IETF Logo Mail Archive

Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Paul Wouters <paul@nohats.ca> Thu, 28 May 2020 16:08 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2DEF3A0FEC for <dns-privacy@ietfa.amsl.com>; Thu, 28 May 2020 09:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GGP7sk4rPKlI for <dns-privacy@ietfa.amsl.com>; Thu, 28 May 2020 09:08:10 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93E983A0FEB for <dns-privacy@ietf.org>; Thu, 28 May 2020 09:08:10 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 49Xt0868ltzLhM; Thu, 28 May 2020 18:08:08 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1590682088; bh=RzMidN0oh92qj9xwuB6czYHLJFvOLUld80pWFfHQH+8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=bXESgAnoilw3z5xrtyIjHbcBDtcw81eqH/u60dzIKZVMjObfeGAh+6FwtbBXD6cck P3qHvhFKbxVNcpyYTsjhg0UcwBxabysqOZtpR07XAj/iSLNPF6M3ksFZXqlKZ9uKy4 d7bH4HH0rIzHb1EYNzdD5PwopzXA7HhlYkg7Vg3s=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id ok3h-7l6ZaMy; Thu, 28 May 2020 18:08:07 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 28 May 2020 18:08:07 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 892596029B99; Thu, 28 May 2020 12:08:06 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 852BB66B7C; Thu, 28 May 2020 12:08:06 -0400 (EDT)
Date: Thu, 28 May 2020 12:08:06 -0400
From: Paul Wouters <paul@nohats.ca>
To: Petr Špaček <petr.spacek@nic.cz>
cc: dns-privacy@ietf.org
In-Reply-To: <7a3cf14a-2ecc-1cf8-5542-5f359f17df69@nic.cz>
Message-ID: <alpine.LRH.2.21.2005281159030.16648@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca> <77f7a9c38c6bd0a059679a7ab3027b4da9005512.camel@powerdns.com> <alpine.LRH.2.21.2005241710490.10453@bofh.nohats.ca> <5653e4dd2ab6daa648387808a3ac04e088bbc89b.camel@powerdns.com> <CAHbrMsDKQqfnoty+cRa5bJ=zVkONYTbFf-=8hzAj0E7pWeFXug@mail.gmail.com> <905a4ad6-1463-e340-77f1-0a6e75de0c18@nic.cz> <alpine.LRH.2.21.2005272151080.18445@bofh.nohats.ca> <7a3cf14a-2ecc-1cf8-5542-5f359f17df69@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/uzDCfAdDo2_dbiZ7oivnEFTRsQ4>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2020 16:08:13 -0000

On Thu, 28 May 2020, Petr Špaček wrote:

> Is there any indication that TLS libraries are going to implement this? (Unmerged patches do not count!)

I thought "indication" to implement would be uhm, unmerged patches?
Otherwise, it would be implemented already and you wouldn't need any
more indication?

> Having text in form of draft or RFC makes no difference if there are no widely available implementations... IMHO implementations should be done first before drafts become RFCs.

Aren't you an implementer? Are you working on this? If not, why not?

>>> - If I'm not mistaken authoritative servers implementing draft-ietf-tls-dnssec-chain-extension would need to add DNS resolver to refresh chain of records leading to TLSA records under their name:
>>
>> No. An external progam can update the blob and regularly rewrite it. The
>> DNS auth server can pick it up using inotify or something.
>
> You are effectively saying the same thing, just in other words.

No I am not. A dnssec-chain can be generated by one machine and
distributed to many auth nameservers. The auth nameservers themselves
do not need to do a single DNS recursive query.

> With your proposal auth server operators need to _also_ operate DNS resolver and tie it together with the auth server. That's very significant change from how authoritative servers are operated today.

That change is pretty minor compared to to including a whole TLS stack in
a DNS Auth server. Which btw, you could also do with a different program,
to minimize the traditional auth nameserver code.

Compared to hacking all code at nameservers and registries for mangling
and unmangled DNSKEY records, I think that is a very reasonable trade
of.

>>> b) Auth servers nowadays do not even know all their _names_ and do not care/need to know. How would we solve that?
>>
>> Whatever part talks TLS, knows the certificate it is using, and can pull
>> the SAN with FQDN from the certificate.
>
> Ok, hopefully there is not too much of them.

The whole point is that you point many domains to this nameserver, and
the TLS connection to the nameserver isn't configured with a different
cert per domain, or otherwise you might as well not offer any TLS
privacy to begin with. I really don't see the use case for this TLS
channel to have more than one TLS certificate chain to use.

Paul

v2.23.0 | Report a Bug | By Email