Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq

Andrew Campling <andrew.campling@419.consulting> Tue, 16 February 2021 16:43 UTC

From: Andrew Campling <andrew.campling@419.consulting>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>, Paul Wouters <paul@nohats.ca>
CC: "dprive@ietf.org" <dprive@ietf.org>
Date: Tue, 16 Feb 2021 16:43:50 +0000
Message-ID: <LO2P265MB057350E2FE02F3736DE7CF0FC2879@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM>
References: <230F580F-BA87-4921-B45B-2909ACE385B1@icann.org> <CABcZeBPcBT0UY-ghaMm_nN+qZ+B0ozmCfK30XX-R05z+PLtqmQ@mail.gmail.com> <137b74ff-887f-056a-74e3-7a80358b5156@cs.tcd.ie> <CABcZeBMyULUznkCVzxb6ufCx1XaT1zKx0jLLwxXhL7hRwMkv+A@mail.gmail.com> <fd132f9d-630e-112d-d777-0e6a7a767e84@cs.tcd.ie> <ff1e6d9-6e66-dadf-2847-3e071b34618@nohats.ca> <1924199049.18518.1613491058715@appsuite-gw1.open-xchange.com>
In-Reply-To: <1924199049.18518.1613491058715@appsuite-gw1.open-xchange.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/LGd91tu5vsAi0bH2myD5T2ZU6uI>

On 16/02/2021 15:58 Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:

> Thanks for noting this. In general, I think that any solution for the authentication of name servers should not depend on the WebPKI. The DNS is a foundational block of the Internet - if it stops working, all services stop working (except those based on the direct use of IP addresses), not just the Web. The DNS should have as few dependencies as possible, and certainly not depend on the policy and security mechanisms of specific application-layer protocols.
> 
> Also, requiring you to acquire a certificate from a Web CA would be quite a change from the traditional model in which you could just run your own zone without having to ask anyone for permission.  It would introduce a gatekeeping role and attribute it to a relatively small set of private parties (again, centralization).  The fact that certificates are currently available for free is not a solution, first because there is no guarantee that they always will be, and second because this does not alleviate the gatekeeping concerns.

+1 to the general points made above about reducing resilience and increasing centralisation - IMHO any developments that increase the current drift towards centralisation should be treated with caution and may well be counter to RFC 8890, ditto those that reduce resilience.  

Andrew