Re: [dns-privacy] [Ext] Requirements for authoritative server preferences

Eric Rescorla <ekr@rtfm.com> Wed, 04 November 2020 18:34 UTC

References: <160435765311.18774.16063151114758509438@ietfa.amsl.com> <1E8597EB-C856-4DC9-A42D-8B2142501C7A@icann.org> <CAH1iCiqT0NV=YB7zY1tYbVM1W2HcWa8OB-sA=OvBz8qK2MYrkQ@mail.gmail.com> <04FB89A4-0BAF-407B-AC53-817AB9D48122@icann.org> <CABcZeBN0NDYLG55W9ecW9M3Q4jBOT9Ss7C4YR5pQiJ5RKFMEFQ@mail.gmail.com> <D3303DB1-BC19-4213-B033-7E6EFFF69E29@icann.org>
In-Reply-To: <D3303DB1-BC19-4213-B033-7E6EFFF69E29@icann.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 04 Nov 2020 10:33:26 -0800
Message-ID: <CABcZeBN0RYv9HXptQGLtS_zog2YqvQ-i0s4iEKWZa4=NXC=orQ@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/W7yi8RzbL1_3_Fb12Cnj8HCSryw>

On Wed, Nov 4, 2020 at 9:41 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Nov 4, 2020, at 9:18 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> > On Wed, Nov 4, 2020 at 7:11 AM Paul Hoffman <paul.hoffman@icann.org> wrote:
> >> The prevention of downgrade attacks is not needed for the use case that
> >> has been described so far (opportunistic encryption). It is only needed for
> >> the use case that has not been described (failed DNS resolution when
> >> authentication is not possible).
> >>
> > What do you mean by "has been described"? You basically just described
> > both of these.
>
> Only basically. So far on the list, only part of the mechanism (do
> authentication) has been described. The rest of the mechanism (what to do
> when authentication for the first server tried fails)

Sure, one would need to define the mechanism.

> and the use case (why you would want to fail DNS resolution) has not.

It's not that one wants to fail DNS resolution but rather that one does not
want to send one's query in the clear. I'm not sure what more needs to be
said there.

-Ekr
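To make the two modes debated in this exchange concrete, here is an added Python sketch (not from the thread or from any resolver implementation) of a recursive resolver working through a zone's authoritative servers under an opportunistic policy versus a strict one; an on-path attacker is modelled only as blocking the encrypted port, and the server list and its flags are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # encrypt when possible, else cleartext
    STRICT = "strict"                # authenticated encryption or no query

@dataclass
class AuthServer:
    name: str
    offers_tls: bool   # the server speaks an encrypted transport
    cert_valid: bool   # authenticating the server would succeed

@dataclass
class Outcome:
    answered: bool = False
    sent_in_clear: bool = False
    authenticated: bool = False
    path: list = field(default_factory=list)

def resolve(servers, policy, attacker_blocks_tls=False):
    """Simulate a recursive resolver contacting the authoritative servers
    for one zone in order. An on-path attacker that blocks the encrypted
    port stands in for a downgrade attempt (hypothetical model)."""
    out = Outcome()
    for s in servers:
        tls_reachable = s.offers_tls and not attacker_blocks_tls
        if tls_reachable and s.cert_valid:
            out.path.append(f"{s.name}: encrypted, authenticated")
            out.answered = out.authenticated = True
            return out
        if policy is Policy.OPPORTUNISTIC:
            if tls_reachable:
                # Encrypted but unauthenticated is acceptable opportunistically.
                out.path.append(f"{s.name}: encrypted, unauthenticated")
            else:
                # No encrypted path: fall back rather than fail resolution.
                out.path.append(f"{s.name}: cleartext")
                out.sent_in_clear = True
            out.answered = True
            return out
        # STRICT: authentication failed or transport unavailable; try the
        # next server rather than ever sending the query in the clear.
        out.path.append(f"{s.name}: skipped (not authenticated)")
    out.path.append("SERVFAIL")  # every server exhausted: fail closed
    return out

# Constructed example zone: one server supports TLS, the other does not.
ZONE = [AuthServer("ns1", offers_tls=True, cert_valid=True),
        AuthServer("ns2", offers_tls=False, cert_valid=False)]
```

Running `resolve(ZONE, Policy.OPPORTUNISTIC, attacker_blocks_tls=True)` shows the query leaving in cleartext, while the strict policy under the same conditions returns SERVFAIL without ever sending it unencrypted.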