Re: [dns-privacy] [DNSOP] DNS stamps

Ted Lemon <mellon@fugue.com> Fri, 10 January 2020 18:03 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Fri, 10 Jan 2020 10:03:32 -0800
Cc: Vladimír Čunát <vladimir.cunat+ietf@NIC.CZ>, dns-privacy@ietf.org, dnsop@ietf.org
To: Dan Wing <danwing@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/uKaPpNZxbuvTkq9gD_H2C0tqO4w>
Subject: Re: [dns-privacy] [DNSOP] DNS stamps

On Jan 10, 2020, at 9:45 AM, Dan Wing <danwing@gmail.com> wrote:
> The signature could be retrieved and validated separately from the stamp itself.  For example, after getting the DNS stamp, retrieve a well-known DNS object (TXT, new RR, whatever) which is signed by the external entity.  That would keep the signature short and keep the problem away from the signature.  With that, DoH could obtain the signature from the TLS certificate itself, if we wanted, rather than by retrieving a (DNS) object

Sure, if the stamp had a validation process, that would address one of the issues I raised.   :)
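Added example (Go; not code from this thread or from any project it mentions): parse the DoH variant of a DNS stamp using the length-prefixed layout the DNSCrypt project's stamp specification describes, then check a signature retrieved out of band over the raw stamp bytes, which is the validation step Dan's reply sketches. The detached Ed25519 signature, the trusted key, and the SampleStamp value are assumptions; the thread fixes no signature scheme or retrieval method.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"strings"
)

// SampleStamp is a constructed DoH stamp (DNSSEC flag, 192.0.2.1, doh.example, /dns-query); it names no real resolver.
const SampleStamp = "sdns://AgEAAAAAAAAACTE5Mi4wLjIuMQALZG9oLmV4YW1wbGUKL2Rucy1xdWVyeQ"
// DoHStamp holds the fields of a DoH (type 0x02) stamp.
type DoHStamp struct {
	Props            uint64 // bit0 DNSSEC, bit1 no logs, bit2 no filtering
	Addr, Host, Path string
}
// ParseDoHStamp decodes an sdns:// URI; the raw bytes it also returns are the object an external signature would cover.
func ParseDoHStamp(uri string) (st DoHStamp, raw []byte, err error) {
	raw, err = base64.RawURLEncoding.DecodeString(strings.TrimPrefix(uri, "sdns://"))
	if !strings.HasPrefix(uri, "sdns://") || err != nil || len(raw) < 9 || raw[0] != 0x02 {
		return st, nil, errors.New("not a DoH stamp")
	}
	st.Props = binary.LittleEndian.Uint64(raw[1:9])
	pos := 9
	// lp reads one length-prefixed field; the flag (the length byte's high bit) means another list item follows.
	lp := func() (string, bool) {
		if err == nil && (pos >= len(raw) || pos+1+int(raw[pos]&0x7f) > len(raw)) {
			err = errors.New("malformed stamp: field overruns buffer")
		}
		if err != nil {
			return "", false
		}
		n, more := int(raw[pos]&0x7f), raw[pos]&0x80 != 0
		pos += 1 + n
		return string(raw[pos-n : pos]), more
	}
	st.Addr, _ = lp()
	for more := true; more; _, more = lp() { // skip the certificate-hash list (may be empty)
	}
	st.Host, _ = lp()
	st.Path, _ = lp()
	return st, raw, err
}

// VerifyStamp checks a detached Ed25519 signature over the raw stamp bytes with a trusted key (an assumed scheme; the thread fixes none).
func VerifyStamp(raw, sig []byte, pub ed25519.PublicKey) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, raw, sig)
}
```

Trailing bootstrap-IP data after the path is ignored, and a stamp is rejected on any field that runs past the decoded buffer.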