Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?

"John R Levine" <johnl@taugh.com> Fri, 01 November 2019 21:54 UTC

Date: Fri, 01 Nov 2019 17:54:36 -0400
Message-ID: <alpine.OSX.2.21.99999.374.1911011210210.56439@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: dns-privacy@ietf.org
In-Reply-To: <CAH1iCipnKn1yUKX0M1S1dxD8EVetGDF=0Gfo1hp2MgKwhvsqbQ@mail.gmail.com>
References: <CAHbrMsDwDoTQN8Y5Zk7rSVepjwwyatEyAA6f0oJ9DESmAfHfXg@mail.gmail.com> <20191031211222.A6422DBC1C7@ary.qy> <CAH1iCiqYoXMZ0U3yt8AjUXyZVRdDnmHzSpHvYmg++ACZ-U6=zA@mail.gmail.com> <CABcZeBP-k23ZY=f6Lv5A+B+Z_4ar_9ea=G7O+KRriXNLUzKGqw@mail.gmail.com> <CAH1iCiq_HtErNkeq4hWQJnsDJPn1Zxv0uCLX+HK3QcsSzdxRww@mail.gmail.com> <CABcZeBOPWrqCcYWx+ei-O+QC_npfVhj1fG_kVFGFXhWkjyu28g@mail.gmail.com> <CAH1iCipnKn1yUKX0M1S1dxD8EVetGDF=0Gfo1hp2MgKwhvsqbQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hwNwFtHp1bx7pt8FsJIW5nQ3Ujs>
Subject: Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?

> Unfortunately (and I agree that this is unfortunate) the design for DNSSEC
> does not protect the NS record in the parent with a signature.

The real issue here is that the DNS was designed with the assumption that 
you don't care where you get your records from.  The NS delegation is a 
hint, but it's just a hint, e.g., the set of NS in the child zone needn't 
match the parent.  DNSSEC reinforces that by validating the records 
independent of the path.

If we now think that validating the path is a key security feature, I 
wouldn't disagree but we should acknowledge how big a change that is to 
the DNS model.  The changes are not trivial and are likely to be painful.

Regards,
John

PS: there's always dnscurve
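The point that DNSSEC validates records independent of the path can be made concrete by looking at what an RRSIG actually covers. The following is an added example written for this archive page; it is not code from the message author, the dns-privacy working group, or any resolver. It builds the "signed data" of RFC 4034 section 3.1.8.1 (RRSIG RDATA minus the signature, followed by the RRset in canonical form and order) for an NS RRset, then shows that two copies of the same RRset, one from a child authoritative server and one from an unrelated cache, with different record order, name case and decremented TTLs, produce byte-identical signed data, while a substituted NS target does not. The only public-key step omitted is the ECDSA verification over the SHA-256 digest; the digest computed here is the exact input that step would take for algorithm 13. The zone names, server identities, key tag and timestamps are constructed for illustration, and wildcard owner-name synthesis is not handled.

```python
"""RFC 4034 signed-data construction, showing that nothing about the server
that answered enters the DNSSEC signature input.  Added example; the names,
servers, key tag and timestamps below are made up."""
import hashlib
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
ALG_ECDSAP256SHA256 = 13   # algorithm number only; the ECDSA step is not performed


def name_to_wire(name):
    """Canonical wire form of a name: lowercase, uncompressed (RFC 4034 6.2)."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def canonical_rdata(rtype, rdata):
    """RDATA in canonical form: names embedded in NS RDATA are lowercased,
    A RDATA is opaque octets (RFC 4034 6.2)."""
    if rtype == TYPE_NS:
        return name_to_wire(rdata)
    if rtype == TYPE_A:
        return bytes(int(o) for o in rdata.split('.'))
    raise ValueError('unsupported type in this example: %d' % rtype)


def rrsig_rdata_prefix(sig):
    """RRSIG RDATA with the Signature field omitted (RFC 4034 3.1.8.1)."""
    return struct.pack('!HBBIIIH', sig['type_covered'], sig['algorithm'],
                       sig['labels'], sig['original_ttl'], sig['expiration'],
                       sig['inception'], sig['key_tag']) + name_to_wire(sig['signer'])


def signed_data(sig, rrs):
    """RRSIG_RDATA | RR(1) | RR(2) ... with RRs deduplicated and sorted by
    RDATA as left-justified octet strings (RFC 4034 6.3).  rrs is a list of
    (owner, ttl, rdata_text); the type covered comes from the RRSIG.  The
    TTL on the wire is ignored: the RRSIG's Original TTL is what is signed."""
    rtype = sig['type_covered']
    owners = {name_to_wire(o) for (o, _, _) in rrs}
    if len(owners) != 1:
        raise ValueError('an RRset has exactly one owner name')
    owner = owners.pop()
    rdatas = sorted({canonical_rdata(rtype, rd) for (_, _, rd) in rrs})
    out = rrsig_rdata_prefix(sig)
    for rd in rdatas:
        out += owner + struct.pack('!HHIH', rtype, CLASS_IN, sig['original_ttl'], len(rd)) + rd
    return out


def digest_of_response(response):
    """What a validator hashes before checking the signature.  Note that
    response['server'] is never consulted: the path is not part of the input."""
    return hashlib.sha256(signed_data(response['rrsig'], response['answer'])).hexdigest()


# Constructed RRSIG over the example.com NS RRset (no real zone or key).
RRSIG_NS = {
    'type_covered': TYPE_NS, 'algorithm': ALG_ECDSAP256SHA256, 'labels': 2,
    'original_ttl': 3600, 'expiration': 1575158400, 'inception': 1572566400,
    'key_tag': 12345, 'signer': 'example.com.',
}

# Same RRset from the child's own server and from an unrelated cache:
# different order, different case, TTL counted down.  The RRSIG is the same
# object in both because it is a zone record, not something the server makes.
RESPONSE_CHILD = {
    'server': 'ns1.example.com',
    'answer': [('example.com.', 3600, 'ns2.example.com.'),
               ('example.com.', 3600, 'ns1.example.com.')],
    'rrsig': RRSIG_NS,
}
RESPONSE_CACHE = {
    'server': '203.0.113.53',
    'answer': [('EXAMPLE.COM.', 1200, 'NS1.Example.COM.'),
               ('example.com.', 1200, 'ns2.example.com.')],
    'rrsig': RRSIG_NS,
}
# An on-path substitution of one NS target: the signed data no longer matches.
RESPONSE_TAMPERED = {
    'server': '203.0.113.53',
    'answer': [('example.com.', 1200, 'ns1.example.com.'),
               ('example.com.', 1200, 'ns1.attacker.example.')],
    'rrsig': RRSIG_NS,
}


def path_independent(a, b):
    """True when two responses would be checked against the same signature input."""
    return digest_of_response(a) == digest_of_response(b)


if __name__ == '__main__':
    for r in (RESPONSE_CHILD, RESPONSE_CACHE, RESPONSE_TAMPERED):
        print(r['server'].ljust(18), digest_of_response(r))
```

The parent-side NS RRset in a delegation never has an RRSIG of its own, so the same construction cannot be applied to it; only the DS record is signed by the parent. That is the gap Brian's quoted remark refers to, and the example shows why it is structural: the signature input has no field in which the path could be expressed.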