Re: [dns-privacy] Some additional signalling ideas
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 05 April 2019 12:12 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C2F9120405 for <dns-privacy@ietfa.amsl.com>; Fri, 5 Apr 2019 05:12:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19D7QhrO1257 for <dns-privacy@ietfa.amsl.com>; Fri, 5 Apr 2019 05:12:52 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 636711203FC for <dns-privacy@ietf.org>; Fri, 5 Apr 2019 05:12:52 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 404A2CE4D; Fri, 5 Apr 2019 15:12:49 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id mDPx0jqSH6DT; Fri, 5 Apr 2019 15:12:48 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 7FDD427B; Fri, 5 Apr 2019 15:12:46 +0300 (EEST)
Date: Fri, 05 Apr 2019 15:12:45 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: dns-privacy@ietf.org
Message-ID: <20190405121245.GA88903@LK-Perkele-VII>
References: <CACsn0ck-SNweieak5Fn7TOLLZTvsQNo6+w3nezxKuZPq0Z4QNA@mail.gmail.com> <20190331142202.GA2307@LK-Perkele-VII> <F7308B81-4FC5-4691-9AB2-5ECB00983258@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F7308B81-4FC5-4691-9AB2-5ECB00983258@powerdns.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/u3NK6j6t5xYoMqy5VjgWtz-8aB0>
Subject: Re: [dns-privacy] Some additional signalling ideas
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2019 12:12:55 -0000
On Fri, Apr 05, 2019 at 10:50:35AM +0200, Peter van Dijk wrote: > On 31 Mar 2019, at 16:22, Ilari Liusvaara wrote: > > > DS is signed, and has algorithm field. Supposedly unknown algorithms > > are ignored, but there are buggy nameservers out there that break if > > all DS entries have unknown algorithm. And turns out abusing DS > > records also runs into issues with "cloud" DNS provoders. > > Do you know of any name servers out there that have a problem with it, other > than Knot Resolver, 1.1.1.1 and 8.8.8.8? (who all should be fixed soonish) No. And yes, apparently 1.1.1.1 has problems with it. > > Adding another RRtype with needed magic properties would take Standards > > Action (as expert review requires RRtype not to be magic) and then > > updating parent nameservers to be able to deal with the RRtype (since > > it can not be generically handled). And trying to add extra fields to > > NS or DS is sure to cause horrible borkage. > > I think adding fields might be even more painful than adding a new type. > Neither seem feasible options to me. Yes, that sort of thing is not going to be feasible. > > Adding records at child side of cut has its own issues, namely that > > retroactive authentication can be annoying to implement, and it is > > more difficult to make the thing work without full DNSSEC chain > > (glue records, if parent supports that?). > > manu’s proposal explicitly targeted unsigned delegations, which I also think > is an important use case. > > Glue records are never signed. Well, one could get weak authentication if parent supports authenticated transport. The issue with retroactive authentication is that it is annoying to implement in way that is not trivially broken. But it is certainly possible to implement. So it is preferable if authentication credentials can be obtained either before starting handshake, or stapled into the handshake itself. -Ilari
- [dns-privacy] Some additional signalling ideas Watson Ladd
- Re: [dns-privacy] Some additional signalling ideas Ralf Weber
- Re: [dns-privacy] Some additional signalling ideas Ilari Liusvaara
- Re: [dns-privacy] Some additional signalling ideas Watson Ladd
- Re: [dns-privacy] Some additional signalling ideas Paul Wouters
- Re: [dns-privacy] Some additional signalling ideas Alexander Mayrhofer
- Re: [dns-privacy] Some additional signalling ideas Stephen Farrell
- Re: [dns-privacy] Some additional signalling ideas Alexander Mayrhofer
- Re: [dns-privacy] Some additional signalling ideas Tony Finch
- Re: [dns-privacy] Some additional signalling ideas Peter van Dijk
- Re: [dns-privacy] Some additional signalling ideas Ilari Liusvaara
- Re: [dns-privacy] Some additional signalling ideas Ralf Weber