Re: [dns-privacy] Call for adoption: draft-vandijk-dprive-ds-dot-signal-and-pin

Paul Wouters <paul@nohats.ca> Wed, 12 August 2020 01:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/kXd9M_U49_0xUHQInJx07q77sxM>

On Mon, 10 Aug 2020, Brian Haberman wrote:

> Hi all,
>     During the DPRIVE session at IETF108, we discussed adopting
> https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/
> and the results were inconclusive. The chairs would like to start a
> 2-week call for adoption to determine the WG's interest in this work.
>
>     Please respond to the mailing list with your view (positive or
> negative) and supporting rationale on adopting the draft. This WGLC will
> end on 2020-08-24 at 23:59 UTC.

I am against adoption for two reasons. The draft, as it currently is,
requires that domain name owners and nameserver hosting administrators
synchronise their nameserver TLS keys. This is impossible to do at
scale. As I suggested, TLSA records on the nameserver FQDNs avoid
this problem.

Second, this method introduces a possible national MITM by the TLD being
able to put in TLD-wide DS records that might be published against the
wishes of the children within the TLD. A protection mechanism via the child
confirming the parent record with a CDS record would address this concern.

I truly wish the idea would work. And I still believe a DNSKEY bit on
the DNSKEY to signal encrypted DNS availability would be worth pursuing.

Paul
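The TLSA-on-nameserver-FQDN alternative mentioned above, as an added example that is not part of the original thread: the record is looked up under the nameserver's own name on the DoT port (RFC 6698 naming), so the nameserver operator publishes and rotates it without coordinating with every delegated domain owner. All names, certificate and key bytes below are constructed placeholders.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

DOT_PORT = 853  # DNS over TLS port, the transport the draft signals


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: match the presented end-entity certificate
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


def tlsa_owner_name(ns_fqdn: str, port: int = DOT_PORT) -> str:
    """Owner name of the TLSA record for a nameserver's DoT endpoint."""
    return f"_{port}._tcp.{ns_fqdn.rstrip('.')}."


def tlsa_rdata_for_spki(spki_der: bytes) -> str:
    """Presentation-format '3 1 1 <sha256>' record the operator publishes for its key."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 8f7d...'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def _assoc_data(cert_der: bytes, spki_der: bytes, rec: TLSA) -> bytes:
    """Derive the certificate association data the record must equal."""
    chosen = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return chosen
    if rec.mtype == 1:
        return hashlib.sha256(chosen).digest()
    if rec.mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unsupported matching type {rec.mtype}")


def dane_ee_match(cert_der: bytes, spki_der: bytes, records: list[TLSA]) -> bool:
    """True if any DANE-EE (usage 3) record matches the leaf cert the resolver was shown."""
    return any(r.usage == 3 and _assoc_data(cert_der, spki_der, r) == r.data for r in records)


# Constructed sample data (not a real key or certificate).
NS1_SPKI = b"constructed-spki-for-ns1.example.net"
NS1_CERT = b"constructed-cert-wrapping-" + NS1_SPKI
NS1_TLSA_RDATA = tlsa_rdata_for_spki(NS1_SPKI)
ROTATED_SPKI = b"constructed-spki-after-key-rotation"
```

During a key rollover the operator publishes both the old and the new record under the same owner name, so a resolver matches whichever key the server currently presents.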