Re: [dns-privacy] [Ext] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)

Paul Hoffman <paul.hoffman@icann.org> Wed, 20 September 2023 21:41 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Paul Wouters <paul@nohats.ca>
CC: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "draft-ietf-dprive-unilateral-probing@ietf.org" <draft-ietf-dprive-unilateral-probing@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "brian@innovationslab.net" <brian@innovationslab.net>, Tim Wicinski <tjw.ietf@gmail.com>
Date: Wed, 20 Sep 2023 21:41:00 +0000
Message-ID: <DAB97721-531B-4373-A2E8-869066EC2107@icann.org>
References: <169515596369.29731.2162345695284193885@ietfa.amsl.com> <C2BFFD12-6C91-4433-91B1-0D6F15B3A446@icann.org> <6f68e771-fd77-3019-6f8b-ea477acb7b78@nohats.ca>
In-Reply-To: <6f68e771-fd77-3019-6f8b-ea477acb7b78@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/e8wfPGO5DfRWAY2CrYxG-CB5ki4>


> On Sep 20, 2023, at 2:32 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Tue, 19 Sep 2023, Paul Hoffman wrote:
> 
>> We don't know. It was pointed out in the WG discussion that some PKIX libraries do different types of verification regardless of what you want them to do.
> 
>> Yes, exactly. Even if you can't stop your library from verifying, you must be able to ignore the verification failures.
> 
> That might not be the case. As with "null encryption", these modes are
> more and more being removed from code bases to avoid exploits.

At that point, you couldn't use the library any more, correct?

> I also do find the value of using self-signed certs over ACME certs
> on the auth server pretty low. It's pretty easy to give a nameserver
> with a static name an automatic ACME based certificate. With the
> "opportunistic" part being that if the cert fails, to go back to do53.

Is there widespread availability for "ACME certs" for authoritative DNS name servers that have no web server component reasonably available now? When I looked a few years ago, they weren't at all.

--Paul Hoffman
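The profile the two Pauls are arguing about is: encrypt if you can, treat a certificate that does not verify as no worse than one that does, and drop back to cleartext Do53 only when no encrypted channel can be set up at all (without hammering a server that just failed). The sketch below is an added example written for this page; it is not code from draft-ietf-dprive-unilateral-probing, from either author, or from any resolver. The timer values, the state names, the simulated outcomes, and the simplified decision logic (the draft's own procedure, including how a probe runs alongside the Do53 query, is not reproduced) are assumptions for illustration. The one library-specific detail it does show is real: Python's ssl module lets you turn verification off, but only if check_hostname is cleared first.

```python
"""Opportunistic DoT probing toward an authoritative server, with Do53 fallback.

Added example for this thread; not code from draft-ietf-dprive-unilateral-probing
or from either author. Timer values, state names and the simulated outcomes are
assumptions chosen for illustration.
"""
import ssl
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple

# Assumed policy timers (hypothetical values; the draft defines its own).
PERSISTENCE_S = 3 * 24 * 3600   # keep preferring DoT this long after a success
DAMPING_S = 24 * 3600           # after a failure, stay on Do53 this long


def strict_context() -> ssl.SSLContext:
    """Normal PKIX client: verifies chain and name; a self-signed cert is fatal."""
    return ssl.create_default_context()


def opportunistic_context() -> ssl.SSLContext:
    """Encrypt-only client: the handshake still runs, but verification
    failures (self-signed, expired, wrong name) do not abort it.

    Order matters in Python's ssl module: check_hostname must be cleared
    before verify_mode is set to CERT_NONE, otherwise ValueError is raised.
    A library with no equivalent switch cannot implement this profile at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True if the context would abort the handshake on a bad certificate."""
    return ctx.verify_mode != ssl.CERT_NONE


class Outcome(Enum):
    """What one DoT attempt against the server produced."""
    OK = "tls up, certificate verified"
    UNAUTHENTICATED = "tls up, certificate did not verify"
    HANDSHAKE_FAILED = "no tls session (refused, reset, protocol error)"
    TIMEOUT = "no answer within the probe timeout"


# Both give an encrypted channel; only authentication differs, and this
# profile does not require authentication, so both count as success.
ENCRYPTED = {Outcome.OK, Outcome.UNAUTHENTICATED}


@dataclass
class ServerState:
    """Per-server-address memory kept by the resolver (simplified)."""
    status: str = "unknown"      # "unknown" | "encrypted" | "bad"
    stamp: float = 0.0           # time of the event that set `status`
    attempts: int = 0            # DoT attempts actually made

    def mode(self, now: float) -> str:
        if self.status == "encrypted" and now - self.stamp < PERSISTENCE_S:
            return "dot"         # recent success: keep using DoT
        if self.status == "bad" and now - self.stamp < DAMPING_S:
            return "do53"        # recent failure: do not even try
        return "probe"           # unknown, or timers expired: try DoT


def resolve(state: ServerState, now: float,
            attempt_dot: Callable[[], Outcome]) -> str:
    """Pick the transport for one query and update the server's state.

    Returns "dot" or "do53", the transport the query actually used.
    """
    if state.mode(now) == "do53":
        return "do53"            # damped: straight to cleartext, no attempt
    state.attempts += 1
    outcome = attempt_dot()
    if outcome in ENCRYPTED:
        state.status, state.stamp = "encrypted", now
        return "dot"
    state.status, state.stamp = "bad", now
    return "do53"                # could not encrypt: fall back, start damping


def simulate(events: List[Tuple[float, Outcome]]) -> Tuple[List[str], int]:
    """Replay constructed (time, would-be DoT outcome) pairs against one server.

    Returns the transport used per event and the number of DoT attempts made.
    """
    state = ServerState()
    used = [resolve(state, t, lambda o=outcome: o) for t, outcome in events]
    return used, state.attempts


# Constructed timeline (seconds from start); not captured from a real resolver.
SAMPLE_EVENTS = [
    (0.0, Outcome.UNAUTHENTICATED),            # self-signed cert: still "dot"
    (60.0, Outcome.OK),
    (120.0, Outcome.HANDSHAKE_FAILED),         # fall back to Do53, start damping
    (180.0, Outcome.OK),                       # inside damping: no attempt made
    (120.0 + DAMPING_S + 1, Outcome.TIMEOUT),  # damping over: probe, fails again
    (120.0 + 2 * DAMPING_S + 2, Outcome.OK),   # probe succeeds: back on DoT
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```

The point of the two context builders is the one Hoffman is making: the verification switch has to exist and has to be honoured, because the only alternative to "encrypted but unauthenticated" here is "not encrypted", and a library that removes the switch (Wouters' concern) leaves the resolver nothing to fall back to except Do53 every time.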