IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Revised opportunistic encryption draft

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 18 November 2020 19:13 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 567D93A09D4 for <dns-privacy@ietfa.amsl.com>; Wed, 18 Nov 2020 11:13:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N9MQFYhWPCre for <dns-privacy@ietfa.amsl.com>; Wed, 18 Nov 2020 11:13:08 -0800 (PST)
Received: from mail-ua1-x933.google.com (mail-ua1-x933.google.com [IPv6:2607:f8b0:4864:20::933]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8A9A3A0997 for <dprive@ietf.org>; Wed, 18 Nov 2020 11:13:08 -0800 (PST)
Received: by mail-ua1-x933.google.com with SMTP id x13so1050622uar.4 for <dprive@ietf.org>; Wed, 18 Nov 2020 11:13:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AzRIXO+gmpUeiev9joRpFxuoWNvWR3lbeQOJz7LZ+C0=; b=IrCS32F/YAc2tKBQs54rE4ntJE8U4qGWSsp7kbwi14NnhfJNLYi6kT+qtOWvCPCAnX 3rl+7N0f/Tndq7d2UJGIXr1JpTYEbw3TEQ+Xw3aYsjO/2Fa049ZYNCwSC+xoRFQHLPk/ vSO9yB7NvNO0h3q4HbdloHCxvCAYmw2wfPAy17LdIDhLMCOG113jKBNRTrf9hWiot23w D1UMuahXUf8z62Ims4DrnZsFlWmCcd4DykYfoBos+dHrq8gr55aqWPTquadNYtPFhjZA UiL54HYbWnlnxwXry67/a+4q+eeXR9Pur6/Kz+tsAfoWvG1C1kd8wLespsBd1IbkyGkT U2dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AzRIXO+gmpUeiev9joRpFxuoWNvWR3lbeQOJz7LZ+C0=; b=ga+Whd0Eb4ZxY0qEZHbzT6QLjzC6sP2NE9ekx2gc4yCYMNpQXNPayJLl0+4UHJY9yK pGSC0axap8C+ghaNWeAtfClKuy36MGC0c4XoLp+0+L/5pKp4fHDJewKaG7KClyy+blt7 orCgFuCO9dZh6W5OGYPhF4ol29OXec2RgbbvfKsSMfncVTVaV7ofOf/Jm+xgU9oXB6+G 9BGwMPp+QkeLBuNr1hvxeTwa2b5uv8XhSFpJDwEepluDsqqUvg0cgJLHwCQC5lfp3QU3 uFHs2HqBx66+5xWgc6GEJdclDc7eiCxecgLdfZUipg5p2QRkXok8z5FaH7s9dSRmyZfh 3/Fw==
X-Gm-Message-State: AOAM532VsydNAnFn9y2+IEfc+wCcK2qfK0oueipPQgOjl8RNqLOK4HSN XIGJTP1uN8ytaEqQU5vkp7khLNmwh8jiR6ZoAm4=
X-Google-Smtp-Source: ABdhPJwvStZyYmrsdxT3hcYAzz8thgbydqDjwAoo4rnPHi32Ae7V3eqBuItfYRbqYENRwbf6S9w/RAciHUrAOYERJgE=
X-Received: by 2002:ab0:24d2:: with SMTP id k18mr5794852uan.48.1605726787825; Wed, 18 Nov 2020 11:13:07 -0800 (PST)
MIME-Version: 1.0
References: <C0CBEBC5-D28A-46C0-AE50-078710015466@icann.org> <alpine.LRH.2.23.451.2010301202350.2587497@bofh.nohats.ca> <2444B21B-9465-4A5B-97CC-AF809309300A@icann.org> <CABcZeBPZFY9aQ5Nb0q_4uTMFRbY3-S2rus4vaeLaUmvU+h_ftg@mail.gmail.com> <2D07CBD0-30CE-418E-AD05-02E0A5EDB79F@icann.org> <CABcZeBNdNnyjzk0mOtfix=OvVTEpPzegEw_V5QfKvYtkFV+zOw@mail.gmail.com> <CAH1iCirz27EoahrYE8z9AV=Cf=A-i=iPP1deOYPWO8_k1mL+XA@mail.gmail.com> <27ddd3bde1ea11c857a96346b6f4ba5aa8b1d92f.camel@powerdns.com> <alpine.DEB.2.20.2011172300480.9850@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.2011172300480.9850@grey.csi.cam.ac.uk>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 18 Nov 2020 11:12:56 -0800
Message-ID: <CAH1iCioGyW5aO8ooCQpr1OBjZyzOppWsvxWGEnMqqiSvD3zxPQ@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Peter van Dijk <peter.van.dijk@powerdns.com>, "dprive@ietf.org" <dprive@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cb747205b46666d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/XP1yZ0qzcWdtb6NuKwi04zVXk0o>
Subject: Re: [dns-privacy] [Ext] Revised opportunistic encryption draft
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 19:13:10 -0000

On Tue, Nov 17, 2020 at 3:30 PM Tony Finch <dot@dotat.at> wrote:

> Peter van Dijk <peter.van.dijk@powerdns.com> wrote:
> > On Sat, 2020-10-31 at 13:52 -0700, Brian Dickson wrote:
>
> > > Using TLSA records at _853._tcp.<NS_NAME> in a signed zone provides an
> > > unambiguous signal to use optionally TLSA, in a downgrade-resistant
> > > manner.
> >
> > Not downgrade-resistant, until NS names in delegations become signed.
>
> Or until the parent nameservers support authenticated encrypted
> transports.
>
> Even so I think delegations should be signed.
>

So, the parental NS records are not authoritative, and thus not supposed to
be signed.

Has anyone ever experimented with how a signed delegation NS would be
handled by resolvers? (This might vary by resolver software and possibly
version.)

The signer field would differ between the delegation RRSIG and the apex
RRSIG (on what would otherwise be very similar RRSETs).
I.e. if you had zone.example.net NS ns1.something.example.com (and
friends), the apex RRSIG would have signer name zone.example.net, and the
non-apex delegation RRSIG would have a different (shorter) signer name.

Actually doing this as a protocol spec change would probably require that
the delegation RRSIGs would need to be cached differently (in the same way
the NS records are cached differently), and used accordingly.

The standardization of DNSSEC was before my time, so I don't know to what
degree this was discussed back then.
As much as making changes to those RFCs would be difficult and potentially
controversial, this might be the path of least implementation difficulty.
The big thing would be the signing overhead on large authoritative
(delegation-mostly) zones.

And I'm not sure whether the DPRIVE use case is enough of a "new
requirement" to justify changing the spec. But I think that is open to
consideration at least.

Fodder for discussion rather than a serious proposal, at least at this
point.

Brian

v2.23.0 | Report a Bug | By Email