Re: [dns-privacy] Call for adoption: draft-vandijk-dprive-ds-dot-signal-and-pin
Paul Wouters <paul@nohats.ca> Wed, 12 August 2020 01:43 UTC
Date: Tue, 11 Aug 2020 21:43:00 -0400
From: Paul Wouters <paul@nohats.ca>
To: Brian Haberman <brian@innovationslab.net>
cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <4b3271ee-e796-3102-1ead-d1f9a3137514@innovationslab.net>
Message-ID: <alpine.LRH.2.23.451.2008112138490.99493@bofh.nohats.ca>
References: <4b3271ee-e796-3102-1ead-d1f9a3137514@innovationslab.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/kXd9M_U49_0xUHQInJx07q77sxM>
On Mon, 10 Aug 2020, Brian Haberman wrote:

> Hi all,
>      During the DPRIVE session at IETF108, we discussed adopting
> https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/
> and the results were inconclusive. The chairs would like to start a
> 2-week call for adoption to determine the WG's interest in this work.
>
> Please respond to the mailing list with your view (positive or
> negative) and supporting rationale on adopting the draft. This WGLC will
> end on 2020-08-24 at 23:59 UTC.

I am against adoption for two reasons.

The draft as it currently is, requires that domain name owners and
nameserver hosting administrators synchronise their nameserver TLS keys.
This is impossible to do at scale. As I suggested, TLSA records on the
nameserver FQDNs avoid this problem.

Second, this method introduces a possible national MITM by the TLD being
able to put in TLD wide DS records that might be published against the
wishes of the children within the TLD. A protection mechanism via the
child confirming the parent record with a CDS record would address this
concern.

I truly wish the idea would work. And I still believe a DNSKEY bit on the
DNSKEY to signal encrypted DNS availability would be worth pursuing.

Paul
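The two alternatives the message above raises can both be checked mechanically, and the following is an added example of how (it is editor-supplied illustration code, not code from the draft, from the DPRIVE list, or from the author). The first function flags DS records published at a parent that the child's CDS set does not confirm, the "parent inserted a DS the child never asked for" case, including the RFC 8078 "0 0 0 00" delete sentinel; the second builds the DANE-EE TLSA record (RFC 6698 usage 3, selector 1, matching type 1) that would sit at the DoT port of a nameserver name. The nameserver name `ns1.example.net`, the DS/CDS digests and the Ed25519 SPKI bytes are all constructed sample data, not records from any real zone.

```python
"""DS-vs-CDS confirmation check and DANE-EE TLSA generation (added example).

Constructed sample data only: no real zone, key or nameserver is referenced.
"""
from __future__ import annotations

import hashlib
from typing import NamedTuple


class DSRecord(NamedTuple):
    """One DS or CDS rdata: key tag, DNSKEY algorithm, digest type, hex digest."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, whitespace removed


def parse_ds(rdata: str) -> DSRecord:
    """Parse presentation format '<keytag> <alg> <digesttype> <hexdigest>'.

    Zone files may split the digest over several whitespace-separated
    chunks and use either hex case; both are normalised here so that
    records compare by value, not by how they were typed.
    """
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"malformed DS/CDS rdata: {rdata!r}")
    key_tag, alg, dtype = (int(p) for p in parts[:3])
    return DSRecord(key_tag, alg, dtype, "".join(parts[3:]).lower())


# RFC 8078: a CDS of '0 0 0 00' asks the parent to remove every DS.
DELETE_SENTINEL = DSRecord(0, 0, 0, "00")


def unconfirmed_parent_ds(parent_ds: list[str], child_cds: list[str]) -> list[DSRecord]:
    """Return parent DS records that the child's CDS RRset does not confirm.

    An empty list means every DS at the parent is backed by the child.
    A non-empty list is the case the message warns about: the parent is
    publishing DS records the child did not ask for.
    """
    child = {parse_ds(r) for r in child_cds}
    parent = [parse_ds(r) for r in parent_ds]
    if DELETE_SENTINEL in child:
        # Child asked for all DS to go away: anything still published is unconfirmed.
        return parent
    return [ds for ds in parent if ds not in child]


def tlsa_3_1_1(spki_der: bytes) -> str:
    """DANE-EE TLSA rdata: usage 3, selector 1 (SPKI), matching type 1 (SHA-256)."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def tlsa_owner(ns_fqdn: str, port: int = 853) -> str:
    """Owner name for a TLSA record covering DoT (TCP/853) on a nameserver."""
    return f"_{port}._tcp.{ns_fqdn.rstrip('.')}."


# --- constructed sample input -------------------------------------------------
# Child publishes one CDS; parent publishes that DS plus one extra DS.
CHILD_CDS = ["12345 13 2 " + "aa" * 32]
PARENT_DS = ["12345 13 2 " + "AA" * 32, "60000 13 2 " + "33" * 32]

# SubjectPublicKeyInfo DER for an Ed25519 key: fixed 12-byte prefix followed by
# the 32 raw key bytes. The key bytes here are a constructed placeholder.
EXAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))


if __name__ == "__main__":
    for ds in unconfirmed_parent_ds(PARENT_DS, CHILD_CDS):
        print("parent DS not confirmed by child CDS:", ds)
    print(tlsa_owner("ns1.example.net"), "IN TLSA", tlsa_3_1_1(EXAMPLE_SPKI_DER))
```

Run as a script it reports the one DS (key tag 60000) the child never confirmed and prints the TLSA record a DoT client would validate against the nameserver's certificate; swap in a real DER SPKI to generate a record for your own nameserver.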