IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Authentication in draft-ietf-dprive-opportunistic-adotq

Eric Rescorla <ekr@rtfm.com> Mon, 15 February 2021 23:07 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F1343A12B8 for <dns-privacy@ietfa.amsl.com>; Mon, 15 Feb 2021 15:07:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AohouHOqq5ff for <dns-privacy@ietfa.amsl.com>; Mon, 15 Feb 2021 15:07:43 -0800 (PST)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 577523A12B7 for <dprive@ietf.org>; Mon, 15 Feb 2021 15:07:43 -0800 (PST)
Received: by mail-lf1-x129.google.com with SMTP id f1so13071487lfu.3 for <dprive@ietf.org>; Mon, 15 Feb 2021 15:07:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sdytV9qZ7hTCtFLthUf8VJ+8Dkevr7GKi/DxOd6YZUY=; b=uqwZwf6V2MxOaccxTmN7EmsCxeMFXQwq28fRFBibeLXDEY/byRbrHk7PP9HJG30foK G/gS5WrAkL2QFf0Wq6LXK1bTPPX5GCVNA5Xf0SPMXO67vJioGfhOpo0RN752UECc5Bld cSqkXmnKh38XguI9JB6A70Oxa238qfqE+ZV+UdVw1Imx+tQAuLPDuYeTBaOb5FU9wHoE 1wsGCviL50vdsbKYXkukOUomXCgKMNKG2jo2EYbaF3zWDgEOqawRmfX+LcNTxguIrSSM S+1XXTaH15w+lZN4dbrCSqbwBq5Mk+YsuMLFj6tkEulc/QftiddHg/aer13Lm0np1kJt 4QPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sdytV9qZ7hTCtFLthUf8VJ+8Dkevr7GKi/DxOd6YZUY=; b=N4TKvOKi8VASO7SoN0AIxeA/6frdsXJpfLCl3b9sYJAVbtOa6e9QKwn03Qt0OsnV0K fmCf418yxfIIeOpbzrx0THdzI15Lqwu5gCtEFyA9BcvCHWd6AxCgBG4gZh3H+znzRzdZ 72nwAsztj2CPoF3dHt257v2PMdbUYIOLg5+AlJtJ/ezM2b47M83wwQJyowFiPTPSH35n nRpHkINYwzuzcU+mCa6/GH+O5g5fRMWaiW3i+dZy0kDu73oJFE/buBYipx4OAga+MhmI QX+vSnO2p8zhOY/18906YijeXKB0wEGpaT/7QoIjtkBMwIkpLVC8h7V3T2U3HpqFOUf3 IB6A==
X-Gm-Message-State: AOAM532PBiDW+OqFGCfiFKd3Vnd8yylDozoDzltsGr2mUaMPOQpn2xH/ yDTeYCRGgmIeA7M591xFgC9QQrTa8IVBfoTgSmuyF18rpbk6nA==
X-Google-Smtp-Source: ABdhPJz3UtBjOs+VJJAMBK2MOktdirs70JDo5j6LI4jrbfx054PcjOLPIqVI+kU+2yEUGPiM33tpOSjt7ihh4HkIn5k=
X-Received: by 2002:ac2:518c:: with SMTP id u12mr10252766lfi.355.1613430461609; Mon, 15 Feb 2021 15:07:41 -0800 (PST)
MIME-Version: 1.0
References: <230F580F-BA87-4921-B45B-2909ACE385B1@icann.org> <CABcZeBPcBT0UY-ghaMm_nN+qZ+B0ozmCfK30XX-R05z+PLtqmQ@mail.gmail.com> <137b74ff-887f-056a-74e3-7a80358b5156@cs.tcd.ie> <CABcZeBMyULUznkCVzxb6ufCx1XaT1zKx0jLLwxXhL7hRwMkv+A@mail.gmail.com> <8C353BC1-09A0-4D5C-B018-9F71CF96C9E8@icann.org>
In-Reply-To: <8C353BC1-09A0-4D5C-B018-9F71CF96C9E8@icann.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 15 Feb 2021 15:07:05 -0800
Message-ID: <CABcZeBPHgSrk3Xp47XVBP=u9Bdd_=6q_x=Vm_LcHg=DJKtS6Nw@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "dprive@ietf.org" <dprive@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088c44105bb680d70"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jKt-gnb0C2wr0_JgUhhJ1f8R27A>
Subject: Re: [dns-privacy] [Ext] Authentication in draft-ietf-dprive-opportunistic-adotq
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 23:07:45 -0000

On Mon, Feb 15, 2021 at 2:59 PM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Feb 15, 2021, at 2:49 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> > The reason we have WGs is to work out such matters in detail, no? And in
> particular, I think the WG should try to figure out the problem space
> before designing.
>
> Yes, please.
>
> > However, it seems like there's a relatively obvious strawman proposal
> here:
> >
> > - We invent some mechanism that allows you to specify in an NS record
> that the server takes TLS (as a hacky example, "servers have to be named
> <some-sentinel>.example.com").
> > - Servers are authenticated via the WebPKI, with the name as listed
> above.
>
> That addresses just one part of the problem space, the authentication of
> the authoritative server. Another part, which people have brought up a few
> times, is discovery (which is part of the first of those proposals, but not
> the second).


Yes, I agree there are two problems. This is one proposal in two pieces,
one for each problem.


Yet another is how a client of the resolver would determine if a lookup
> error means "the name doesn't exist" or "the name exists but the resolver
> was not able to get an authenticated answer".
>

I agree this has to be solved somehow, but I'm not really following why
it's that complicated. I'm not any kind of DNS expert, but I assume we can
invent a suitable error (SERVFAIL + extended error perhaps?).


> I'm sure there are plenty of things that people won't like about this
> (e.g., I imagine that some people would like to use DNSSEC), and the signal
> I just invented is gross. Maybe in the process of deciding what people
> don't like about this, we can understand the problem space better.
>
> The biggest one: which group of Internet users would want to use a
> resolver that will refuse to give useful answers if the answers aren't
> authenticated? Without understanding those users (as compared to a few
> people who would want to set up such a resolver), we can't evaluate such a
> design.
>

I'm not sure I follow. There are two situations here:

1. The server ostensibly offers DoX but I couldn't connect.
2. The server doesn't offer DoX at all.

In case (2) I would expect the resolver to proceed as normal. I.e., you
would get an answer. In case (1) I would expect it to return an error (see
above). I'm not aware of any particular reason to expect that users would
find these behaviors objectionable. After all, we already had a transition
in which the recursives decided to DNSSEC enforcement and that seems to
have gone reasonably OK.

-Ekr

v2.23.0 | Report a Bug | By Email