Re: [dns-privacy] [Ext] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features

Paul Hoffman <paul.hoffman@icann.org> Wed, 26 May 2021 00:07 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ED483A145F for <dns-privacy@ietfa.amsl.com>; Tue, 25 May 2021 17:07:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5jtA20AEsPWs for <dns-privacy@ietfa.amsl.com>; Tue, 25 May 2021 17:07:11 -0700 (PDT)
Received: from ppa3.lax.icann.org (ppa3.lax.icann.org [192.0.33.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F3D33A145D for <dns-privacy@ietf.org>; Tue, 25 May 2021 17:07:11 -0700 (PDT)
Received: from MBX112-W2-CO-2.pexch112.icann.org (out.mail.icann.org [64.78.33.6]) by ppa3.lax.icann.org (8.16.0.43/8.16.0.43) with ESMTPS id 14Q07Atl019637 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <dns-privacy@ietf.org>; Wed, 26 May 2021 00:07:10 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.12; Tue, 25 May 2021 17:07:09 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0858.012; Tue, 25 May 2021 17:07:09 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: DNS Privacy Working Group <dns-privacy@ietf.org>
Thread-Topic: [Ext] [dns-privacy] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features
Thread-Index: AQHXUcMREdo9tOBJNEG5xgcgb8VB3w==
Date: Wed, 26 May 2021 00:07:09 +0000
Message-ID: <85C4D0DE-B667-4EB2-8C10-DD8B91188F38@icann.org>
References: <CADyWQ+E9jpV0BwMsaS8=vNbs7x87d4qqGbKQevj8MVGCLGyv5w@mail.gmail.com> <21CD5432-D523-4316-A5D0-E5ECA4D84F7E@nohats.ca>
In-Reply-To: <21CD5432-D523-4316-A5D0-E5ECA4D84F7E@nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_4BDAF999-B8ED-4803-9531-8388D3060843"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-05-25_09:2021-05-25, 2021-05-25 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/s3RDtAwVPLIGx2UM2U5zMWLOneE>
Subject: Re: [dns-privacy] [Ext] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2021 00:07:16 -0000

On May 25, 2021, at 2:28 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> On May 25, 2021, at 17:16, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>> 
>> 
>> All
>> 
>> The authors took the advice from the working group and extracted the more common features 
>> into a separate document.   The chairs would like the working group to give some comments, as
>> we feel a document like this should be considered for adoption.
> 
> I had not responded on purpose. As indicated in the past, I find the gains of encrypting but not authenticating authoritative servers not very useful.
> 
> We have an existing authentication mechanism for authenticating authoritative servers (DNSSEC) that we should spend our energy on promoting instead of writing more RFCs about securing the transport leaving the transported data vulnerable to manipulation by an ever more centralized resolver farm.

The question from Tim was whether draft-pp-dprive-common-features should be adopted. I believe that there there is nothing in draft-pp-dprive-common-features that would prevent a protocol proposal such as PaulW has here (even though there is no draft for it). If I'm wrong, the -common-features draft should be amended to allow authenticating based on DNSSEC, since that seems like an obvious mechanism.

--Paul Hoffman