IETF Logo Mail Archive

Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Paul Wouters <paul@nohats.ca> Tue, 19 May 2020 15:46 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AC643A0A01 for <dns-privacy@ietfa.amsl.com>; Tue, 19 May 2020 08:46:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xsHtkAOEr8Ud for <dns-privacy@ietfa.amsl.com>; Tue, 19 May 2020 08:46:25 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 138343A0783 for <dns-privacy@ietf.org>; Tue, 19 May 2020 08:46:24 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 49RKxB5cQxzDmQ; Tue, 19 May 2020 17:46:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1589903182; bh=pTnq0pyNsaVJfnVbGTBQscOmzX3smSmtgMl6/ItC8Fg=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Q+mGRFLvEhgSpITLMNFC9NN12gKkcoLQ/bLZrQwWMqrBxz9RfYCMGaSAhsbg4tkY0 VT80Nm7CNmqvoUJe1jzV6Tjv0hk4q4PdhgmHGkz57pZLblt9o/ECSTT9Dxh+4axyJI Qlt9Z5tr9S67yPdWp7Uj77Vb17iuDxPHWWw7/Yeo=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id rUNJn_d0Knyr; Tue, 19 May 2020 17:46:21 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 19 May 2020 17:46:21 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 43F65601EBCA; Tue, 19 May 2020 11:46:20 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 42CFC65E5F; Tue, 19 May 2020 11:46:20 -0400 (EDT)
Date: Tue, 19 May 2020 11:46:20 -0400
From: Paul Wouters <paul@nohats.ca>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
cc: dns-privacy@ietf.org
In-Reply-To: <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com>
Message-ID: <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/gn8qG8uu6YN-RA2Key8oEJn1jps>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2020 15:46:30 -0000

On Tue, 19 May 2020, Peter van Dijk wrote:

> The draft is managed on GitHub in .md format at
> https://github.com/PowerDNS/parent-signals-dot/tree/master/draft-vandijk-dprive-ds-dot-signal-and-pin

This is ..... interesting.


We first added the KEY RRTYPE in the 1990's to allow generic public
keys in DNS. Then the DNS (and CA) people got upset at the KEY record
being used for something else than securing DNS. So KEY was obsoleted
for DNSKEY that signified it is for DNSSEC only.

This draft now tries to shoehorn a TLS key into the DNSKEY record.

A much cleaner solution would be to use a proper TLSA record. If you
want to signal securely within DNSSEC that encrypted DNS is available,
use a DNSKEY flag on the existing DNSKEYs to signal that (similar to
the DELEGATION_ONLY flag). You only need 1 bit and TLSA records - which
are port specific - can be used to signify presence of DoT or DoH. Or
if you want to support both on port 443 for middleware circumvention,
you can use _dot and _doh prefixed (eg _443._dot.nohats.ca IN TLSA <blob>

The TLSA records can also be of different types, so you can pin the TLSA
record to a pubkey, certificate or specific CA. This would allow the DoH
or DoT maintainer to change/update their keys witout needing to update
or have access to the DNSSEC signer to update the DNS.

Let's not create "pseudo DNS records".

Paul

> Looking forward to your comments,
> Peter, Manu & Robin
>
> -------- Forwarded Message --------
> From: internet-drafts@ietf.org
> To: Peter van Dijk <peter.van.dijk@powerdns.com>, Emmanuel Bretelle <
> chantra@fb.com>, Robin Geuze <robing@transip.nl>
> Subject: [EXT] New Version Notification for draft-vandijk-dprive-ds-
> dot-signal-and-pin-00.txt
> Date: Tue, 19 May 2020 02:18:23 -0700
>
> A new version of I-D, draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt
> has been successfully submitted by Peter van Dijk and posted to the
> IETF repository.
>
> Name:		draft-vandijk-dprive-ds-dot-signal-and-pin
> Revision:	00
> Title:		Signalling Authoritative DoT support in DS records, with key pinning
> Document date:	2020-05-19
> Group:		Individual Submission
> Pages:		10
> URL:            https://www.ietf.org/internet-drafts/draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/
> Htmlized:       https://tools.ietf.org/html/draft-vandijk-dprive-ds-dot-signal-and-pin-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-vandijk-dprive-ds-dot-signal-and-pin
>
>
> Abstract:
>   This document specifies a way to signal the usage of DoT, and the
>   pinned keys for that DoT usage, in authoritative servers.  This
>   signal lives on the parent side of delegations, in DS records.  To
>   ensure easy deployment, the signal is defined in terms of (C)DNSKEY.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>

v2.23.0 | Report a Bug | By Email