Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritativen
Paul Wouters <paul@nohats.ca> Wed, 12 August 2020 01:50 UTC
Date: Tue, 11 Aug 2020 21:49:57 -0400
From: Paul Wouters <paul@nohats.ca>
To: dprive@ietf.org
In-Reply-To: <94c6f6d2bcd2c4c2bd2d08ed6cf9cd271059ec1b.camel@powerdns.com>
Message-ID: <alpine.LRH.2.23.451.2008112144100.99493@bofh.nohats.ca>
References: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org> <CAHbrMsAEUFT7GOTm5Dbq9PCMEA+4maJQ32t_R-SbYVyztqVBDA@mail.gmail.com> <alpine.LRH.2.23.451.2008062244030.618007@bofh.nohats.ca> <94c6f6d2bcd2c4c2bd2d08ed6cf9cd271059ec1b.camel@powerdns.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/etJRouEfAX2y_budGQn5xsz8AVg>
On Mon, 10 Aug 2020, Peter van Dijk wrote:

> On Thu, 2020-08-06 at 23:04 -0400, Paul Wouters wrote:
>>
>> In the case of encrypted DNS to authoritative servers, those servers
>> obviously can have a cryptographic ID based on FQDN.
>
> This is not obvious. It would be great if it was; but it isn't.

Sorry, I did not realise it was not obvious to everyone, so let me
clarify:

    _853._dot.ns0.nohats.ca. IN TLSA <blob>
    _443._doh.ns0.nohats.ca. IN TLSA <blob>

This uses the unique FQDN of each nameserver's name. You can have
multiple TLSA records if you use different keys on some of your
nameservers (e.g. some outsourced to an ANYcloud provider).

Note that this scales with the nameserver. For example, by publishing
the above, the libreswan.org domain would also have dot/doh published
as it is using the same nameservers.

I would not understand why one would insert another PKI system to
identify nameservers as. It would just add dependencies and different
protocols to the solution.

Paul
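As an added illustration (not part of the mail or of any project code), the lookup a resolver would do under the scheme above: derive the `_853._dot.` / `_443._doh.` TLSA owner name from the nameserver FQDN, then match the TLS key the nameserver presents against the published records. The zone data, SPKI bytes and TLSA values are constructed stand-ins; only DANE-EE usage 3, selector 1 (SPKI), matching type 1 (SHA-256) is handled, and the second zone shares the first zone's nameservers to show that it needs no TLSA records of its own.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for NS lookups; not real zone data.
NS_RECORDS = {
    "nohats.ca.": ["ns0.nohats.ca.", "ns1.nohats.ca."],
    "libreswan.org.": ["ns0.nohats.ca.", "ns1.nohats.ca."],  # same nameservers
}

# Constructed stand-ins for each nameserver's SubjectPublicKeyInfo bytes.
SPKI_NS0 = b"constructed-spki-ns0"
SPKI_NS1 = b"constructed-spki-ns1"  # outsourced nameserver with a different key

def spki_sha256(spki: bytes) -> str:
    """Matching type 1: SHA-256 over the selector data (here the SPKI)."""
    return hashlib.sha256(spki).hexdigest()

@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE
    selector: int  # 1 = SubjectPublicKeyInfo
    mtype: int     # 1 = SHA-256
    data: str      # hex digest

# Constructed TLSA RRsets keyed by owner name; ns1 has no DoH record on purpose.
TLSA_RECORDS = {
    "_853._dot.ns0.nohats.ca.": [TLSA(3, 1, 1, spki_sha256(SPKI_NS0))],
    "_443._doh.ns0.nohats.ca.": [TLSA(3, 1, 1, spki_sha256(SPKI_NS0))],
    "_853._dot.ns1.nohats.ca.": [TLSA(3, 1, 1, spki_sha256(SPKI_NS1))],
}

PORTS = {"dot": 853, "doh": 443}

def tlsa_owner(ns_name: str, transport: str) -> str:
    """Owner name derived from the nameserver FQDN, e.g. _853._dot.ns0.nohats.ca."""
    return f"_{PORTS[transport]}._{transport}.{ns_name}"

def matches(record: TLSA, presented_spki: bytes) -> bool:
    if (record.usage, record.selector, record.mtype) != (3, 1, 1):
        return False  # unsupported parameters count as no match, never as success
    return record.data == spki_sha256(presented_spki)

def authenticate_nameserver(zone: str, ns_name: str, transport: str, presented_spki: bytes):
    """Return (tlsa_published, authenticated) for a nameserver that serves `zone`."""
    if ns_name not in NS_RECORDS.get(zone, []):
        raise ValueError(f"{ns_name} is not a nameserver for {zone}")
    rrset = TLSA_RECORDS.get(tlsa_owner(ns_name, transport), [])
    if not rrset:
        return (False, False)  # nothing published: at best opportunistic encryption
    return (True, any(matches(r, presented_spki) for r in rrset))
```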