IETF Logo Mail Archive

Re: [dns-privacy] [Ext] DS Hacks

Paul Hoffman <paul.hoffman@icann.org> Fri, 30 July 2021 17:34 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD33E3A05A0; Fri, 30 Jul 2021 10:34:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRz_GjqA4aJx; Fri, 30 Jul 2021 10:34:48 -0700 (PDT)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 768993A0596; Fri, 30 Jul 2021 10:34:48 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa4.dc.icann.org (8.16.0.43/8.16.0.43) with ESMTPS id 16UHYks6017013 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 30 Jul 2021 17:34:47 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.12; Fri, 30 Jul 2021 10:34:46 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0858.012; Fri, 30 Jul 2021 10:34:46 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
CC: DNS Privacy Working Group <dns-privacy@ietf.org>
Thread-Topic: [Ext] [dns-privacy] DS Hacks
Thread-Index: AQHXhWkwCLGu8rCRykuYxGDQfyFKeA==
Date: Fri, 30 Jul 2021 17:34:45 +0000
Message-ID: <E0430A84-D844-4B79-B71F-A92A21942329@icann.org>
References: <CAHbrMsAXFiPT_P_hdWXborXnbw3YagjW6aXXvGJnxWbtRofB2g@mail.gmail.com> <5f649d68-94be-579a-31c6-6ad02466cd15@time-travellers.org> <CAHbrMsCj8LzJff7BXwnY4TOcOU2POuZfP4h+fyA6VUKeGpksCQ@mail.gmail.com>
In-Reply-To: <CAHbrMsCj8LzJff7BXwnY4TOcOU2POuZfP4h+fyA6VUKeGpksCQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_A5923DD7-1261-42C0-9217-ACF1ED8E99D2"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-30_11:2021-07-30, 2021-07-30 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ewHfDdC_jKJVLjBv28bi56i5Fyc>
Subject: Re: [dns-privacy] [Ext] DS Hacks
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 17:34:51 -0000

I'm confused here. Are you saying that the DS owner name for an out-of-bailiwick NS would still be the name of that NS? If so, then it seems that you are asking the authoritative to sign a DS record for which it is not authoritative.

A different design that does not require signing records for which you are not authoritative would be to have the DS owner be that of the zone in question, with the DNSName in your structure being as Shane suggested.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email