Re: [dns-privacy] [Ext] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)

Peter Thomassen <peter@desec.io> Wed, 20 September 2023 21:45 UTC

Message-ID: <64486814-7dc2-2129-1257-2943551500b7@desec.io>
Date: Wed, 20 Sep 2023 14:44:53 -0700
To: Paul Hoffman <paul.hoffman@icann.org>, Paul Wouters <paul@nohats.ca>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "draft-ietf-dprive-unilateral-probing@ietf.org" <draft-ietf-dprive-unilateral-probing@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "brian@innovationslab.net" <brian@innovationslab.net>, Tim Wicinski <tjw.ietf@gmail.com>
References: <169515596369.29731.2162345695284193885@ietfa.amsl.com> <C2BFFD12-6C91-4433-91B1-0D6F15B3A446@icann.org> <6f68e771-fd77-3019-6f8b-ea477acb7b78@nohats.ca> <DAB97721-531B-4373-A2E8-869066EC2107@icann.org>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <DAB97721-531B-4373-A2E8-869066EC2107@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/j4rYwpLPaad8kXP66LU9l6blqis>

Paul,

On 9/20/23 14:41, Paul Hoffman wrote:
>> I also do find the value of using self-signed certs over ACME certs
>> on the auth server pretty low. It's pretty easy to give a nameserver
>> with a static name an automatic ACME based certificate. With the
>> "opportunistic" part being that if the cert fails, to go back to Do53.
> 
> Is there widespread availability for "ACME certs" for authoritative DNS name servers that have no web server component reasonably available now? When I looked a few years ago, they weren't at all.

Yes, via the DNS challenge, which shouldn't really be a challenge for an auth: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

Peter

-- 
https://desec.io/
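The dns-01 challenge the reply points to is fully specified in RFC 8555 (key authorization in section 8.1, DNS record in section 8.4) and RFC 7638 (JWK thumbprint). The following is an added worked example, not code from the thread or from any ACME client; it computes the TXT record an authoritative nameserver's operator would publish at _acme-challenge.<nameserver hostname> and the check the CA performs after resolving it. The account key, token and hostname are constructed sample values, not real credentials.

```python
"""ACME dns-01 challenge: what the zone holder publishes and what the CA checks.

Added example; follows RFC 8555 sections 8.1 and 8.4 and RFC 7638 section 3.
"""
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: the members that enter the thumbprint, per key type.
# Any other JWK member (alg, kid, use, ...) is deliberately ignored.
_REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),   # RFC 8037 section 2
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere (RFC 8555 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographically
    ordered, serialized as JSON with no whitespace."""
    kty = jwk.get("kty")
    if kty not in _REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    try:
        canonical = {m: jwk[m] for m in _REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK lacks required member {missing}") from None
    # sort_keys + compact separators produce exactly the byte string RFC 7638 hashes.
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (owner name, TXT rdata) the zone holder must publish for dns-01.

    RFC 8555 8.4: the TXT value is base64url(SHA-256(key authorization)); for a
    wildcard identifier the record goes at the base name.
    """
    name = identifier.lower().rstrip(".")
    name = name.removeprefix("*.")
    owner = f"_acme-challenge.{name}."
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return owner, b64url(digest)


def validate_dns01(txt_rrset: list[str], identifier: str, token: str, account_jwk: dict) -> bool:
    """The CA's side: after resolving the TXT RRset, accept if any record matches.

    Several records may legitimately coexist (parallel orders, stale records), so
    the CA must not require the RRset to contain exactly one value.
    """
    _, expected = dns01_record(identifier, token, account_jwk)
    return any(hmac.compare_digest(rr, expected) for rr in txt_rrset)


# Constructed sample input (not a real account key, token or nameserver).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "alg": "ES256",   # present in many account JWKs; must not change the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_NAMESERVER = "ns1.example.net"


if __name__ == "__main__":
    owner, rdata = dns01_record(SAMPLE_NAMESERVER, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'{owner} IN TXT "{rdata}"')
    # A nameserver authoritative for its own hostname's zone can add this record
    # directly, which is why dns-01 fits the case discussed in the thread.
    print("CA check:", validate_dns01([rdata], SAMPLE_NAMESERVER, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

Two details matter in practice: the thumbprint must be computed over the required JWK members only (an account key serialized with an extra "alg" or "kid" member still yields the same value), and the CA queries the TXT name from the authoritative servers directly, so a nameserver that also hosts the zone of its own hostname can publish the record in that zone and complete the challenge without any web server component.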