Re: [dns-privacy] how can we ADoT? (with github url)
Tony Finch <dot@dotat.at> Fri, 13 November 2020 17:28 UTC
Return-Path: <dot@dotat.at>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 913993A0FC1 for <dns-privacy@ietfa.amsl.com>; Fri, 13 Nov 2020 09:28:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sNQNpK8G6yAt for <dns-privacy@ietfa.amsl.com>; Fri, 13 Nov 2020 09:28:55 -0800 (PST)
Received: from ppsw-40.csi.cam.ac.uk (ppsw-40.csi.cam.ac.uk [131.111.8.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 740A33A09EE for <dns-privacy@ietf.org>; Fri, 13 Nov 2020 09:28:27 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:37136) by ppsw-40.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1kdcs3-000GdE-mL (Exim 4.92.3) (return-path <dot@dotat.at>); Fri, 13 Nov 2020 17:28:24 +0000
Date: Fri, 13 Nov 2020 17:28:23 +0000
From: Tony Finch <dot@dotat.at>
To: Manu Bretelle <chantr4@gmail.com>
cc: DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CAArYzrLJxJG9ez3ogWj17DsXtEko5DADL-B8ticdE7CJxpZw7Q@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.2011131711150.11642@grey.csi.cam.ac.uk>
References: <alpine.DEB.2.20.2011111856160.17264@grey.csi.cam.ac.uk> <CAArYzrK26rGAxtJVT=-+QY0Ub4bp8eQXoNxuWPwt=9dv9_+h1w@mail.gmail.com> <alpine.DEB.2.20.2011112106040.17166@grey.csi.cam.ac.uk> <CAArYzrL4R7FvbKJ4zVCPVZ4Zz8iBTHQ6PF=66NimtDYd9VuK+A@mail.gmail.com> <alpine.DEB.2.20.2011112249560.17264@grey.csi.cam.ac.uk> <CAArYzrLJxJG9ez3ogWj17DsXtEko5DADL-B8ticdE7CJxpZw7Q@mail.gmail.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/bhr_kxGAD15G80O7QihTFY6_MFM>
Subject: Re: [dns-privacy] how can we ADoT? (with github url)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2020 17:28:57 -0000
Manu Bretelle <chantr4@gmail.com> wrote: > The "cloud provider" case, e.g few name servers for many zones is also > tricky. I prefer to think of this as the normal common case, since I'm not a cloud provider and I have many more zones than servers :-) > I think in those cases, TLSA may be the best bet as this is under > control of the nameserver, not the zone operator. Then there may be issue > with being able to opt people in/out. I think in any cases, if you want to > be able to gradually enroll your customers while giving the the choice to > not be enrolled, you essentially need to provide them with a new NS that > supports ADoT and have them move over. Yes. It can be just different aliases for the same server, where the aliases differ in whether they have associated TLSA records or not. (I need to write more about nameserver aliases.) > That hint could be downgraded, but if not, can be used to fetch the TLSA > record over an unauthenticated TLS connection and then validating it. I > suppose it just obfuscate the zone, which may be useful *if* multiple name > server names are behind the same IP and/or name server name matches the > zone name (because TLSA record would be against name server name, not zone). > Unless the query to the parent zone was using ADoT, that information may > already be known from someone on-path. Yes. (I think I covered all those points in my notes.) Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Fair Isle: South 6 to gale 8. Rough or very rough, occasionally high in northwest. Rain or squally showers. Good, occasionally poor.
- Re: [dns-privacy] how can we ADoT? Eric Rescorla
- [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Hollenbeck, Scott
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Brian Dickson
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Manu Bretelle
- Re: [dns-privacy] how can we ADoT? Stephen Farrell
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? (with github u… Manu Bretelle
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? (with github u… Manu Bretelle
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk