IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Intermediate proposal (what I was saying at the mic)

"libor.peltan" <libor.peltan@nic.cz> Wed, 04 August 2021 07:56 UTC

Return-Path: <libor.peltan@nic.cz>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0133A0B8D for <dns-privacy@ietfa.amsl.com>; Wed, 4 Aug 2021 00:56:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.4
X-Spam-Level:
X-Spam-Status: No, score=-0.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fTD1zmHx-dCC for <dns-privacy@ietfa.amsl.com>; Wed, 4 Aug 2021 00:56:19 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C5503A0B8C for <dns-privacy@ietf.org>; Wed, 4 Aug 2021 00:56:18 -0700 (PDT)
Received: from [192.168.1.106] (unknown [193.138.153.8]) by mail.nic.cz (Postfix) with ESMTPSA id A6A7814225B for <dns-privacy@ietf.org>; Wed, 4 Aug 2021 09:56:14 +0200 (CEST)
To: dns-privacy@ietf.org
References: <CABcZeBNRZsyjd-M_hKOwxdqY=Y7oZs5-d4waqPHb9gO-GJNV+Q@mail.gmail.com> <8b2ac283-614e-40d2-b6bf-5e67d5324aaa@www.fastmail.com> <CABcZeBM+rBLgUs+xzyhTOjCFuPdjUDPDMeFL6CAXanDaicC+Pg@mail.gmail.com> <CAHbrMsA3ROoeeDXm_HpXP73uFjVrEQUycQ0OR0e6JE0hCoS1sw@mail.gmail.com> <5EEBC284-71B3-4308-B5C6-AF3847A6ED36@icann.org> <CAHbrMsCN9N=sV2xtc5b9QFeSSCsr65wXEEZ+d6DSTNbRxRt8GQ@mail.gmail.com> <66A4FCE3-A07A-4177-A596-17B660FB3535@icann.org> <CAHbrMsBT5VDYSKL9Pn8iq3uCMVAn6qc+Hd8PYfxUR2nxs5tp9w@mail.gmail.com>
From: "libor.peltan" <libor.peltan@nic.cz>
Message-ID: <73791df6-098b-ecf0-e776-58a160cd936f@nic.cz>
Date: Wed, 04 Aug 2021 09:56:14 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <CAHbrMsBT5VDYSKL9Pn8iq3uCMVAn6qc+Hd8PYfxUR2nxs5tp9w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------96D2A0C856E393382B4DD2AE"
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.102.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/iTDFeJQXTXc7V2CwMWjLl5zo5Kg>
Subject: Re: [dns-privacy] [Ext] Intermediate proposal (what I was saying at the mic)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2021 07:56:24 -0000

I think that if we decide to employ DS the new way to signal the desired 
transport protocol, the CDS->DS mechanism might still be used to 
"upload" those DSs to the parent (however, it's not allowed by current 
RFCs, since CDNSKEY is required whenever CDS exists). (I don't conclude 
if this has any effect of usefulness of SVCB at the child apex or just 
permanent CDS there.)

Libor

Dne 03. 08. 21 v 23:30 Ben Schwartz napsal(a):
>
>
> On Tue, Aug 3, 2021 at 5:20 PM Paul Hoffman <paul.hoffman@icann.org 
> <mailto:paul.hoffman@icann.org>> wrote:
>
>     On Aug 3, 2021, at 2:06 PM, Ben Schwartz <bemasc@google.com
>     <mailto:bemasc@google.com>> wrote:
>     >
>     > On Tue, Aug 3, 2021 at 4:55 PM Paul Hoffman
>     <paul.hoffman@icann.org <mailto:paul.hoffman@icann.org>> wrote:
>     >> If the WG is going to go to DS in the parent to have a signed
>     signaling response, it would make sense that the signal in the
>     child have an identical format. If we go with that, I'd rather see
>     CDS be used in the child instead of SVCB.
>     >>
>     > I disagree.  CDS is explicitly a signal from the Child to the
>     Parent.
>
>     Yes, exactly. This is the best way to get those DS records in the
>     parent.
>
>
> Quite possibly, yes, but far from the only way.  In fact, CDS record 
> support is not widely deployed at present.
>
>     > It's literally in the name of the RR type.  I would not want all
>     the resolvers in the world to be reading CDS records as part of
>     the iterative resolution process.
>
>     Why is "all the resolvers in the world to be reading" an SVCB
>     record better?
>
>
> In the parent, our RR type choices are constrained by a slow-moving 
> ecosystem, so we may have to reuse the DS RR type in some fashion.  In 
> the child, we don't have this problem, so we can use proper RR types 
> with purpose-designed semantics, zone file representation, and wire 
> format.
>
> I'll put together a more detailed proposal and then we can argue about 
> this some more.
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

v2.23.0 | Report a Bug | By Email