Re: [dns-privacy] Call for adoption: draft-vandijk-dprive-ds-dot-signal-and-pin

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Wed, 12 August 2020 23:13 UTC

To: John Levine <johnl@taugh.com>, dns-privacy@ietf.org
References: <20200812183909.73D5C1E89013@ary.local>
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Message-ID: <3832c7bb-4902-e440-a937-cc4cba994957@nic.cz>
Date: Thu, 13 Aug 2020 01:13:08 +0200
In-Reply-To: <20200812183909.73D5C1E89013@ary.local>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/o2h3hA6P3vfrGihGI8mgdmgUtQQ>

On 8/12/20 8:39 PM, John Levine wrote:
>> I am against adoption for two reasons. The draft as it currently is,
>> requires that domain name owners and nameserver hosting administrators
>> synchronise their nameserver TLS keys.
> Why wouldn't you publish multiple DS records for multiple nameserver
> keys, like the draft says? We have multiple DS for multiple DNSKEYs.

Yes, they would.  Zones would surely publish their new DS in addition
to the old one, but you don't want to use the corresponding cert until
*all* of them have done so (+TTL).  Well, you could tell them that
unless they fail to do so by some deadline, the zones may get broken
because of this...
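As an added example (not code from the thread or from the draft), here is a small Python model of the constraint stated in the message above: a nameserver operator may start serving a certificate only after every delegating zone has published the matching pin, and then only once the pre-update DS set has aged out of caches (the zone's publication time plus its DS TTL). Zone names, pins and timestamps are constructed, and representing a pin as an opaque digest string is an assumption, not the draft's wire format.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class ZonePins:
    """Pins one delegating zone currently publishes for its nameserver."""
    name: str
    pins: FrozenSet[str]                    # digests published as DS-style records
    added_at: Dict[str, int] = field(default_factory=dict)  # pin -> unix time published
    ttl: int = 3600                         # TTL of the zone's DS RRset, seconds


def zones_blocking(zones: List[ZonePins], new_pin: str) -> List[str]:
    """Zones that have not yet published `new_pin`; non-empty means the
    operator must keep serving the old certificate (or chase these owners)."""
    return sorted(z.name for z in zones if new_pin not in z.pins)


def earliest_safe_switch(zones: List[ZonePins], new_pin: str) -> Optional[int]:
    """Earliest unix time at which serving a cert matching `new_pin` cannot
    break any listed zone, or None while some zone still lacks the pin.
    A resolver may cache a zone's pre-update DS set until
    added_at[new_pin] + ttl, so the maximum over all zones is the safe point."""
    if not zones or zones_blocking(zones, new_pin):
        return None
    return max(z.added_at[new_pin] + z.ttl for z in zones)


# Constructed sample data (assumption): three zones delegate to one nameserver,
# two have added the new pin, one still publishes only the old one.
SAMPLE_ZONES = [
    ZonePins("example.com.", frozenset({"pin-old", "pin-new"}),
             {"pin-old": 1_000_000, "pin-new": 1_600_000}, ttl=3600),
    ZonePins("example.net.", frozenset({"pin-old", "pin-new"}),
             {"pin-old": 1_000_000, "pin-new": 1_650_000}, ttl=86400),
    ZonePins("example.org.", frozenset({"pin-old"}),
             {"pin-old": 1_000_000}, ttl=3600),
]

if __name__ == "__main__":
    print("blocking:", zones_blocking(SAMPLE_ZONES, "pin-new"))
    print("safe at:", earliest_safe_switch(SAMPLE_ZONES, "pin-new"))
    ready = [z for z in SAMPLE_ZONES if z.name != "example.org."]
    print("safe at (without example.org.):", earliest_safe_switch(ready, "pin-new"))
```

The last line of output shows the "+TTL" part of the argument: even once every zone has added the pin, the switch waits for the longest-TTL zone's old DS set to expire.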