Re: [dns-privacy] Authenticating DoT nameservers for insecure delegations

Paul Hoffman <paul.hoffman@icann.org> Fri, 28 September 2018 16:10 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: manu tman <chantr4@gmail.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Fri, 28 Sep 2018 16:09:55 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/t7eWYGD_TalfviHpArSm6Vuw0oA>

On 28 Sep 2018, at 8:32, manu tman wrote:

> I have been thinking of a way to authenticate DoT servers for delegations
> that cannot be validated using DANE as described in Stephane’s draft
> https://tools.ietf.org/html/draft-bortzmeyer-dprive-resolver-to-auth-01
>
> The idea is to leverage both DNSSEC and SPKI to authenticate a zone but by
> relying on the parent to validate the public key. I have documented it at
>
> https://datatracker.ietf.org/doc/draft-bretelle-dprive-dot-for-insecure-delegations/
>
> Feedback is welcomed. Thanks

This approach (putting the SPKI in the parent) seems fine, as long as the parent is signed. If I read it correctly, it would not work securely if the parent is not signed, correct?

Also, I disagree with the logic in Section 3.1 on using PKIX. Using PKIX certificates does not mean using the same CA structure as the web PKI, and trusting CAs for nameservers could be made a lot better than the current CABForum rules.

--Paul Hoffman