Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)

Rob Sayre <sayrer@gmail.com> Fri, 07 February 2020 04:07 UTC

Message-ID: <CAChr6SxY9Lp4f67VHBhDZE_G6fXeU7E1s5OMmVeFBKyEDZGiDg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Eric Rescorla <ekr@rtfm.com>, Tim Wicinski <tjw.ietf@gmail.com>, Adam Roach <adam@nostrum.com>, Brian Dickson <brian.peter.dickson@gmail.com>, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org, draft-ietf-dprive-bcp-op@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/f6GXLULI26LbM-JGT8PPFzCaGAQ>

On Thu, Feb 6, 2020 at 5:14 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

>
> TLS also punts the key-management story to be out of scope.
> We have a lot of worked examples of the Web PKI failing (and also have lots
> of people working really hard to get it to improve, which I greatly
> appreciate), but given that the recursive has no way of knowing what the
> DNS client is planning to do (and that some ~20% of web traffic does not
> use TLS), it's hard for me to argue that this document is making the wrong
> recommendation about DNSSEC validation.
>

Maybe it would be more diplomatic for the document to state that additional
validation might help. DNSSEC is one existing mechanism, but other options
like PSKs of various types (e.g. PAKE) exist.

thanks,
Rob