Re: [dns-privacy] [Ext] Threat Model

Tony Finch <dot@dotat.at> Mon, 04 November 2019 20:37 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B76C7120041 for <dns-privacy@ietfa.amsl.com>; Mon, 4 Nov 2019 12:37:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvvTDRvdU_q7 for <dns-privacy@ietfa.amsl.com>; Mon, 4 Nov 2019 12:37:19 -0800 (PST)
Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1A72120018 for <dns-privacy@ietf.org>; Mon, 4 Nov 2019 12:37:19 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:44568) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1iRj6B-001Cdz-0N (Exim 4.92.3) (return-path <dot@dotat.at>); Mon, 04 Nov 2019 20:37:15 +0000
Date: Mon, 04 Nov 2019 20:37:14 +0000
From: Tony Finch <dot@dotat.at>
To: Paul Wouters <paul@nohats.ca>
cc: Warren Kumari <warren@kumari.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Eric Rescorla <ekr@rtfm.com>, Paul Hoffman <paul.hoffman@icann.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca>
Message-ID: <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk>
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <1a70035e-edef-a3f4-ea91-52409ba37828@icann.org> <CABcZeBPAtvf3RU2gKWzyTaNwd6NBGsBuxq+n6r0W6-2RCnivSA@mail.gmail.com> <17189d1a-7689-f68d-6fe3-8d704af614a3@icann.org> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/VI7VXB8rO_Cvl1LIAXoXfeRlGyk>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 20:37:22 -0000

Paul Wouters <paul@nohats.ca> wrote:
>
> The right way to do this is a DNSKEY flag, which is protected by the
> signed DS at the parent. Similar to draft-powerbind for the
> delegation-only domain.

That's per-zone, though, whereas DoT support is per-server.

DS records that somehow encode NS target names in their rdata might
work...

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
partnership and community in all areas of life