Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
Ben Schwartz <bemasc@google.com> Wed, 27 May 2020 01:27 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C34083A0CE1 for <dns-privacy@ietfa.amsl.com>; Tue, 26 May 2020 18:27:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCD1J8SOtxMq for <dns-privacy@ietfa.amsl.com>; Tue, 26 May 2020 18:27:47 -0700 (PDT)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4C563A0CDA for <dns-privacy@ietf.org>; Tue, 26 May 2020 18:27:46 -0700 (PDT)
Received: by mail-wm1-x32e.google.com with SMTP id f5so1463114wmh.2 for <dns-privacy@ietf.org>; Tue, 26 May 2020 18:27:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g1kHwhBEPo3mvPXi1o3m8roeg0J6OM1zTlySjWIcN2o=; b=swAAlH17r2CoBGBy/59vWf/Eq1Ys0O1KSQa6oXIISB6IAr4oTGo8Y+FHnhZX7UiRSi L065o+eemSyZbAKk2mnURBrKEyYCJatqtwhbL8apeuqd9FrC5lFAAQ5t+VkU67hHy4WF M3e7KsYZDhkkWqyFJSWuxGAj1l/PaazDObe7yUu+8XN+iN2QvmfM614xSIOxu81KCMHc 6nbo8NTHRywYmDZp6flQRJ003iiOtk3jo/9gMVdpHPx82T/Mt7hrosaPqlXRqIzlC+G4 UWMoGlPxSxEGWfZSHrj7fOblYuHj3V0RazF+3CxunQncGKbYeBV6Q6bM9a+CoksIGn/x Wcqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g1kHwhBEPo3mvPXi1o3m8roeg0J6OM1zTlySjWIcN2o=; b=NUEnsu02Rg02xGphP3jFtKQDTRNuk6ureVsOtrDIWBaq004YzK63HxFRx9Cp/+wfMj REEQ8M4g38fNKd1QY/Wx1fCgZwCFBkuNWtc5ejDBj6XEG3RLNUF7y6O1I51xod765Ren PA9H6/RnL58gFR1ySFmndRKM/wzBQn2x5jaUOSAvJ5jCo8HEPvyXt/3f6CxnZUVJL7eu gDcgvy1zOHwN7fX2LTwf/pFAnABkhz1ch8BMlnO6ZJlnUJ2iuzwSn5i2yn/wjqMeWQnb Y980lHjWqw2nXrxQ9Rvod5lziv/uLBnPsQgkS1VBxFMUZzQmV68SVfaeTcOsj2ZWTifc Enfg==
X-Gm-Message-State: AOAM5335uqlFSLVT6M+szb6oI3JCRFvSnmIgQFtGyDLt/6veSIyOScgR Mf4faPMZhpgTiJ6r1y9ZXDxFyNoAhH8yTDWV4W5icw==
X-Google-Smtp-Source: ABdhPJzHolsLK0xj84pqYuXafkoSVgenHna3zAmIaTuJZA6cLi2VSgtJOmbMJ/eZWil3uEx+7JScL9mfntL7mbm9dVg=
X-Received: by 2002:a05:600c:2147:: with SMTP id v7mr1740893wml.101.1590542864959; Tue, 26 May 2020 18:27:44 -0700 (PDT)
MIME-Version: 1.0
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca> <77f7a9c38c6bd0a059679a7ab3027b4da9005512.camel@powerdns.com> <alpine.LRH.2.21.2005241710490.10453@bofh.nohats.ca> <5653e4dd2ab6daa648387808a3ac04e088bbc89b.camel@powerdns.com>
In-Reply-To: <5653e4dd2ab6daa648387808a3ac04e088bbc89b.camel@powerdns.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 26 May 2020 21:27:33 -0400
Message-ID: <CAHbrMsDKQqfnoty+cRa5bJ=zVkONYTbFf-=8hzAj0E7pWeFXug@mail.gmail.com>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: dns-privacy@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000007f2b8e05a6971e91"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/u0tx1kQrSuW_M1vPbJcGXtX5nwU>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 01:27:49 -0000
I like the idea of signalling DoT support in the DS record, but I worry a bit about putting the SPKI fingerprint in the DS as well. Having to update the parent zone whenever the TLSA key needs to be rotated seems cumbersome and fragile, especially if the nameserver is operated by a third party. DoT authoritatives would need to keep both the old and new certificates on hand during the transition, and DoT recursives would need some way to signal in the ClientHello which one they are expecting. This is pretty far from how TLS normally works. I wonder if you considered using draft-ietf-tls-dnssec-chain-extension instead? That would provide the same security and performance, using less volatile information in the parent. Specifically, I think that the DS record would have to convey one bit ("DoT enabled") plus the name of the nameserver (which should probably match the NS record). That seems preferable to me. On Tue, May 26, 2020 at 5:13 PM Peter van Dijk <peter.van.dijk@powerdns.com> wrote: > On Sun, 2020-05-24 at 17:36 -0400, Paul Wouters wrote: > > I thought using keytag 0, which cannot happen normally, would allow > > you to leave algorithm and other values more real. > > This comment made me curious. Why would that be true? So I generated > 524726 keys equally split between algorithms 8, 13, and 15. > > The result: 2 algo 13 keys with tag 0, 7 algo 15 keys with tag 0. I've > pasted them at > https://gist.github.com/Habbie/feb0bf288ea1137bee5a2c3d8913ba7f (happy > to provide the related private keys if anybody cares). > > None for RSA, though, which I bet was predicted in the work behind > > https://indico.dns-oarc.net/event/22/contributions/315/attachments/316/555/Quest_for_the_missing_keytags.pdf > and > https://ripe78.ripe.net/presentations/5-20190520-RIPE-78-DNS-wg-Keytags.pdf > > Kind regards, > -- > Peter van Dijk > PowerDNS.COM BV - https://www.powerdns.com/ > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] [Fwd: New Version Notification for … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Mikael Abrahamsson
- Re: [dns-privacy] [Fwd: New Version Notification … Jeremy Harris
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ondřej Surý
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Stephen Farrell
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Shumon Huque
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- [dns-privacy] re-evaluation of the draft, was Re:… Paul Wouters
- Re: [dns-privacy] re-evaluation of the draft, was… Robin Geuze
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … John Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Christian Huitema
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … John R Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John Levine
- Re: [dns-privacy] bootstrapping NS names, was re-… Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John R Levine