Re: [dns-privacy] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features

Eric Rescorla <ekr@rtfm.com> Wed, 26 May 2021 00:09 UTC

References: <CADyWQ+E9jpV0BwMsaS8=vNbs7x87d4qqGbKQevj8MVGCLGyv5w@mail.gmail.com> <21CD5432-D523-4316-A5D0-E5ECA4D84F7E@nohats.ca>
In-Reply-To: <21CD5432-D523-4316-A5D0-E5ECA4D84F7E@nohats.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 25 May 2021 17:09:11 -0700
Message-ID: <CABcZeBM+zng4vTXwgTH328O-LPy9VLGPOrGK_UWtiXGQCYeZzw@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, DNS Privacy Working Group <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/pnyX8IUcWTVBXaTnQMyA1mT17y8>
Subject: Re: [dns-privacy] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features

On Tue, May 25, 2021 at 2:28 PM Paul Wouters <paul@nohats.ca> wrote:

> On May 25, 2021, at 17:16, Tim Wicinski <tjw.ietf@gmail.com> wrote:
> >
> > All
> >
> > The authors took the advice from the working group and extracted the
> > more common features into a separate document. The chairs would like
> > the working group to give some comments, as we feel a document like
> > this should be considered for adoption.
>
> I had not responded on purpose. As indicated in the past, I find the gains
> of encrypting but not authenticating authoritative servers not very useful.
>

I agree with this.

The fundamental question here is whether we want to build a mechanism for
authenticated ADoX or not; and if so, whether there are technical
mechanisms that make it possible/practical. I don't believe we have
consensus on this point (indeed, PaulW and I disagree on that), and so just
trying to pull out those mechanisms while avoiding this issue seems not
very productive.

-Ekr

> We have an existing authentication mechanism for authenticating
> authoritative servers (DNSSEC) that we should spend our energy on promoting
> instead of writing more RFCs about securing the transport leaving the
> transported data vulnerable to manipulation by an ever more centralized
> resolver farm.
>
> Paul