Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
Petr Špaček <petr.spacek@nic.cz> Thu, 21 May 2020 08:00 UTC
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E3733A0ABE for <dns-privacy@ietfa.amsl.com>; Thu, 21 May 2020 01:00:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OttpJilnAz53 for <dns-privacy@ietfa.amsl.com>; Thu, 21 May 2020 01:00:06 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DFE43A0ABC for <dns-privacy@ietf.org>; Thu, 21 May 2020 01:00:03 -0700 (PDT)
Received: from pc-cznic19.fit.vutbr.cz (unknown [IPv6:2a02:8308:a13e:40f0:b882:23f3:9ccd:6a68]) by mail.nic.cz (Postfix) with ESMTPSA id 273F613FDF9 for <dns-privacy@ietf.org>; Thu, 21 May 2020 10:00:00 +0200 (CEST)
To: dns-privacy@ietf.org
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com>
From: Petr Špaček <petr.spacek@nic.cz>
Autocrypt: addr=petr.spacek@nic.cz; prefer-encrypt=mutual; keydata= mQINBFhri/0BEADByTMkvpHcvPYwyhy0IDQ1B2+uU6AWP0QJQB3upM/YqxoJBeMQ5SxpO+W6 BsU0hTIF90AKIgiiDtMH1oNhHnzRXqePKORIgL3BbH5OxGcbqCYk1fIKk43DliCN1RcbTyRV REnCRQGWMTUbRS/jQ3uyTAX4rT0NhPWhPy6TMLGEg6WJJz0IzhBEw3TitvAlq6XHbi5EZYwU AHqIcuqr3sS+qkWqlIBlahu1hqhTcmYGz7ihjnWkOFi1rjRfLfudAtgFpUSmsixh2tifdy+C d8OBQbtF2kM7V1X5dUzw/nUBXm1Qex2qohRmCspwqivu7nlDMrLoilmPaeoR5evr5hpIDdfP cJAPTJk4n56q6MTHFJWkGa0yq13AJHLANNjQ/dF+W6Dhw9w2KBpuw0iGZQBBf5G9SQ1xJ+tU 9filaldsTAX1gMkVso//kGEbuRIJnJr7Z8foE/zofFyoAv21VWy2vpgQ3CnEWOZMSmYH7/gZ qcM7nfkjk4zAijpjYA3qlXoWa44/nrkAGvt7sAMsxY1C2H7tr3h3/rwyfbBqQ9nMpNwYLXXa Dil7uzyqlpKDjwWCzYd3sH7ATyT4htrd0BY5+IFimSfHyLwixhakH8E14YYyV9tzkrB7fiWd g7+zDThLtZMvtrehtkjVDPT50xg8TMr68hd3GRWBUJHszMTnlQARAQABtCJQZXRyIMWgcGHE jWVrIDxwZXRyLnNwYWNla0BuaWMuY3o+iQJUBBMBCAA+AhsDBQsJCAcCBhUICQoLAgQWAgMB Ah4BAheAFiEEvibrucvgWbORDKNbzo3WoaUKIeQFAl4QsCEFCQeWKZ8ACgkQzo3WoaUKIeRd HBAApKY18pJ+g172AeAefYwPoIZRM5WDNopHw/l7ErfMNzm9Da0/gOy8CUH2gA+qF+ufryIs DY0akLVaL7X21+hAp3gFX+/GHqSjJcmWvEfU7eoLl9OxE8NvQd2V/DPVDqnQscTUUba5taAU OM51bU+vCNQXlT3uuntIOwwbB9W6hMSe16EhB9mzj6hozyTemsfHTjoNJbVrhLzf3Idnp3fY rO0qfqOlwIi+5YWT0SHSVx6zmOBStzT4otRtFyfKD+CXdFOt40Dw1qYlZt2ms3kcaEk/+Uub SKZhr5IsSE5rV8TasKiQvP/ToxPyk1QkqCrzzroGrkMHfzW7MACvpKWnQAjhiVuO++Ne4XMJ h8zL0c31u5MQ76zckowHtGy9plwKFoIrtRB2UgwjtvTSkXn7nC6YVoDlCe/WD7PYfpig9iaO bQwP3fAq+sx+BU6eIZC7edZU8rqi3SWrg4p9jH0SmU1BwO7dwgbMyAEYpiv+mNu9pIBFxLqL ihSk+1M+Y3EaJP0QeKFI6qeZuJAOhkO4Gi7lTLXo4AepjnKPzN15LJJBg3W9t9Zss/Hp11se r/N87fn6XlzV+yfq0gYwJufF2MsDVaU3NQhT/0cXks6Gh4MvUcEircxTaAbaEP7mbMc5o4S4 n0V+MoU+ohqRrPW9gngGxIziKeFey4RBIKfpLgC0IFBldHIgU3BhY2VrIDxwZXRyLnNwYWNl a0BuaWMuY3o+iQJUBBMBCAA+AhsDBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEvibrucvg WbORDKNbzo3WoaUKIeQFAl4QsBwFCQeWKZ8ACgkQzo3WoaUKIeTkEQ//eyj4Odb1AoZJk6Y0 wkPG+9vvC1UwIOMPlerIzHv3ukrSCBdNQG/1vfaDH/xM8ywHHGKnvrIoGbuAyO6llLvo8Mir JwnqRmcChkFPwx78piJPHdWGQzQT9lWObEgwwonB9xQmxU7ih8WKfBpB+ME9knYycoYJwXiJ vLTjQg5Xe2eXa8fbiNY+v2B3Wwza41Ke7dzYUcdPAMaDPhX4x3GeWUv+y1WP7mFAi2JxQV/L ZZuiYVDR526wwWOe6DZyUZC9S6qD6qaPvqJ/j3hzgSBpJUvSDlvmsdWAZZd9bUbMgU4BpwLv 7yh/6NyQGRs3SuCjmRKek7rS+dngqYNAYISSKnFDvst00kGBmT8/Ys2oB/VXqAsP+ej0Qp1g XyV2gfIbzSIHwFOXgX7+fVN8qqqcToOZJ8ibfbshSrrEZ69QGHTZcU/wbVRmLl1Nrk0BEEd8 lTFhbl13eJkUN5jlWdTofW/mYoccvySMJP7IzVri+6UjS2JB/CcCR/v9g0vl2tmt5hc+XGNu m6sVfLcF2fbG+tkmm1tjzwSYcbhGetQ8Gq0mtpuglnetRPLqvEvbcJBISMG2Dnu1o7epMVbe qmFqRuYrEWncuK/k2BCla1G+a+0PUwNdRXHpBlHnWnaE9FzT8GU0L23p1dcj/vCUH9Z5b9uz OygWMJcrpXjAxMUsUPa5Ag0EWGuL/QEQAMWnhl/FKgpMBp3QiQUr0JWhnpcrLBgsU08+HPD7 6Bu8cvYRftCqESypuxYxikfiNz8qrnk5hhT+UhxQu4PRj2gNHbpcVCi7QV5I2fNEZvrTtTw4 U49D56L3YybVg9DfcY+PwaptCmQCnfmx+MnrhMf8RBjfxE3feOwdGSHC1ZT/rKj5FmztwVG6 KG4uXwW6g/QDm7/H6U014gGTx/bstVisXzU1IMMNiOc5sJqH5AvMYDAYO2NaQFVrCmgdbCrn w5BLHmmLDI4KcUl4U41FxNGA7Pbf2uwQDkt5h+Y4Zyc3AboIegnll1YnDk5X0GgDtRMcb3nF UdXlCISbqrqKAjrApXZG0VLtGh7Ra3wfuALjUl6popNSwaTPq4mtoXyaYrJLwT6ZKHd2Oap0 k0cXWkmorEDE9gD1jSM+dhZ4Qfh8945HZi8GPO2zJ72c6/UC4o27Td27OhzJT3kN8/+XA0mv lIf3XxV/W3tZwmP12Don0lzks7CDXdCvfVO5mKOsx2ozsskoL/S06RJ5c2gyUck4ipuqbs3j XgjQfK1sQ1/sCLIPE0DlPMkqQHR4E8ubYUxAIct9qwkeBsKtC63qdjDd/caff48PMYQcj2x9 C/+Zi87vuhFIbD7cfLVOjEidwiKsDJGlrkp08uSUOkAO+l+ReO4voh9lnQ4hYotJFr8NABEB AAGJAjwEGAEIACYCGwwWIQS+Juu5y+BZs5EMo1vOjdahpQoh5AUCXhCwQQUJB5YpxAAKCRDO jdahpQoh5KUKEACZrrC0gOit1Ur0UQ/DL0wqIFPGmNW6bvBuyASm8HMpBA/ip6SqIebejC/Q lGU88Of7csaadKXlcAtN2W2eyKX+pwrIGlL9+laHDu+Gn8wG+0uUDSIEIS7juhycLRa2rNwh dx89ArwmAs+UNglXPqIc9nfMXK4tXdJSAjk7yekd/0WRc2fjsY292C4hQ51/vUpMpU+cDFw/ bwW7t7HEL/oRkRpDkPufFSLPfGVX2rqRnKaDM4xmpUXB5N2PC65umPxRq/YY3f+j/jAfaWWB 27SFiRpC4T48HNse0ZGKoeWnfYZpyYqnIRSURLu0ykYr9B90S/MteKxHDALNfllocQOgM0Bn Ama5S+cVqew97CJEAthW7PGe6Oa3k+dH340svGvrTFdJGH/3hCGDw3b3o4vV8F653fBk0qHJ UO7QoFaCuTFhQhCUEP3EVGFeT/TR4lGGUtmdeiyUgymzp3yVVYNgf+t4LO/+CIK8uFQAA+cx xNlj5NXS5+vyy2bQ8paZIw0B0pInOSvxQywwLPr8hv0gnOLMTmBPwPAsJsW4wwFe6CIHSNW1 Ctj7N4X/CwAzGZ1s8jTuWXoaJT7UaycXQpi8mRnMBoDM/mS/xiKMlXPbAbKgbhaVpziTNJzo IX3KjUN/6ZGVnN22b886q+lffrx5QYuxHwIA0gHzJiBopEjrOQ==
Organization: CZ.NIC
Message-ID: <80718001-4929-de0f-870c-b3f081e64a31@nic.cz>
Date: Thu, 21 May 2020 09:59:59 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US-large
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.102.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/_Zf5TGVAcUfPRrQ_7o_NPnmnlZs>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2020 08:00:09 -0000
On 19. 05. 20 11:24, Peter van Dijk wrote: > Hello DNS privacy people, > > please find below all details about our proposal for enabling DoT from > resolver to authoritative. > > This work is based on Manu Bretelle's presentation in Prague over a > year ago, after which we spent a lot of time figuring out how to > squeeze the DoT signal and key pin into the constraints of DNSKEY/DS > records. > > We have some running code (linked in the draft) to show feasibility of > the approach. > > The draft is managed on GitHub in .md format at > https://github.com/PowerDNS/parent-signals-dot/tree/master/draft-vandijk-dprive-ds-dot-signal-and-pin I support this. It is hacky but has very nice properties which are not explicitly described in the document: - It does not require any extra round-trips to determine if DoT is supported on the auth side. - Is downgrade-resistant. - Potentially closes all cleartext leaks (if parent domains are also secured). - DS "compatibility" makes it deployable in practice. - CDS/CDNSKEY makes management from auth side easier. Personally I think any proposal which requires major protocol changes (e.g. new parent-side record type) will take many years to get deployed, so this seems like feasible way forward. Petr Špaček @ CZ.NIC > > Looking forward to your comments, > Peter, Manu & Robin > > -------- Forwarded Message -------- > From: internet-drafts@ietf.org > To: Peter van Dijk <peter.van.dijk@powerdns.com>, Emmanuel Bretelle < > chantra@fb.com>, Robin Geuze <robing@transip.nl> > Subject: [EXT] New Version Notification for draft-vandijk-dprive-ds- > dot-signal-and-pin-00.txt > Date: Tue, 19 May 2020 02:18:23 -0700 > > A new version of I-D, draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt > has been successfully submitted by Peter van Dijk and posted to the > IETF repository. > > Name: draft-vandijk-dprive-ds-dot-signal-and-pin > Revision: 00 > Title: Signalling Authoritative DoT support in DS records, with key pinning > Document date: 2020-05-19 > Group: Individual Submission > Pages: 10 > URL: https://www.ietf.org/internet-drafts/draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt > Status: https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/ > Htmlized: https://tools.ietf.org/html/draft-vandijk-dprive-ds-dot-signal-and-pin-00 > Htmlized: https://datatracker.ietf.org/doc/html/draft-vandijk-dprive-ds-dot-signal-and-pin > > > Abstract: > This document specifies a way to signal the usage of DoT, and the > pinned keys for that DoT usage, in authoritative servers. This > signal lives on the parent side of delegations, in DS records. To > ensure easy deployment, the signal is defined in terms of (C)DNSKEY. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat
- [dns-privacy] [Fwd: New Version Notification for … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Mikael Abrahamsson
- Re: [dns-privacy] [Fwd: New Version Notification … Jeremy Harris
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ondřej Surý
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Stephen Farrell
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Shumon Huque
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- [dns-privacy] re-evaluation of the draft, was Re:… Paul Wouters
- Re: [dns-privacy] re-evaluation of the draft, was… Robin Geuze
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … John Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Christian Huitema
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … John R Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John Levine
- Re: [dns-privacy] bootstrapping NS names, was re-… Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John R Levine