Re: [dns-privacy] how can we ADoT?
Tony Finch <dot@dotat.at> Wed, 11 November 2020 20:25 UTC
Date: Wed, 11 Nov 2020 20:25:49 +0000
From: Tony Finch <dot@dotat.at>
To: Eric Rescorla <ekr@rtfm.com>
cc: DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CABcZeBOv6Ne71ydHb4S9m--5Yqhthe1uMWa=vxA9efvJd7uUbg@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.2011112014210.17264@grey.csi.cam.ac.uk>
References: <alpine.DEB.2.20.2011111856160.17264@grey.csi.cam.ac.uk> <CABcZeBOv6Ne71ydHb4S9m--5Yqhthe1uMWa=vxA9efvJd7uUbg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/gxUfpIQ0yxzl8aEuVtrq1V9t7rk>
Eric Rescorla <ekr@rtfm.com> wrote:

> On Wed, Nov 11, 2020 at 11:07 AM Tony Finch <dot@dotat.at> wrote:
>
> > 2. Signal in an EDNS [@?RFC6891] or DSO [@?RFC8490] option: the
> > resolver starts by connecting in the clear, and upgrades to an
> > encrypted connection if the authoritative server supports it.
> >
> > This is vulnerable to downgrade attacks. The initial cleartext
> > connection adds latency, and would need to be specified carefully
> > to avoid privacy leaks.
>
> It's worth noting that one could add an HSTS-like mechanism here. Given
> that a lot of requests are probably return customers, this would likely
> result in quite a lot of lift.

Good point, thanks! I haven't thought about this option enough.

One thing that will make it more tricky is nameserver aliases: it's
relatively common for NS records to refer to servers by names that the
server operator does not know. So I expect that an in-band upgrade to
TLS will have to use IP-address-based authentication, if any.

A nice thing about TLSA records is they also tell the client what name
to look for in the server's cert. (I need to make that more explicit in
my notes.)

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Trafalgar: In southeast, easterly 4 to 6. In northwest, southwesterly 5 to 7,
becoming cyclonic 4 or 5 later. In southeast, moderate. In northwest, moderate
becoming rough. In southeast, fair. In northwest, showers. Good.
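The two mechanisms discussed in the exchange above, as an added worked example that is not part of the thread or of Tony's draft: a resolver-side, HSTS-like "this server did TLS" cache keyed by the nameserver's IP address rather than its name (because of the NS alias problem), and TLSA (RFC 6698) matching on both the publishing and the verifying side. Assumptions, all mine: the TLSA owner name `_853._tcp.<nameserver>` (the RFC 6698 port/protocol convention applied to the DoT port), a pin lifetime of one hour, the `192.0.2.53` documentation address, and certificates represented as constructed byte strings rather than parsed X.509 (real code would take the DER and SubjectPublicKeyInfo from the TLS handshake). Only DANE-EE and DANE-TA usages are handled; the PKIX-dependent usages are refused rather than approximated.

```python
"""Added example, not from the thread: resolver-side ADoT upgrade policy.
Certificates are constructed byte strings, not real X.509 objects."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

DOT_PORT = 853  # assumption: TLSA published under the DoT port, RFC 6698 style


def tlsa_owner_name(ns_name: str) -> str:
    """Owner name to query for a nameserver's TLSA record: _853._tcp.<ns name>."""
    return f"_{DOT_PORT}._tcp.{ns_name.rstrip('.')}."


@dataclass(frozen=True)
class Cert:
    """Stand-in for a DER certificate; real code gets the SPKI from an X.509 parser."""
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (0 and 1 need PKIX validation, not handled)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def _selected(selector: int, cert: Cert) -> bytes:
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unknown selector {selector}")


def _digest(matching: int, blob: bytes) -> bytes:
    if matching == 0:
        return blob
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_for(cert: Cert, usage: int, selector: int, matching: int) -> TLSA:
    """Zone side: the record the server operator publishes for `cert`."""
    return TLSA(usage, selector, matching, _digest(matching, _selected(selector, cert)))


def tlsa_matches(record: TLSA, chain: List[Cert]) -> bool:
    """Client side: does the presented chain (chain[0] = end-entity) satisfy `record`?"""
    if record.usage == 3:
        candidates = chain[:1]   # DANE-EE: only the leaf counts
    elif record.usage == 2:
        candidates = chain[1:]   # DANE-TA: an issuer in the chain (path validation
    else:                        # from that anchor is omitted in this sketch)
        return False             # PKIX-TA / PKIX-EE: refuse rather than guess
    return any(
        hmac.compare_digest(_digest(record.matching, _selected(record.selector, c)), record.data)
        for c in candidates
    )


class FakeClock:
    """Controllable clock so the pin cache can be exercised without sleeping."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class UpgradePins:
    """HSTS-like memory: once a server IP has completed TLS, insist on it until expiry.
    Keyed by IP, not name: with NS aliases the name the resolver used may be one the
    operator has never heard of, so name-based authentication is not available."""
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._expires: Dict[str, float] = {}

    def pin(self, ip: str, max_age: float) -> None:
        self._expires[ip] = self._clock() + max_age

    def pinned(self, ip: str) -> bool:
        exp = self._expires.get(ip)
        if exp is None:
            return False
        if exp <= self._clock():
            del self._expires[ip]  # pin expired: back to ordinary probing
            return False
        return True


def choose_transport(ip: str, pins: UpgradePins, advertises_tls: bool) -> str:
    """Decision after the cleartext probe: 'tls', 'cleartext', or 'refuse' (downgrade)."""
    if advertises_tls:
        return "tls"
    return "refuse" if pins.pinned(ip) else "cleartext"


def demo_downgrade() -> List[str]:
    """First contact, a pinned re-contact that has lost the TLS signal, then pin expiry."""
    clock = FakeClock()
    pins = UpgradePins(clock)
    ip = "192.0.2.53"             # constructed documentation address
    decisions = [choose_transport(ip, pins, advertises_tls=True)]
    pins.pin(ip, max_age=3600)    # pin only once the TLS handshake actually succeeded
    clock.now += 60
    decisions.append(choose_transport(ip, pins, advertises_tls=False))
    clock.now += 3600
    decisions.append(choose_transport(ip, pins, advertises_tls=False))
    return decisions              # ["tls", "refuse", "cleartext"]
```

The pin is set after a successful handshake, not on seeing the EDNS/DSO signal, for the same reason HSTS only honours the header over HTTPS: an on-path attacker who can strip the signal could otherwise also forge it. The TLSA half does not check the name in the server certificate; with DANE-EE that check is unnecessary, and with DANE-TA it is the TLSA owner name that tells the client which name to look for, which is the point Tony makes above.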