Re: [dns-privacy] [Ext] Possible use case: Opportunistic encryption for recursive to authoritative
Paul Hoffman <paul.hoffman@icann.org> Wed, 12 August 2020 16:00 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD1923A1384 for <dns-privacy@ietfa.amsl.com>; Wed, 12 Aug 2020 09:00:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qxX_FT0l3J2j for <dns-privacy@ietfa.amsl.com>; Wed, 12 Aug 2020 09:00:58 -0700 (PDT)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DE633A1383 for <dprive@ietf.org>; Wed, 12 Aug 2020 09:00:58 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa2.lax.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 07CG0vUj023050 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 12 Aug 2020 16:00:57 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.595.3; Wed, 12 Aug 2020 09:00:56 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0595.003; Wed, 12 Aug 2020 09:00:56 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
CC: "dprive@ietf.org" <dprive@ietf.org>
Thread-Topic: [Ext] [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative
Thread-Index: AQHWcMHDNX4qlEKCFU+WXt8QTIh29Q==
Date: Wed, 12 Aug 2020 16:00:56 +0000
Message-ID: <FBB6D3C4-652A-4F30-B5BC-B8C81F6597CA@icann.org>
References: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org> <1af4cf60-b63b-e139-88b5-4225d15d98f4@nic.cz>
In-Reply-To: <1af4cf60-b63b-e139-88b5-4225d15d98f4@nic.cz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_876E666D-CD8D-4AAC-98BF-92203F99C154"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-08-12_09:2020-08-11, 2020-08-12 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/spwuq_HjsPvoUzgM9CiHAv11Zf8>
Subject: Re: [dns-privacy] [Ext] Possible use case: Opportunistic encryption for recursive to authoritative
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2020 16:01:00 -0000
On Aug 12, 2020, at 5:44 AM, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote: > > On 8/6/20 4:59 PM, Paul Hoffman wrote: >> In this use case, a resolver operator says “I’m happy to use encryption with the authoritative servers if it doesn’t slow down getting answers by much”, and an authoritative server says “I’m happy to use encryption with the recursive resolvers if it doesn’t cost me much”. > > This motivation confuses me a bit, but perhaps it's just me. I'd expect > the extra performance costs to be quite close to authenticated > encryption, at least in principle. Yes, definitely. > And the extra privacy gain feels > relatively small in comparison. The privacy gain is preventing passive snoopers from being able to see the traffic. That seems important to some people, not to others. > In any case, there may be other common motivations for going > opportunistic. For example the fact that for years we don't seem to > really move towards consensus about how exactly the authentication could > be done, but that motivation would be incompatible with desires like > developing these two approaches together - and I must admit I'd really > like to minimize incompatibility among the future approaches (DoT and > DoH come into mind). That's exactly why the use case included: > • Other use cases for authentication stronger than opportunistic may appear and would co-exist with this one As folks with other use cases for authenticated (normal!) encryption clarify their use cases, nothing in the opportunistic use case should make their work any harder. --Paul Hoffman
- [dns-privacy] Possible use case: Opportunistic en… Paul Hoffman
- Re: [dns-privacy] Possible use case: Opportunisti… Ben Schwartz
- Re: [dns-privacy] [Ext] Possible use case: Opport… Paul Hoffman
- Re: [dns-privacy] Possible use case: Opportunisti… John R. Levine
- Re: [dns-privacy] Possible use case: Opportunisti… Tim Wicinski
- Re: [dns-privacy] Possible use case: Opportunisti… Puneet Sood
- Re: [dns-privacy] Possible use case: Opportunisti… Rob Sayre
- Re: [dns-privacy] Possible use case: Opportunisti… Puneet Sood
- Re: [dns-privacy] Possible use case: Opportunisti… Rob Sayre
- Re: [dns-privacy] Possible use case: Opportunisti… Manu Bretelle
- Re: [dns-privacy] Possible use case: Opportunisti… John Levine
- Re: [dns-privacy] Possible use case: Opportunisti… Rob Sayre
- Re: [dns-privacy] Possible use case: Opportunisti… Paul Wouters
- Re: [dns-privacy] Possible use case: Opportunisti… Brian Haberman
- Re: [dns-privacy] Possible use case: Opportunisti… Ask Bjørn Hansen
- Re: [dns-privacy] Possible use case: Opportunisti… Paul Ebersman
- Re: [dns-privacy] [Ext] Possible use case: Opport… Paul Hoffman
- Re: [dns-privacy] Possible use case: Opportunisti… Peter van Dijk
- Re: [dns-privacy] Possible use case: Opportunisti… Peter van Dijk
- Re: [dns-privacy] [Ext] Possible use case: Opport… Brian Haberman
- Re: [dns-privacy] Possible use case: Opportunisti… Tony Finch
- Re: [dns-privacy] Possible use case: Opportunisti… Paul Wouters
- [dns-privacy] TLSA for secure resolver-auth trans… Peter van Dijk
- Re: [dns-privacy] Possible use case: Opportunisti… Vladimír Čunát
- Re: [dns-privacy] [Ext] Possible use case: Opport… Paul Hoffman
- Re: [dns-privacy] TLSA for secure resolver-auth t… Ilari Liusvaara
- Re: [dns-privacy] TLSA for secure resolver-auth t… Paul Wouters
- Re: [dns-privacy] [Ext] TLSA for secure resolver-… Paul Hoffman
- Re: [dns-privacy] TLSA for secure resolver-auth t… Vladimír Čunát
- Re: [dns-privacy] TLSA for secure resolver-auth t… Paul Wouters
- Re: [dns-privacy] Possible use case: Opportunisti… Viktor Dukhovni
- Re: [dns-privacy] TLSA for secure resolver-auth t… Peter van Dijk