Re: [dns-privacy] Call for adoption: draft-vandijk-dprive-ds-dot-signal-and-pin

Ben Schwartz <> Mon, 10 August 2020 14:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5B2B83A0BD0 for <>; Mon, 10 Aug 2020 07:08:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZodANoVfjxp3 for <>; Mon, 10 Aug 2020 07:08:07 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7E5A23A159A for <>; Mon, 10 Aug 2020 07:08:07 -0700 (PDT)
Received: by with SMTP id 3so8509540wmi.1 for <>; Mon, 10 Aug 2020 07:08:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0WhEklrmKPUAKXrd0TVc9Lmd41v2ykfvRRNUzLGB6f8=; b=XLA8woxYuAw60H62gpMf+vgXkO+/ZKdVwF7dtemO2NfpyFFsgJ1CxIURX4H4nA2r12 6EZGeaeMkPUFwNb1HaDuaJFHwY5E4Rvcq6VAut54t8dmKlbFY+mOiE3dYT9sh1i//7SI k4IT5RDLPcyBSC4fYubaQLDNVcUaJL6/B8ihDTqwP1zYhNULAFBDMGBbBtfG0TSRcB+a pT9POOlCzaigYCDMrurlinD9RysuF/oucr3QOF7vnthu/iEpLu5QS5kvKnj/0AIedxJv HxyI5+A266uLiIZbJ2O8ewApxaCNVdpJyeb4p0tsr7lPwGniRMpqnP8+IX5O9HU4oC32 e6+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0WhEklrmKPUAKXrd0TVc9Lmd41v2ykfvRRNUzLGB6f8=; b=ZKDbWymOvUbc8YKXzFl5EJmBT4T8wkCA8Ku3+g8HB34gmN7KwRZXjgeZL7rOqao9nK 85fuLr1BKTywVQz22sYYhBTtUT4Gljb1gwthkR3MS39swRTywwbx3rB+s+JKTZI8iYHH piVD8XLnu4gX4uS1Jsdh1mXfN5gC/5vG0/Jm0P2N47c2P4m7cG4PNstE9qoys6xYF3Cx CF21sQxKlT/qYv9nTsargw5bEi5kHJa7Es9oDC3Jj4Mdl+j29ybOhZRYQOljjsmJLGuh ssDn3BIRC2qEF1+tZJx7kM5TER3JCnZe6xkrNm2U380VGG+PzwkTDjqRYKOej7o4kWt6 h7Eg==
X-Gm-Message-State: AOAM533rAJGOY1VDP0JmeM5AoFfNVBoqUJbgoZxrai4pvqB/58brJ6Jb 3grD809c2/Js/VuspkOWRGhE1nBDIx6MFCECE/nrirMNo1g=
X-Google-Smtp-Source: ABdhPJzgh9aLvCCcWubNRVgpsoUYtu4UWOZGhU68T3s2vIpntIjMAey3jPKshxl3QAzSzbcj6JZ+hrDM4KzfOLMSZP8=
X-Received: by 2002:a1c:7918:: with SMTP id l24mr24436178wme.132.1597068485691; Mon, 10 Aug 2020 07:08:05 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Ben Schwartz <>
Date: Mon, 10 Aug 2020 10:07:53 -0400
Message-ID: <>
To: Brian Haberman <>
Cc: "" <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000cbcc1505ac867bcb"
Archived-At: <>
Subject: Re: [dns-privacy] Call for adoption: draft-vandijk-dprive-ds-dot-signal-and-pin
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Aug 2020 14:08:09 -0000

I do not support adopting this draft as-is.  I think this construction is
very clever, and points us in the right direction for authentication, but
it's extremely inflexible in regard to the transport protocol and key
updates.  As the draft notes, "a change in TLS keys on an auth may require
DS updates for thousands or even hundreds of thousands of domains", which
may not be under the administrative control of the authoritative server
operator.  This seems likely to make key rotation effectively impossible in
many potential deployments, as rotation cannot occur until _all_ customers
have updated their zones.

This draft could be suitable for "experimental" status, but for a
"standards track" document I think we should start with a design that
addresses these problems.

On Mon, Aug 10, 2020 at 7:44 AM Brian Haberman <>

> Hi all,
>      During the DPRIVE session at IETF108, we discussed adopting
> and the results were inconclusive. The chairs would like to start a
> 2-week call for adoption to determine the WG's interest in this work.
>      Please respond to the mailing list with your view (positive or
> negative) and supporting rationale on adopting the draft. This WGLC will
> end on 2020-08-24 at 23:59 UTC.
> Regards,
> Brian & Tim
> _______________________________________________
> dns-privacy mailing list