Re: [dns-privacy] Call for adoption: draft-vandijk-dprive-ds-dot-signal-and-pin
Ben Schwartz <bemasc@google.com> Mon, 10 August 2020 14:08 UTC
References: <4b3271ee-e796-3102-1ead-d1f9a3137514@innovationslab.net>
In-Reply-To: <4b3271ee-e796-3102-1ead-d1f9a3137514@innovationslab.net>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 10 Aug 2020 10:07:53 -0400
Message-ID: <CAHbrMsCvbxi0q7X5TGkDq_kOVPecVYhYm4VF6UD75U=tKsiyGg@mail.gmail.com>
To: Brian Haberman <brian@innovationslab.net>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jnmYeTbixMJklHVHlKteqhkNLQE>
I do not support adopting this draft as-is. I think this construction is very clever, and points us in the right direction for authentication, but it's extremely inflexible in regard to the transport protocol and key updates. As the draft notes, "a change in TLS keys on an auth may require DS updates for thousands or even hundreds of thousands of domains", which may not be under the administrative control of the authoritative server operator. This seems likely to make key rotation effectively impossible in many potential deployments, as rotation cannot occur until _all_ customers have updated their zones.

This draft could be suitable for "experimental" status, but for a "standards track" document I think we should start with a design that addresses these problems.

On Mon, Aug 10, 2020 at 7:44 AM Brian Haberman <brian@innovationslab.net> wrote:

> Hi all,
> During the DPRIVE session at IETF108, we discussed adopting
>
> https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/
>
> and the results were inconclusive. The chairs would like to start a
> 2-week call for adoption to determine the WG's interest in this work.
>
> Please respond to the mailing list with your view (positive or
> negative) and supporting rationale on adopting the draft. This WGLC will
> end on 2020-08-24 at 23:59 UTC.
>
> Regards,
> Brian & Tim
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
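As an added illustration of the rotation constraint raised in this message (example code written here, not from the message, the draft, or any implementation): a pre-rotation readiness check over constructed customer-zone pin sets, showing that the old key can only be retired once every delegated zone publishes the new pin. It assumes a pin is simply the hex SHA-256 of the key blob, a stand-in for the draft's actual DS encoding, and `OLD_KEY`/`NEW_KEY` are constructed placeholders.

```python
import hashlib

# Constructed placeholders for the authoritative server's current and
# candidate TLS public keys (not real keys; any byte strings work here).
OLD_KEY = b"constructed-old-auth-tls-key"
NEW_KEY = b"constructed-new-auth-tls-key"


def pin_for_key(key_blob: bytes) -> str:
    """Model of a DS-style pin: hex SHA-256 of the key blob.
    Assumption: the draft's real digest type and wire format are not
    reproduced; only the 'one digest per key' property matters here."""
    return hashlib.sha256(key_blob).hexdigest()


def sample_zone_pins() -> dict:
    """Constructed delegation data: the pins each customer zone currently
    publishes for this auth. Two customers already carry the new pin
    (dual-pinned during the transition); one has not updated yet."""
    old, new = pin_for_key(OLD_KEY), pin_for_key(NEW_KEY)
    return {
        "example.com": {old, new},
        "example.net": {old, new},
        "example.org": {old},  # lagging customer zone, outside operator control
    }


def rotation_readiness(zone_pins: dict, new_key: bytes) -> dict:
    """List the zones that do not yet pin new_key. The operator may only
    stop presenting the old key once this list is empty, because any
    remaining zone would fail to authenticate the rotated server."""
    new_pin = pin_for_key(new_key)
    missing = sorted(z for z, pins in zone_pins.items() if new_pin not in pins)
    return {"new_pin": new_pin, "missing": missing, "ready": not missing}


def stale_pins(zone_pins: dict, retired_key: bytes) -> list:
    """After the old key is retired, zones still carrying its pin need a
    cleanup DS update; report them so the operator can chase each one."""
    old_pin = pin_for_key(retired_key)
    return sorted(z for z, pins in zone_pins.items() if old_pin in pins)


if __name__ == "__main__":
    zones = sample_zone_pins()
    print(rotation_readiness(zones, NEW_KEY))  # not ready: example.org lags
    zones["example.org"].add(pin_for_key(NEW_KEY))
    print(rotation_readiness(zones, NEW_KEY))  # ready once every zone updated
```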