDn8mYLmGugBF34>
Manu Bretelle <chantr4@gmail.com> wrote:

> Having this as an ID or possibly a github repo may make it easier to refer
> to/iterate than just this email.

Yes! https://github.com/fanf2/draft-dprive-adot

> I had attempted to quickly categorize some of those approaches (albeit a
> much smaller list) in a matrix in [0] but did not follow through since.
>
> [0] https://datatracker.ietf.org/meeting/104/materials/slides-104-dprive-dot-for-insecure-delegations-01

Ah, I haven't been paying enough attention to meetings so I missed this! I
think I need the speaker notes to understand it properly :-)

Your title "DoT for insecure delegations" is interesting: one of the
problems with what I have written so far is that it is too much a post-hoc
justification for using TLSA records to support ADoT. So I have built
nameserver authentication on top of TLSA on top of DNSSEC.

One of my unstated assumptions is that DoT will be problematic for TLDs,
and (with QNAME minimization) it matters more for leaf zones, so it is
likely to be deployed there first. But DNSSEC is deployed to a much higher
proportion of TLDs than leaf zones, so there's a good chance I'm wrong.

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Shetland Isles: Southerly 6 to gale 8, decreasing 4 or 5 later in west.
Rough or very rough. Rain or drizzle. Moderate or poor, becoming good later
in west.
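The "nameserver authentication on top of TLSA on top of DNSSEC" layering Tony describes can be shown as a small resolver-side check. The Python below is an added illustration for this archive page, not code from the draft or from anyone in the thread: it builds the TLSA owner name for a nameserver's DoT port (853/tcp, per RFC 6698's naming convention), refuses to use a TLSA answer that was not DNSSEC-validated, and then matches the presented certificate against the record with the standard selector and matching-type rules. Only the DANE-EE usage (3) is handled, the "zone" and certificate bytes are constructed stand-ins, and `sample_lookup` is a stub for whatever validating resolver the real implementation would use.

```python
"""DANE-style authentication of a DNS-over-TLS authoritative nameserver.

Added example: look up TLSA under _853._tcp.<nameserver>, insist that the
answer is DNSSEC-validated, then match the server certificate. Only
certificate usage 3 (DANE-EE) is implemented; usages 0-2 are ignored.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # certificate usage; 3 = DANE-EE (end-entity, no PKIX chain)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # matching type; 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def tlsa_owner_name(nameserver: str, port: int = 853, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for one service endpoint (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{nameserver.rstrip('.').lower()}."


def selector_data(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Pick the part of the certificate the record refers to."""
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown TLSA selector {selector}")


def record_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record with the presented certificate (RFC 6698 section 2.1)."""
    sel = selector_data(record.selector, cert_der, spki_der)
    if record.mtype == 0:
        return record.data == sel
    if record.mtype == 1:
        return record.data == hashlib.sha256(sel).digest()
    if record.mtype == 2:
        return record.data == hashlib.sha512(sel).digest()
    return False  # unknown matching type: unusable record, never a match


# A lookup returns (records, secure): `secure` is the resolver's AD-style
# verdict that the RRset (or its denial) was DNSSEC-validated.
TLSALookup = Callable[[str], Tuple[List[TLSARecord], bool]]


def authenticate_nameserver(nameserver: str, cert_der: bytes, spki_der: bytes,
                            lookup: TLSALookup) -> bool:
    """True only if a DNSSEC-validated DANE-EE record matches the server cert."""
    records, secure = lookup(tlsa_owner_name(nameserver))
    if not secure:
        # Without DNSSEC the TLSA data could have been forged in transit, so it
        # provides no authentication; treat the server as unauthenticated.
        return False
    usable = [r for r in records if r.usage == 3]
    return any(record_matches(r, cert_der, spki_der) for r in usable)


# Constructed sample data: stand-ins for DER bytes, not real certificates.
NS_CERT = b"constructed-cert-for-ns1.example"
NS_SPKI = b"constructed-spki-for-ns1.example"
OTHER_CERT = b"constructed-cert-for-someone-else"
OTHER_SPKI = b"constructed-spki-for-someone-else"

# Constructed "zone": owner name -> (TLSA records, DNSSEC-validated?).
# ns1 publishes a signed SPKI hash; ns2's record exists but is unsigned.
SAMPLE_ZONE: Dict[str, Tuple[List[TLSARecord], bool]] = {
    "_853._tcp.ns1.example.": (
        [TLSARecord(3, 1, 1, hashlib.sha256(NS_SPKI).digest())], True),
    "_853._tcp.ns2.example.": (
        [TLSARecord(3, 0, 1, hashlib.sha256(NS_CERT).digest())], False),
}


def sample_lookup(owner: str) -> Tuple[List[TLSARecord], bool]:
    """Stub resolver: unknown names get a (validated) empty answer."""
    return SAMPLE_ZONE.get(owner, ([], True))


if __name__ == "__main__":
    for ns, cert, spki in [("ns1.example", NS_CERT, NS_SPKI),
                           ("ns1.example", OTHER_CERT, OTHER_SPKI),
                           ("ns2.example", NS_CERT, NS_SPKI)]:
        ok = authenticate_nameserver(ns, cert, spki, sample_lookup)
        print(f"{ns}: {'authenticated' if ok else 'NOT authenticated'}")
```

The `secure` flag is where the "on top of DNSSEC" layer bites: ns2's record is byte-for-byte correct, yet the check fails because the answer was not validated. That is exactly the deployment tension in the message, since a TLSA-based scheme can only authenticate nameservers whose TLSA records live in signed zones.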