Re: [dns-privacy] DOTPIN, TLSA, and DiS
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 23 November 2020 14:20 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF2D33A0C8A for <dns-privacy@ietfa.amsl.com>; Mon, 23 Nov 2020 06:20:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.004
X-Spam-Level:
X-Spam-Status: No, score=0.004 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1FFERxqOq_hK for <dns-privacy@ietfa.amsl.com>; Mon, 23 Nov 2020 06:20:34 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F28BC3A0C84 for <dprive@ietf.org>; Mon, 23 Nov 2020 06:20:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 94DA6224AE for <dprive@ietf.org>; Mon, 23 Nov 2020 16:20:31 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id usKKv90VVJil for <dprive@ietf.org>; Mon, 23 Nov 2020 16:20:31 +0200 (EET)
Received: from LK-Perkele-VII (78-27-99-170.bb.dnainternet.fi [78.27.99.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 4548772 for <dprive@ietf.org>; Mon, 23 Nov 2020 16:20:30 +0200 (EET)
Date: Mon, 23 Nov 2020 16:20:29 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: dprive@ietf.org
Message-ID: <20201123142029.GA3659348@LK-Perkele-VII>
References: <196c57a1f39d73fdbf0e7ee0c597bec2bec94148.camel@powerdns.com> <a4e2f776-91b6-f825-03f9-8287e7b29509@nic.cz> <2a597c2a41774f39786b9c1f252494ce2bb7f017.camel@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <2a597c2a41774f39786b9c1f252494ce2bb7f017.camel@powerdns.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/XOyyna8Pz6fk80dqmFqXFdun684>
Subject: Re: [dns-privacy] DOTPIN, TLSA, and DiS
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 14:20:36 -0000
On Mon, Nov 23, 2020 at 12:49:25PM +0100, Peter van Dijk wrote: > On Fri, 2020-11-20 at 20:47 +0100, Vladimír Čunát wrote: > > > > In retrospect I see that what I wrote is very similar to Manu's > > "Do9" except for replacing WebPKI by TLSA, with all their pros > > and cons: > > https://datatracker.ietf.org/meeting/104/materials/slides-104-dprive-dot-for-insecure-delegations-01 > > WebPKI has excellent latency properties compared to TLSA. In more > words: a parent-side signal that does not pin keys, but does > authenticate names, would allow WebPKI based DoT with zero extra > queries compared to current non-DoT operations. The WebPKI folks would really hate that, due to the serious ossificiation concerns it would pose to WebPKI. And by history of DNS, those concerns are very much warranted (DNSSEC root key rollover was the most obvious example). There have been number of incidents where non-web use of WebPKI has caused significant headaches for WebPKI folks. On the other side, there are very real concerns about security of WebPKI. Some of the approved validation methods are downright scary. Then security of WebPKI fundamentially based on DNS (despite it managing to collect more single points of failure), so using it in DNS would cause cyclic dependency with non-obvious implications. Then WebPKI can not do service authentication (it is not needed for the Web). Then what should the contents of the trust store be? While in theory, TLS is capable of negotiation here, in practice that does not work (because clients have too many trusted CAs, and servers have no room to manover in). So one would likely get interop issues. Then this would cause issues if there are ever two incompatible transports, e.g., DNS over TLS and TLS over QUIC. The server operators would prefer not to have involve zone owners in what transports they offer. If one has secure capability advertisment from server operators, one could just put the authentication data into that (but there would be some concerns about many queries to various servers, even if the advertisment is just one rrset). If there is DNSSEC, stapling the chain would offer the same latency properties. Of course, that turns out to hit some layer-9 issues to specify (there was draft about that that got kicked out of TLS WG for being too toxic), alongside with above-noted issues with incompatible transports. -Ilari
- [dns-privacy] DOTPIN, TLSA, and DiS Peter van Dijk
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Vladimír Čunát
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Brian Dickson
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Vladimír Čunát
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Peter van Dijk
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Peter van Dijk
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Ilari Liusvaara
- Re: [dns-privacy] DNSPKI, not WebPKI Paul Hoffman