Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative
Manu Bretelle <chantr4@gmail.com> Sat, 08 August 2020 01:56 UTC
References: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org>
In-Reply-To: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org>
From: Manu Bretelle <chantr4@gmail.com>
Date: Fri, 07 Aug 2020 18:56:33 -0700
Message-ID: <CAArYzrKdAzsnQYMdSG-MB8M+aho6m3cBMpw78YZ1av9-xasCkA@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "dprive@ietf.org" <dprive@ietf.org>
Yes. I think it is worth doing.

Manu

On Thu, Aug 6, 2020 at 7:59 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

> Greetings again. The following is a short text-based version of my slides
> from last week's WG meeting. I'd like to find out if this is one of the use
> cases that the WG would be interested in dealing with.
>
> Use case: Opportunistic encryption for recursive to authoritative
>
> In this use case, a resolver operator says “I’m happy to use encryption
> with the authoritative servers if it doesn’t slow down getting answers by
> much”, and an authoritative server says “I’m happy to use encryption with
> the recursive resolvers if it doesn’t cost me much”.
>
> Opportunistic encryption is defined in RFC 7535. From the abstract:
> "Protocol designs based on Opportunistic Security use encryption even when
> authentication is not available, and use authentication when possible,
> thereby removing barriers to the widespread use of encryption on the
> Internet."
>
> The assumptions behind the use case are:
> • More encryption is good for the Internet
> • Resolver vendors are smart and motivated
> • Most resolvers don’t validate with DNSSEC and may never want to
> • Authoritative operators don’t care much about encryption, but some would
> turn it on because more encryption is good for the Internet
> • Other use cases for authentication stronger than opportunistic may
> appear and would co-exist with this one
>
> The other slides had thoughts about possible solutions that implement this
> use case, but before we go there, I wanted to find out if more than a
> handful of people here are interested in this use case. If so, I could turn
> the above into a draft with some possible solutions for us to bang on.
>
> --Paul Hoffman
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
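The quoted use case describes a policy rather than a mechanism: a resolver prefers encryption to an authoritative server when it costs little latency, and authenticates when it can. The following Python is an added illustration of that decision ladder (it is not code from this thread, from Paul Hoffman, or from any resolver). It does no network I/O: the authoritative server profiles, their round-trip times and the `max_slowdown_ms` budget are constructed values, and `tls_auth_ok` simply stands in for whatever authentication a future draft might specify (certificate chain, DANE, or other). The point it makes visible is the difference between the three outcomes: cleartext, unauthenticated TLS (protects only against passive observation, and an active attacker who blocks the TLS port can force the fallback), and authenticated TLS.

```python
"""Opportunistic-encryption transport choice for recursive-to-authoritative DNS.

Added example, not part of the dns-privacy thread. Simulates the policy
"encrypt if it does not slow answers down by much; authenticate when possible"
over constructed server profiles. No sockets are opened; all numbers are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthServerProfile:
    """Constructed view of one authoritative server as a resolver might learn it."""
    name: str
    plain_rtt_ms: float           # measured Do53 (UDP/53) round trip, constructed
    tls_rtt_ms: Optional[float]   # measured TLS round trip; None = no TLS endpoint
    tls_auth_ok: bool             # hypothetical: would the TLS endpoint authenticate?


@dataclass(frozen=True)
class TransportDecision:
    transport: str        # "dot" (DNS over TLS) or "do53" (cleartext)
    authenticated: bool   # True only when TLS is used AND authentication succeeded
    reason: str


def choose_transport(p: AuthServerProfile, max_slowdown_ms: float = 50.0) -> TransportDecision:
    """Apply the opportunistic ladder to one server profile.

    Order of preference: authenticated TLS > unauthenticated TLS > cleartext.
    TLS is only taken when its extra latency over Do53 stays within the budget,
    which is the "doesn't slow down getting answers by much" condition.
    """
    if p.tls_rtt_ms is None:
        return TransportDecision("do53", False, "no TLS endpoint; using cleartext")
    if p.tls_rtt_ms - p.plain_rtt_ms > max_slowdown_ms:
        return TransportDecision("do53", False, "TLS over latency budget; using cleartext")
    if p.tls_auth_ok:
        return TransportDecision("dot", True, "TLS, authenticated")
    # Opportunistic mode: encrypt anyway. Defends against passive observation only;
    # an on-path attacker can still impersonate the server or force the fallback above.
    return TransportDecision("dot", False, "TLS, unauthenticated (passive-observer protection only)")


def summarize(profiles: List[AuthServerProfile], max_slowdown_ms: float = 50.0) -> Dict[str, int]:
    """Count how a fleet of servers would be reached under the policy."""
    counts = {"cleartext": 0, "encrypted": 0, "authenticated": 0}
    for p in profiles:
        d = choose_transport(p, max_slowdown_ms)
        if d.transport == "do53":
            counts["cleartext"] += 1
        else:
            counts["encrypted"] += 1
            if d.authenticated:
                counts["authenticated"] += 1
    return counts


# Constructed fleet: one of each outcome.
SAMPLE_FLEET = [
    AuthServerProfile("ns-auth-ok",   plain_rtt_ms=20.0, tls_rtt_ms=40.0,  tls_auth_ok=True),
    AuthServerProfile("ns-auth-fail", plain_rtt_ms=20.0, tls_rtt_ms=45.0,  tls_auth_ok=False),
    AuthServerProfile("ns-no-tls",    plain_rtt_ms=20.0, tls_rtt_ms=None,  tls_auth_ok=False),
    AuthServerProfile("ns-slow-tls",  plain_rtt_ms=20.0, tls_rtt_ms=200.0, tls_auth_ok=True),
]


if __name__ == "__main__":
    for prof in SAMPLE_FLEET:
        dec = choose_transport(prof)
        print(f"{prof.name:13s} -> {dec.transport:5s} auth={dec.authenticated!s:5s} {dec.reason}")
    print(summarize(SAMPLE_FLEET))
```

Note the last profile: a server that would authenticate fine is still reached in cleartext because its TLS latency blew the budget. That is the trade-off the use case accepts, and it is also why the quoted text mentions that stronger-authentication use cases would need to co-exist with this one rather than be replaced by it.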