Re: [dns-privacy] DOTPIN, TLSA, and DiS

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Fri, 20 November 2020 21:00 UTC

To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: dprive@ietf.org
References: <196c57a1f39d73fdbf0e7ee0c597bec2bec94148.camel@powerdns.com> <a4e2f776-91b6-f825-03f9-8287e7b29509@nic.cz> <CAH1iCipHHUDp3RBO4zaYCpcqyx6GQcLxTW4Fj8-psFpYmYf81g@mail.gmail.com>
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Message-ID: <5b5f5380-9026-35ad-bc8a-efaa8fc025ea@nic.cz>
Date: Fri, 20 Nov 2020 22:00:36 +0100
In-Reply-To: <CAH1iCipHHUDp3RBO4zaYCpcqyx6GQcLxTW4Fj8-psFpYmYf81g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/rrms0I2iLz9wSJPoMAiJyEwZVa4>
Subject: Re: [dns-privacy] DOTPIN, TLSA, and DiS

On 11/20/20 9:14 PM, Brian Dickson wrote:
> So, using a new algorithm for whatever we do, should be 100% backward
> compatible.

Yes, it should be.  A few different proposals have been relying on that
already, for DS or DNSKEY.  It is possible that some validators still
have bugs around this, but hopefully they would be manageable.

For signers there's a possible caveat that a zone must be fully signed
by *all* the present DNSKEY algorithms, but my point of view is that
redefining that is relatively easy on deployment (as only zones wanting
the feature get affected).  See last paragraph of
https://tools.ietf.org/html/rfc4035#section-2.2


> I think we (the three of us and maybe Tony Finch, if not the whole DNS
> community) may be converging on a design that will, I believe, work.

So far I can't clearly see that direction of convergence, but I'll be
looking forward to such design proposals.

--Vladimir
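The signer-side caveat above (RFC 4035 section 2.2: every RRset must carry an RRSIG for every algorithm present in the DNSKEY RRset) and the validator side of the same question (RFC 6840 section 5.11: a validator accepts any single valid path and must not insist that every DNSKEY algorithm works) can be checked on a toy zone model. The following is an added example written for this page, not code from the thread or from any DNS implementation; it assumes a simplified representation in which only the algorithm numbers carried by DS, DNSKEY and RRSIG records are modelled, no real keys or signatures are verified, and algorithm number 250 is a placeholder for a hypothetical new algorithm of the kind the thread discusses.

```python
"""Toy model of the RFC 4035 s2.2 "sign with every DNSKEY algorithm"
rule on the signer side and of RFC 6840 s5.11 "any single valid path"
on the validator side.  Added example, not code from the thread.
Assumption: no real keys or signatures, only algorithm numbers."""
from typing import Dict, FrozenSet, List, Tuple

# Registered algorithm numbers used in the constructed samples.
RSASHA256 = 8
ECDSAP256SHA256 = 13
# Placeholder for a hypothetical new algorithm (assumption; not an
# assigned IANA number).
NEW_ALG_PLACEHOLDER = 250

# Zone model: "dnskey_algs" is the set of algorithms present in the
# DNSKEY RRset; "rrsets" maps each RRset name (including "DNSKEY"
# itself) to the set of algorithms its RRSIGs were produced with.
Zone = Dict[str, object]


def missing_signatures(zone: Zone,
                       exempt: FrozenSet[int] = frozenset()
                       ) -> List[Tuple[str, int]]:
    """Return (rrset_name, algorithm) pairs where an RRset lacks an
    RRSIG for an algorithm that is present in the DNSKEY RRset.

    An empty list means the zone satisfies RFC 4035 s2.2.  `exempt`
    models the relaxation proposed in the thread: algorithms a zone
    opts to publish a DNSKEY for without signing every RRset with them.
    """
    required = frozenset(zone["dnskey_algs"]) - exempt
    gaps: List[Tuple[str, int]] = []
    for name, sig_algs in sorted(zone["rrsets"].items()):
        for alg in sorted(required - frozenset(sig_algs)):
            gaps.append((name, alg))
    return gaps


def validator_outcome(ds_algs: FrozenSet[int],
                      dnskey_algs: FrozenSet[int],
                      rrsig_algs: FrozenSet[int],
                      supported: FrozenSet[int]) -> str:
    """Simplified validator decision for one RRset in a signed zone.

    - No DS algorithm is supported: RFC 4035 s5.2 says to treat the
      zone as if no DS existed, i.e. "insecure" (unsigned), not bogus.
    - Otherwise, one supported algorithm that is present in DS, DNSKEY
      and RRSIG is a complete path and yields "secure" (RFC 6840 s5.11:
      do not require every algorithm to work).
    - A supported DS algorithm exists but no path completes: "bogus".
    Real validators also check the signatures themselves; this model
    only reasons about algorithm presence.
    """
    usable_ds = ds_algs & supported
    if not usable_ds:
        return "insecure"
    if usable_ds & dnskey_algs & rrsig_algs:
        return "secure"
    return "bogus"


# Constructed sample zones (not real data).
ZONE_SINGLE_ALG: Zone = {
    "dnskey_algs": {ECDSAP256SHA256},
    "rrsets": {"DNSKEY": {ECDSAP256SHA256},
               "example.": {ECDSAP256SHA256},
               "www.example.": {ECDSAP256SHA256}},
}

# Same zone after adding a DNSKEY of the new algorithm but signing
# nothing with it; strict RFC 4035 s2.2 flags every RRset.
ZONE_NEW_KEY_ONLY: Zone = {
    "dnskey_algs": {ECDSAP256SHA256, NEW_ALG_PLACEHOLDER},
    "rrsets": {"DNSKEY": {ECDSAP256SHA256},
               "example.": {ECDSAP256SHA256},
               "www.example.": {ECDSAP256SHA256}},
}


if __name__ == "__main__":
    print("strict:", missing_signatures(ZONE_NEW_KEY_ONLY))
    print("relaxed:", missing_signatures(
        ZONE_NEW_KEY_ONLY, exempt=frozenset({NEW_ALG_PLACEHOLDER})))
    old = frozenset({RSASHA256, ECDSAP256SHA256})
    print("old validator:", validator_outcome(
        frozenset({ECDSAP256SHA256}),
        frozenset(ZONE_NEW_KEY_ONLY["dnskey_algs"]),
        frozenset({ECDSAP256SHA256}), old))
```

The strict check lists each RRset that is missing an RRSIG for the new algorithm, which is exactly the signer-side cost the message refers to; passing the new algorithm as `exempt` models the proposed redefinition, under which only zones that publish such a key are affected. The validator function shows why the redefinition is backward compatible from the resolver's side: an older validator that does not know the new algorithm still finds a complete path through the existing one and returns "secure", and a zone whose DS set carries only unsupported algorithms falls to "insecure" rather than "bogus".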