Re: [dns-privacy] how can we ADoT?
Peter van Dijk <peter.van.dijk@powerdns.com> Sun, 15 November 2020 18:33 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAA683A0808 for <dns-privacy@ietfa.amsl.com>; Sun, 15 Nov 2020 10:33:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ctCZACR3xKeD for <dns-privacy@ietfa.amsl.com>; Sun, 15 Nov 2020 10:33:37 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD82E3A0822 for <dns-privacy@ietf.org>; Sun, 15 Nov 2020 10:33:37 -0800 (PST)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx4.open-xchange.com (Postfix) with ESMTPS id 43B7D6A275; Sun, 15 Nov 2020 19:33:36 +0100 (CET)
Received: from plato (84-81-54-175.fixed.kpn.net [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 1518A3C0045; Sun, 15 Nov 2020 19:33:36 +0100 (CET)
Message-ID: <68a48d20bc23da7e30b50639b74fe2ed48ddf6f6.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dns-privacy@ietf.org
Date: Sun, 15 Nov 2020 19:33:35 +0100
In-Reply-To: <alpine.DEB.2.20.2011111856160.17264@grey.csi.cam.ac.uk>
References: <alpine.DEB.2.20.2011111856160.17264@grey.csi.cam.ac.uk>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/UkuitMRst-PaK7RyynGKTGoGg5E>
Subject: Re: [dns-privacy] how can we ADoT?
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2020 18:33:39 -0000
On Wed, 2020-11-11 at 19:07 +0000, Tony Finch wrote:
>
> * Encryption would apply to the server as a whole, whereas the
> working group consensus is that it should be possible for
> different zones on the same server to use encrypted and
> unencrypted transports.
(plus, in another email, Tony wrote: "A nice thing about TLSA records
is they also tell the client what name to look for in the server's
cert.")
This looks like a mistake to me, or at least, a choice that would have
to be made very deliberately.
Today, the name through which I reach an NS does not matter - it is not
part of the protocol exchange like the HTTP Host header is. This
simplifies a lot of things, and allows some leeway for mismatches in
names between parents, childs, etc., as long as they reach the same IP.
It also seems that any 'split' between which zones on a certain IP
support encryption and which zones do not, would make any opportunistic
proposal obsolete immediately.
I'd like to assume that all transports offered by an NS host the ~same
data (ignoring, for a moment, that we might one day imagine data that
should only be seen over transports with certain security properties,
but I'm imagining that such data would not cover whole zones).
In fact, it would be good if I don't assume. Instead, we should
actively decide whether any such splits are allowed, or forbidden.
I note that the phase2 doc has this text:
9. A given name server may be authoritative for multiple zones. As
such, a name server MAY support use of a secure transport
protocol for one zone, but not for another.
So in fact, right now we have written down that this is allowed. But I
think it is a mistake.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
- Re: [dns-privacy] how can we ADoT? Eric Rescorla
- [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Hollenbeck, Scott
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Brian Dickson
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Manu Bretelle
- Re: [dns-privacy] how can we ADoT? Stephen Farrell
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? (with github u… Manu Bretelle
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? (with github u… Manu Bretelle
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk