Re: [dns-privacy] how can we ADoT?
Peter van Dijk <peter.van.dijk@powerdns.com> Thu, 19 November 2020 12:17 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC8A33A0C9E for <dns-privacy@ietfa.amsl.com>; Thu, 19 Nov 2020 04:17:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QysCKexmcwhW for <dns-privacy@ietfa.amsl.com>; Thu, 19 Nov 2020 04:17:52 -0800 (PST)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67A773A0C99 for <dns-privacy@ietf.org>; Thu, 19 Nov 2020 04:17:52 -0800 (PST)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id 3D1076A2CF; Thu, 19 Nov 2020 13:17:50 +0100 (CET)
Received: from plato (84-81-54-175.fixed.kpn.net [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 1CAA73C0404; Thu, 19 Nov 2020 13:17:50 +0100 (CET)
Message-ID: <c80546ad48888c0bd4ba30e0866706686187927f.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dns-privacy@ietf.org
Date: Thu, 19 Nov 2020 13:17:47 +0100
In-Reply-To: <alpine.DEB.2.20.2011182233220.26481@grey.csi.cam.ac.uk>
References: <alpine.DEB.2.20.2011111856160.17264@grey.csi.cam.ac.uk> <68a48d20bc23da7e30b50639b74fe2ed48ddf6f6.camel@powerdns.com> <alpine.DEB.2.20.2011170006580.25321@grey.csi.cam.ac.uk> <73abac2db221cd67abfb1e5860e2bf8566694318.camel@powerdns.com> <alpine.DEB.2.20.2011182233220.26481@grey.csi.cam.ac.uk>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/wSk3l38yU9yf1M-56CckAaMDrD4>
Subject: Re: [dns-privacy] how can we ADoT?
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 12:17:54 -0000
On Wed, 2020-11-18 at 23:09 +0000, Tony Finch wrote: > > > * Authenticate the server by `subjectAltName` `iPAddress`. [snip] > > > > For DOTPIN, Ralph Dolmans had the bright insight to suggest not sending > > a server name at all (which matches what I said earlier - name servers > > have IPs, not really names). > > Do you mean not sending in TLS SNI? Yes, that would make sense if we're > not doing name-based auth. Yes. > > > * Ignore certificate name mismatches, and authenticate just the public > > > key. [snip] > > > > As above. (Not saying that it is the only way, but 'a name server has > > no name' has a lot of convenient properties.) > > There's another downside to this case: with IP-based or name-based auth, > you can put the CA's public key in the TLSA rather than the server key, so > there's less rollover churn, but that doesn't make sense for key-based > auth. Ah, of course. Then you have the downsides of TLSA with the downsides of DOTPIN. > I think there are significant (albeit woolly) advantages to staying as > close as possible to normal webPKI for DoT: much lower congnitive load for > operators who can reuse their https knowledge; deveopers don't have to > write code that's too weirdly different from https; very straightforward > parallel deployment for DoT, DoH, DoQ (if we ever want to support more > transports). That makes sense. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/
- Re: [dns-privacy] how can we ADoT? Eric Rescorla
- [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Hollenbeck, Scott
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Brian Dickson
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Manu Bretelle
- Re: [dns-privacy] how can we ADoT? Stephen Farrell
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? (with github u… Manu Bretelle
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? (with github u… Manu Bretelle
- Re: [dns-privacy] how can we ADoT? (with github u… Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk
- Re: [dns-privacy] how can we ADoT? Tony Finch
- Re: [dns-privacy] how can we ADoT? Peter van Dijk