Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq

"Hollenbeck, Scott" <shollenbeck@verisign.com> Tue, 16 February 2021 17:36 UTC

From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "bemasc=40google.com@dmarc.ietf.org" <bemasc=40google.com@dmarc.ietf.org>, "paul@nohats.ca" <paul@nohats.ca>
CC: "paul.hoffman@icann.org" <paul.hoffman@icann.org>, "dprive@ietf.org" <dprive@ietf.org>
Date: Tue, 16 Feb 2021 17:35:57 +0000
Message-ID: <678895872faf4e2eb5741e5bb5b91489@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/s0JcCnbHZvCx5z5YL39c_XkU9Kc>
Subject: Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq

From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Ben Schwartz
Sent: Tuesday, February 16, 2021 12:01 PM
To: Paul Wouters <paul@nohats.ca>
Cc: Paul Hoffman <paul.hoffman@icann.org>; dprive@ietf.org
Subject: [EXTERNAL] Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq

   [SAH] [snip]

   I think the scary part is that an authenticated TLS failure (due to misconfiguration, bug, overload, or rollback) results in an outage.  draft-ietf-dprive-opportunistic-adotq never results in an outage; you just fall back to cleartext and pay a small latency penalty.

   [SAH] It’s more than that. TLS adds complexity, complexity adds fragility, and fragility leads to outages or compromises. NIST’s National Vulnerability Database (https://nvd.nist.gov/) lists 950 TLS vulnerabilities since 1999, and 347 in the past three years. Authoritative name servers that don’t implement TLS don’t have to worry about any of them. Add TLS, and now we do. I do agree with what you said above about just falling back to cleartext in case TLS doesn’t “work” for some reason. A TLS failure MUST NOT have an impact on availability.

   Scott
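Added example, not code from this thread or from draft-ietf-dprive-opportunistic-adotq: a small Python model of the two resolver policies the message contrasts, authenticated-only TLS versus opportunistic TLS with cleartext fallback, run against constructed server outcomes. The server names ns1..ns4.example, the zone record, and the per-server memory of failed TLS attempts are assumptions for the illustration, not something the draft or the thread specifies.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed simulation of what a resolver sees when it opens TLS to each
# authoritative server (hypothetical names; no real host is contacted).
class TlsOutcome(Enum):
    OK = "ok"
    AUTH_FAILED = "auth_failed"          # certificate does not validate (misconfig, rollback)
    HANDSHAKE_ERROR = "handshake_error"  # implementation bug or protocol error
    TIMEOUT = "timeout"                  # overload, or the TLS port is filtered

SERVERS = {
    "ns1.example": TlsOutcome.OK,
    "ns2.example": TlsOutcome.AUTH_FAILED,
    "ns3.example": TlsOutcome.TIMEOUT,
    "ns4.example": TlsOutcome.HANDSHAKE_ERROR,
}
ZONE = {"www.example": "192.0.2.10"}  # constructed answer data (TEST-NET address)

class TlsFailure(Exception):
    def __init__(self, outcome: TlsOutcome):
        super().__init__(outcome.value)
        self.outcome = outcome

@dataclass
class Answer:
    rdata: str
    transport: str   # "tls" or "cleartext"
    extra_rtt: int   # round trips spent on a TLS attempt that did not succeed

def tls_query(server: str, name: str) -> str:
    outcome = SERVERS[server]
    if outcome is not TlsOutcome.OK:
        raise TlsFailure(outcome)  # every failure class surfaces the same way
    return ZONE[name]

def cleartext_query(server: str, name: str) -> str:
    return ZONE[name]  # classic Do53 path, always available in this model

def strict_query(server: str, name: str) -> Answer:
    """Authenticated-only policy: any TLS failure is a resolution failure (SERVFAIL)."""
    return Answer(tls_query(server, name), "tls", 0)

def opportunistic_query(server: str, name: str, known_bad: dict) -> Answer:
    """Opportunistic policy: try TLS, fall back to cleartext on any failure.
    known_bad is an assumed per-server memory so the latency penalty is paid once."""
    if server in known_bad:
        return Answer(cleartext_query(server, name), "cleartext", 0)
    try:
        return Answer(tls_query(server, name), "tls", 0)
    except TlsFailure as failure:
        known_bad[server] = failure.outcome  # record why, for operator visibility
        return Answer(cleartext_query(server, name), "cleartext", 1)
```

Running both policies over the four servers shows the availability difference the message describes: strict_query raises for ns2, ns3 and ns4, while opportunistic_query still returns the record, paying one extra round trip the first time and none afterwards.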