Re: [dns-privacy] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features

Paul Wouters <paul@nohats.ca> Tue, 25 May 2021 21:28 UTC

From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Tue, 25 May 2021 17:28:13 -0400
Message-Id: <21CD5432-D523-4316-A5D0-E5ECA4D84F7E@nohats.ca>
References: <CADyWQ+E9jpV0BwMsaS8=vNbs7x87d4qqGbKQevj8MVGCLGyv5w@mail.gmail.com>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CADyWQ+E9jpV0BwMsaS8=vNbs7x87d4qqGbKQevj8MVGCLGyv5w@mail.gmail.com>
To: Tim Wicinski <tjw.ietf@gmail.com>
X-Mailer: iPhone Mail (18E212)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/nhCfVZtXDfimRWIgcoXVZblRgic>
Subject: Re: [dns-privacy] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features

On May 25, 2021, at 17:16, Tim Wicinski <tjw.ietf@gmail.com> wrote:
> 
> 
> All
> 
> The authors took the advice from the working group and extracted the more common features
> into a separate document. The chairs would like the working group to give some comments, as
> we feel a document like this should be considered for adoption.

I had not responded on purpose. As indicated in the past, I find the gains of encrypting but not authenticating authoritative servers not very useful.

We have an existing authentication mechanism for authenticating authoritative servers (DNSSEC) that we should spend our energy on promoting, instead of writing more RFCs about securing the transport while leaving the transported data vulnerable to manipulation by an ever more centralized resolver farm.

Paul