IETF Logo Mail Archive

Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Ben Schwartz <bemasc@google.com> Wed, 27 May 2020 01:27 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C34083A0CE1 for <dns-privacy@ietfa.amsl.com>; Tue, 26 May 2020 18:27:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCD1J8SOtxMq for <dns-privacy@ietfa.amsl.com>; Tue, 26 May 2020 18:27:47 -0700 (PDT)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4C563A0CDA for <dns-privacy@ietf.org>; Tue, 26 May 2020 18:27:46 -0700 (PDT)
Received: by mail-wm1-x32e.google.com with SMTP id f5so1463114wmh.2 for <dns-privacy@ietf.org>; Tue, 26 May 2020 18:27:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g1kHwhBEPo3mvPXi1o3m8roeg0J6OM1zTlySjWIcN2o=; b=swAAlH17r2CoBGBy/59vWf/Eq1Ys0O1KSQa6oXIISB6IAr4oTGo8Y+FHnhZX7UiRSi L065o+eemSyZbAKk2mnURBrKEyYCJatqtwhbL8apeuqd9FrC5lFAAQ5t+VkU67hHy4WF M3e7KsYZDhkkWqyFJSWuxGAj1l/PaazDObe7yUu+8XN+iN2QvmfM614xSIOxu81KCMHc 6nbo8NTHRywYmDZp6flQRJ003iiOtk3jo/9gMVdpHPx82T/Mt7hrosaPqlXRqIzlC+G4 UWMoGlPxSxEGWfZSHrj7fOblYuHj3V0RazF+3CxunQncGKbYeBV6Q6bM9a+CoksIGn/x Wcqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g1kHwhBEPo3mvPXi1o3m8roeg0J6OM1zTlySjWIcN2o=; b=NUEnsu02Rg02xGphP3jFtKQDTRNuk6ureVsOtrDIWBaq004YzK63HxFRx9Cp/+wfMj REEQ8M4g38fNKd1QY/Wx1fCgZwCFBkuNWtc5ejDBj6XEG3RLNUF7y6O1I51xod765Ren PA9H6/RnL58gFR1ySFmndRKM/wzBQn2x5jaUOSAvJ5jCo8HEPvyXt/3f6CxnZUVJL7eu gDcgvy1zOHwN7fX2LTwf/pFAnABkhz1ch8BMlnO6ZJlnUJ2iuzwSn5i2yn/wjqMeWQnb Y980lHjWqw2nXrxQ9Rvod5lziv/uLBnPsQgkS1VBxFMUZzQmV68SVfaeTcOsj2ZWTifc Enfg==
X-Gm-Message-State: AOAM5335uqlFSLVT6M+szb6oI3JCRFvSnmIgQFtGyDLt/6veSIyOScgR Mf4faPMZhpgTiJ6r1y9ZXDxFyNoAhH8yTDWV4W5icw==
X-Google-Smtp-Source: ABdhPJzHolsLK0xj84pqYuXafkoSVgenHna3zAmIaTuJZA6cLi2VSgtJOmbMJ/eZWil3uEx+7JScL9mfntL7mbm9dVg=
X-Received: by 2002:a05:600c:2147:: with SMTP id v7mr1740893wml.101.1590542864959; Tue, 26 May 2020 18:27:44 -0700 (PDT)
MIME-Version: 1.0
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca> <77f7a9c38c6bd0a059679a7ab3027b4da9005512.camel@powerdns.com> <alpine.LRH.2.21.2005241710490.10453@bofh.nohats.ca> <5653e4dd2ab6daa648387808a3ac04e088bbc89b.camel@powerdns.com>
In-Reply-To: <5653e4dd2ab6daa648387808a3ac04e088bbc89b.camel@powerdns.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 26 May 2020 21:27:33 -0400
Message-ID: <CAHbrMsDKQqfnoty+cRa5bJ=zVkONYTbFf-=8hzAj0E7pWeFXug@mail.gmail.com>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: dns-privacy@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000007f2b8e05a6971e91"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/u0tx1kQrSuW_M1vPbJcGXtX5nwU>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 01:27:49 -0000

I like the idea of signalling DoT support in the DS record, but I worry a
bit about putting the SPKI fingerprint in the DS as well.  Having to update
the parent zone whenever the TLSA key needs to be rotated seems cumbersome
and fragile, especially if the nameserver is operated by a third party.
DoT authoritatives would need to keep both the old and new certificates on
hand during the transition, and DoT recursives would need some way to
signal in the ClientHello which one they are expecting.  This is pretty far
from how TLS normally works.

I wonder if you considered using draft-ietf-tls-dnssec-chain-extension
instead? That would provide the same security and performance, using less
volatile information in the parent.  Specifically, I think that the DS
record would have to convey one bit ("DoT enabled") plus the name of the
nameserver (which should probably match the NS record).  That seems
preferable to me.

On Tue, May 26, 2020 at 5:13 PM Peter van Dijk <peter.van.dijk@powerdns.com>
wrote:

> On Sun, 2020-05-24 at 17:36 -0400, Paul Wouters wrote:
> > I thought using keytag 0, which cannot happen normally, would allow
> > you to leave algorithm and other values more real.
>
> This comment made me curious. Why would that be true? So I generated
> 524726 keys equally split between algorithms 8, 13, and 15.
>
> The result: 2 algo 13 keys with tag 0, 7 algo 15 keys with tag 0. I've
> pasted them at
> https://gist.github.com/Habbie/feb0bf288ea1137bee5a2c3d8913ba7f (happy
> to provide the related private keys if anybody cares).
>
> None for RSA, though, which I bet was predicted in the work behind
>
> https://indico.dns-oarc.net/event/22/contributions/315/attachments/316/555/Quest_for_the_missing_keytags.pdf
> and
> https://ripe78.ripe.net/presentations/5-20190520-RIPE-78-DNS-wg-Keytags.pdf
>
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>

v2.23.0 | Report a Bug | By Email