Re: [dns-privacy] Authenticating DoT nameservers for insecure delegations

manu tman <chantr4@gmail.com> Fri, 28 September 2018 16:49 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/wIX7SWVu3CwXnuJRH1REMk7JGQY>

On Fri, Sep 28, 2018 at 9:09 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On 28 Sep 2018, at 8:32, manu tman wrote:
>
> > I have been thinking of a way to authenticate DoT servers for delegations
> > that cannot be validated using DANE as described in Stephane’s draft
> > https://tools.ietf.org/html/draft-bortzmeyer-dprive-resolver-to-auth-01
> >
> > The idea is to leverage both DNSSEC and SPKI to authenticate a zone but by
> > relying on the parent to validate the public key. I have documented it at
> >
> > https://datatracker.ietf.org/doc/draft-bretelle-dprive-dot-for-insecure-delegations/
> >
> > Feedback is welcomed. Thanks
>

Thanks Paul,


>
> This approach (putting the SPKI in the parent) seems fine, as long as the
> parent is signed. If I read it correctly, it would not work securely if the
> parent is not signed, correct?
>

Correct, this should only work if the parent is able to sign its records
and can be validated, which is what I tried to convey in the document, but
I guess it would need to be clarified based on your feedback.


> Also, I disagree with the logic in Section 3.1 on using PKIX. Using PKIX
> certificates does not mean using the same CA structure as the web PKI, and
> trusting CAs for nameservers could be made a lot better than the current
> CABForum rules.
>

Fair enough. I can take that off, this was mostly illustrative more than
anything.

Manu


>
> --Paul Hoffman