Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Paul Wouters <paul@nohats.ca> Fri, 29 May 2020 04:01 UTC

Date: Fri, 29 May 2020 00:01:40 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
cc: DNS Privacy Working Group <dns-privacy@ietf.org>, Eric Rescorla <ekr@rtfm.com>, Shumon Huque <shuque@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jyZrXTLPu79Tfp-ZcTVA3tHGMzc>

On Thu, 28 May 2020, Ben Schwartz wrote:

> Using tls-dnssec-chain would save a roundtrip.  So would putting an SPKI pin along with "ns0.nohats.ca" in the DS
> record.  I think both are reasonable optimizations, and should be optional*.

You suggest a hack on top of a hack, to save 1 RTT for a record that
should have a TTL of 4h to 2d (based on parent/child TTL of NS records).
This would be on resolvers that presumably resolve many domains, multiple
on the same nameserver. So policies for "how long to keep the DoT
connection idle/open" will affect performance a lot more than this 1
RTT.

> *: To be precise, I think publishing an SPKI pin should be optional, but using it (if present) should be mandatory,
> so that an authoritative server can include a pin if it can't resolve its own name, as Petr described.

I think this issue requires more discussion...

Paul
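A toy model of the trade-off Paul describes, added here as an example and not part of the thread: it counts the extra round trips a resolver pays for re-fetching the cached DS/pin data when its TTL expires against those for re-opening a DoT connection that an idle timeout closed. The query workload, the 4h TTL and the idle timeouts are constructed assumptions, and each refetch or TLS handshake is counted as one RTT.

```python
"""Toy cost model: DS/pin record refetches vs. DoT reconnects (constructed)."""


def extra_rtts(query_times, record_ttl, idle_timeout):
    """Return (record_lookups, dot_handshakes) for a sorted list of query
    timestamps (seconds) sent to one authoritative DoT server.

    record_ttl:   seconds the DS/pin data stays cached (e.g. 4h to 2d)
    idle_timeout: seconds the resolver keeps an idle DoT connection open
    """
    lookups = handshakes = 0
    record_expires = -1.0     # cache empty at start
    conn_open_until = -1.0    # no connection at start
    for t in query_times:
        if t >= record_expires:          # cached DS/pin data has expired
            lookups += 1
            record_expires = t + record_ttl
        if t >= conn_open_until:         # idle timer already closed the connection
            handshakes += 1
        conn_open_until = t + idle_timeout   # every query resets the idle timer
    return lookups, handshakes


def compare(idle_timeouts, period=2 * 86400, interval=30, record_ttl=4 * 3600):
    """Constructed workload: one query every `interval` seconds for `period`
    seconds (default: every 30 s for two days, with a 4h record TTL).
    Returns {idle_timeout: (record_lookups, dot_handshakes)}."""
    times = [i * interval for i in range(period // interval)]
    return {it: extra_rtts(times, record_ttl, it) for it in idle_timeouts}


if __name__ == "__main__":
    # With a 10 s idle timeout every query pays a handshake; the record
    # refetch cost stays at a dozen RTTs over two days regardless.
    for it, (lookups, handshakes) in compare([10, 60, 600]).items():
        print(f"idle_timeout={it:4d}s  record refetches={lookups:3d}  "
              f"DoT handshakes={handshakes}")
```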