IETF Logo Mail Archive

Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt

"Reed, Jon" <jreed@akamai.com> Sat, 23 March 2019 00:58 UTC

Return-Path: <jreed@akamai.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE74B1295EC for <dns-privacy@ietfa.amsl.com>; Fri, 22 Mar 2019 17:58:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.851
X-Spam-Level:
X-Spam-Status: No, score=-1.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, KHOP_DYNAMIC=0.85, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1EfnD_pYrVY for <dns-privacy@ietfa.amsl.com>; Fri, 22 Mar 2019 17:58:51 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BACF13119E for <dns-privacy@ietf.org>; Fri, 22 Mar 2019 17:58:51 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2N0vBpV019490; Sat, 23 Mar 2019 00:58:50 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=ZL0zKCAZl8q6DlW54y6ifC/wUmMelCmiVQ/V7EcJirg=; b=biCX8Ai+8yPxgSos/R19hLgDDt8tevD8nmZqLDKwu95wcjm0ZuDdGkqaA27Le4ks3qij mBHryiHWlJHOY8wHS0G6jG2PxGBuFcLcBIvcaMg7Q8IxqefFXMfNPlsz026jJNQiXiZH ZJg/51GN1c6UHpVSfwxbYgJ4XgQj2T8BdVc4SIqqhoKzLtKcBY8gj5tD/GMwdOG0mR8i HQlYx9MLBmrvsYiJ9dWBwyB2ur1PXoGKgH9bSzp3Him6xtE1H8oGyVYGc+rtQiRONMj1 OSoVWNCRjehVP4kUbmm5dqeiQOePWpIFxvpY5EQZy6dO4keE6s+Y8PB3HwOR/4Qwortx Gg==
Received: from prod-mail-ppoint3 (a96-6-114-86.deploy.static.akamaitechnologies.com [96.6.114.86] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 2rcjc4venb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 23 Mar 2019 00:58:50 +0000
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x2N0l8MZ032062; Fri, 22 Mar 2019 20:58:49 -0400
Received: from email.msg.corp.akamai.com ([172.27.25.30]) by prod-mail-ppoint3.akamai.com with ESMTP id 2r8vg04nng-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 22 Mar 2019 20:58:48 -0400
Received: from USTX2EX-DAG3MB6.msg.corp.akamai.com (172.27.27.28) by USTX2EX-DAG3MB3.msg.corp.akamai.com (172.27.27.24) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 22 Mar 2019 19:58:46 -0500
Received: from USTX2EX-DAG3MB6.msg.corp.akamai.com ([172.27.27.28]) by USTX2EX-DAG3MB6.msg.corp.akamai.com ([172.27.27.28]) with mapi id 15.00.1473.003; Fri, 22 Mar 2019 19:58:46 -0500
From: "Reed, Jon" <jreed@akamai.com>
To: manu tman <chantr4@gmail.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt
Thread-Index: AQHU2CrgpgV5awH6UUig5HjUAaFkaqYYh7QA
Date: Sat, 23 Mar 2019 00:58:46 +0000
Message-ID: <6EF66B71-918D-41D4-B784-814804A87D78@akamai.com>
References: <CAArYzrLNWFBPU2p06mOOBD2GFGKCoM65Lh8wN6vpNx8QuDArwA@mail.gmail.com>
In-Reply-To: <CAArYzrLNWFBPU2p06mOOBD2GFGKCoM65Lh8wN6vpNx8QuDArwA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.40.100]
Content-Type: multipart/alternative; boundary="_000_6EF66B71918D41D4B784814804A87D78akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-22_14:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903230004
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-22_14:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903230005
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ayamwNgWyr1366HBwujHpeqKGTA>
Subject: Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2019 00:58:54 -0000

I’m glad to see this proposal, I find it personally preferable to the dnscurve-esque proposal with the base32-encoded NS names.   In both cases, however, the examples assume that the nameservers are in bailiwick for the zone.  This is not going to be true for any side using a cloud authoritative DNS provider, which is fine.

However, I also think it should be possible for cloud providers to offer DoT transparently, without customers needing to opt-in.   (I’m open to rebuttals to that, but I don’t see any obvious drawbacks.)   I’d like to see the ability to scale either of these proposals to cloud services, but I’m not quite sure how that would work.

Consider the following delegation from the gTLD servers:

example.com   3600  IN      NS     ns1.clouddnsprovider.com
example.com   3600  IN      NS     ns2.clouddnsprovider.com

Now, under the clouddnsprovider.com zone, the provider can create the necessary DSPKI or base32-encoded NS records for “clouddnsprovider.com” in the gTLDs.   But under my reading of this proposal, that means DOT would only be used to look up names under “clouddnsprovider.com”, not “example.com”.   But, the recursive _knows_ that ns1.clouddnsprovider.com is capable of doing DoT (assuming TLS negotiation was successful).   Therefore, I think it should be able to use DoT to lookup names under example.com (or indeed, under any domain which has the same (ns name, address) tuple.    I’d like to see this use case explicitly addressed in the text of the draft.

Unfortunately, I’ll only be able to attend the first 10-15 minutes of DPRIVE before I have to leave for the airport, but I’d be happy to discuss this further in a side-meeting or ad-hoc.

Thanks,

Jon


--
Jon Reed <jreed@akamai.com>
Senior Performance Engineer
Nameservers Service Performance



From: manu tman <chantr4@gmail.com>
Date: Monday, March 11, 2019 at 12:52 PM
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt


During earlier discussion (post virtual meeting), there were a mixture of feeling as to where SPKI may be published, here is one proposal bump (through the rush of time) to publish it in the parent zone.


Manu

———



A new version of I-D, draft-bretelle-dprive-dot-for-insecure-delegations-01.txt

has been successfully submitted by Emmanuel Bretelle and posted to the

IETF repository.



Name: draft-bretelle-dprive-dot-for-insecure-delegations

Revision: 01

Title: DNS-over-TLS for insecure delegations

Document date: 2019-03-11

Group: Individual Submission

Pages: 7

URL:  https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_internet-2Ddrafts_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01.txt&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=PTJU2WP56vNJ3OnZN8sxwflDDPzJTP2kbMe7zyinhT8&e=

Status:  https://urldefense.proofpoint..com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations_&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=SSXjldGIOCQ8_CAJnci1qab0INy6UiD75Fu71efQyW4&e=<https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations_&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=SSXjldGIOCQ8_CAJnci1qab0INy6UiD75Fu71efQyW4&e=>

Htmlized:  https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=gwClruoLv-Mu6Sxl37_kCyxOu6Vx5QBV1ppRA0_m5aw&e=

Htmlized:  https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_html_draft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=MyhcqxSfzLUA2UhuM22MPzog5cLn6OxC_EwQPH7Qe6Y&e=

Diff:  https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_rfcdiff-3Furl2-3Ddraft-2Dbretelle-2Ddprive-2Ddot-2Dfor-2Dinsecure-2Ddelegations-2D01&d=DwICaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=aRgHK985qD76PXQaxDKSjA&m=6YEGDy0nuzoKlGCjHJ86Ys_n2UOt0iXWrohw3MEa6zI&s=aXUkzkp72a1sBvkWpiF9xYstuFWDnXcVoJTRRtLN2tA&e=



Abstract:

This document describes an alternative mechanism to DANE ([RFC6698])

in order to authenticate a DNS-over-TLS (DoT [RFC7858]) authoritative

server by not making DNSSEC a hard requirement, making DoT server

authentication available for insecure delegations.









Please note that it may take a couple of minutes from the time of submission

until the htmlized version and diff are available at tools.ietf.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__tools.ietf.org_&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=_xTHEvws93UZ7jl9jhO7Pg&m=Wd41zdFrBer8CbvE8IcsmswCHFw9t1jpnqp_Gc9ifmk&s=4W3NnQBFNBwU4tl-AbrJMTVqBokRnB5hZQQuQZNlinQ&e=>.



The IETF Secretariat

v2.23.0 | Report a Bug | By Email