IETF Logo Mail Archive

Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Peter van Dijk <peter.van.dijk@powerdns.com> Tue, 26 May 2020 14:59 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 143103A0CCA for <dns-privacy@ietfa.amsl.com>; Tue, 26 May 2020 07:59:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fuwdyy8ynA4u for <dns-privacy@ietfa.amsl.com>; Tue, 26 May 2020 07:59:38 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92FE23A0C1C for <dns-privacy@ietf.org>; Tue, 26 May 2020 07:59:38 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id 0F2926A2FF; Tue, 26 May 2020 16:59:36 +0200 (CEST)
Received: from plato (e82143.upc-e.chello.nl [213.93.82.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id E14203C0382; Tue, 26 May 2020 16:59:35 +0200 (CEST)
Message-ID: <2ac6ce3570a5bf62d7aa29d4e2b8f3d0d0ca7972.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dns-privacy@ietf.org
Date: Tue, 26 May 2020 16:59:35 +0200
In-Reply-To: <alpine.LRH.2.21.2005260933520.27601@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca> <36E4371F-BCBE-43F7-9D4B-8439B3FF1D2A@isc.org> <aa745f51e4b7fd0955ae9e444416772b32c75dbf.camel@powerdns.com> <alpine.LRH.2.21.2005260933520.27601@bofh.nohats.ca>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Vd15sMnExVb7EL6jJ_21SkyhB-c>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2020 14:59:44 -0000

On Tue, 2020-05-26 at 09:40 -0400, Paul Wouters wrote:
> I thought my initial reading this was stored inside a DNSKEY was wrong
> and things are actually stored in a DS digest. And DS records do not
> have flags of the DNSKEY, so why are we talking again about DNSKEY
> flags?

When I ask my resolver for TXT validpin.dotpin.powerdns.club., the
following things happen in the resolver:

Queries are issued to root, TLD, etc., until the delegation to
validpin.dotpin.powerdns.club from dotpin.powerdns.club is received. It
looks like this:

validpin.dotpin.powerdns.club. NS	pdns-public-ns1.powerdns.com.
validpin.dotpin.powerdns.club. NS	pdns-public-ns2.powerdns.com.
validpin.dotpin.powerdns.club. DS	17418 225 2 ....
validpin.dotpin.powerdns.club. IN	RRSIG	DS ....

In this test deployment, we have chosen algorithm number 225 by fair
dice roll.

The resolver connects to a NS, let's say pdns-public-ns1.powerdns.com,
on port 853. During the handshake, the resolver receives the
SubjectPublicKeyInfo from the name server.

The resolver then constructs, in memory, a DNSKEY:

pdns-public-ns1.powerdns.com. DNSKEY 0 3 225 [base64-encoded SPKI]

The resolver then turns this into a DS with the normal procedure for
DNSKEYs (https://tools.ietf.org/html/rfc4034#section-5.1.4). This
yields a DS with some keytag, algo number 225, and digest type 2
(because that's what we saw in the DS set). The resolver checks if the
resulting DS is in the DS set given by the parent. If so, we are now
connected securely. If not, we disconnect and do not use this name
server.

> I dont know what you will use for keytag.

https://tools.ietf.org/html/rfc4034#appendix-B

>  The digest type would also be some strange number meaning
> "not really a DNSKEY digest".

The digest type is one of the types from 
https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml, just as
with normal DNSKEY processing.

> So why talk about DNSKEY flags? Where do these appear in the proposal?

The proposal currently has no need for any flags, so the flags field is
set to zero. If we come up with convincing reasons for flags, we could
define some.

> Why make life harder
> by needing to stuff square things into round boxes twice instead of
> once?

Because many registries only accept DNSKEY (via EPP or as CDNSKEY), and insist on doing the digesting into a DS on their end.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

v2.23.0 | Report a Bug | By Email