Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritativen

Paul Wouters <paul@nohats.ca> Wed, 12 August 2020 01:50 UTC

Date: Tue, 11 Aug 2020 21:49:57 -0400
From: Paul Wouters <paul@nohats.ca>
To: dprive@ietf.org
In-Reply-To: <94c6f6d2bcd2c4c2bd2d08ed6cf9cd271059ec1b.camel@powerdns.com>
Message-ID: <alpine.LRH.2.23.451.2008112144100.99493@bofh.nohats.ca>
References: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org> <CAHbrMsAEUFT7GOTm5Dbq9PCMEA+4maJQ32t_R-SbYVyztqVBDA@mail.gmail.com> <alpine.LRH.2.23.451.2008062244030.618007@bofh.nohats.ca> <94c6f6d2bcd2c4c2bd2d08ed6cf9cd271059ec1b.camel@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/etJRouEfAX2y_budGQn5xsz8AVg>
Subject: Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritativen

On Mon, 10 Aug 2020, Peter van Dijk wrote:

> On Thu, 2020-08-06 at 23:04 -0400, Paul Wouters wrote:
>>
>> In the case of encrypted DNS to authoritative servers, those servers
>> obviously can have a cryptographic ID based on FQDN.
>
> This is not obvious. It would be great if it was; but it isn't.

Sorry, I did not realise it was not obvious to everyone, so let me
clarify:

_853._dot.ns0.nohats.ca. IN TLSA <blob>
_443._doh.ns0.nohats.ca. IN TLSA <blob>

This uses the unique FQDN of each nameserver's name. You can have
multiple TLSA records if you use different keys on some of your
nameservers (e.g. some outsourced to an ANYcloud provider).

Note that this scales with the nameserver. For example, by publishing the
above, the libreswan.org domain would also have dot/doh published as it
is using the same nameservers.

I would not understand why one would insert another PKI system to
identify nameservers. It would just add dependencies and different
protocols to the solution.

Paul
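The TLSA-per-nameserver scheme sketched in the message above, worked through as an added example (this is not code from the thread, from nohats.ca, or from any DNS software project). It builds the owner names in the message's own `_853._dot` / `_443._doh` form (RFC 6698 itself names the transport, e.g. `_853._tcp`), computes the certificate-association data for a certificate, and checks what a resolver would do after connecting: compare the certificate the authoritative server presented against the TLSA records published under that nameserver's FQDN, accepting any one of several records. The certificate is a constructed DER skeleton with placeholder names, key bits and signature, just enough structure for the SubjectPublicKeyInfo walker; nothing in it is a real key. Only DANE-EE (usage 3) matching is implemented, since the other usages need chain processing.

```python
import hashlib
from dataclasses import dataclass


def tlsa_owner(ns_fqdn: str, port: int, proto_label: str) -> str:
    """Owner name in the message's scheme, e.g. _853._dot.ns0.nohats.ca.
    (RFC 6698 uses the transport label instead, e.g. _853._tcp.ns0.nohats.ca.)"""
    return f"_{port}._{proto_label}.{ns_fqdn.rstrip('.')}."


# ---- minimal DER helpers: enough to get from Certificate to SubjectPublicKeyInfo ----
def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a definite DER length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate (TLSA selector 1).
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert_body, 0)
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                 # explicit [0] version present
        pos = nxt
    for _ in range(5):              # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)
    return tbs[pos:end]


# ---- TLSA record handling ----
@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: the end-entity certificate itself must match
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    target = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return target
    if mtype == 1:
        return hashlib.sha256(target).digest()
    if mtype == 2:
        return hashlib.sha512(target).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def tlsa_for(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """The record an operator would publish for this certificate (3 1 1 by default)."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))


def tlsa_matches(rec: TLSA, presented_cert_der: bytes) -> bool:
    """Does the certificate presented on the DoT/DoH connection satisfy this record?"""
    if rec.usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is checked in this example")
    return rec.data == association_data(presented_cert_der, rec.selector, rec.mtype)


def verify_presented(records: dict, owner: str, presented_cert_der: bytes) -> bool:
    """Accept if any TLSA record under `owner` matches; several records are expected
    when some nameservers (e.g. outsourced ones) use different keys."""
    return any(tlsa_matches(r, presented_cert_der) for r in records.get(owner, []))


def to_presentation(rec: TLSA) -> str:
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"


def parse_tlsa(text: str) -> TLSA:
    u, s, m, hexdata = text.split(None, 3)
    return TLSA(int(u), int(s), int(m), bytes.fromhex("".join(hexdata.split())))


def constructed_cert(key_byte: int = 0x42) -> bytes:
    """Constructed test input shaped like an X.509 certificate: empty names,
    placeholder key bits and signature. key_byte varies the 'public key'."""
    algid = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")))       # id-ecPublicKey
    spki = der(0x30, algid + der(0x03, b"\x00\x04" + bytes([key_byte]) * 64))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)                                # placeholders
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00" + b"\x99" * 64))


if __name__ == "__main__":
    cert = constructed_cert()
    owner = tlsa_owner("ns0.nohats.ca", 853, "dot")
    print(f"{owner} IN TLSA {to_presentation(tlsa_for(cert))}")
    print("match:", verify_presented({owner: [tlsa_for(cert)]}, owner, cert))
```

The selector choice is the operational point worth noticing: a `3 1 1` record pins the nameserver's key, so a reissued certificate with the same key keeps matching, while a `3 0 1` record has to be republished on every reissuance.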