IETF Logo Mail Archive

[dns-privacy] re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Paul Wouters <paul@nohats.ca> Wed, 03 June 2020 15:51 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A54E3A0D98 for <dns-privacy@ietfa.amsl.com>; Wed, 3 Jun 2020 08:51:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Sy_gr6e5VCL for <dns-privacy@ietfa.amsl.com>; Wed, 3 Jun 2020 08:51:12 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD59D3A0D96 for <dns-privacy@ietf.org>; Wed, 3 Jun 2020 08:51:12 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 49cYKn6wByzM87; Wed, 3 Jun 2020 17:51:09 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1591199469; bh=mc1FLTfSK7USt/hVxRCc3aF8mk0ofqyS9z860Fs0jRA=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=NZAti6KpKN7tUXPWqUe3odXJARFJWEXM05HQQIVUZqSpIQQQ6E2TWgGUSgfNiw3+w aqoHBed6aCmW0+OZAhk4gKBIPn4VJyKxQY+qJxJrqehJlbbwN+bNXcq55mZ4lgvnlx KCpmkBkdcy9ftrKKG5PI7O6XOkYOv3lvQha8d0kQ=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id gnuUJwLZixgd; Wed, 3 Jun 2020 17:51:08 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 3 Jun 2020 17:51:08 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 70C3C6029BA2; Wed, 3 Jun 2020 11:51:07 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 6D2B766B7C; Wed, 3 Jun 2020 11:51:07 -0400 (EDT)
Date: Wed, 03 Jun 2020 11:51:07 -0400
From: Paul Wouters <paul@nohats.ca>
To: Peter van Dijk <peter.van.dijk@powerdns.com>, Viktor Dukhovni <ietf-dane@dukhovni.org>
cc: dns-privacy@ietf.org
In-Reply-To: <1b323302a42ea7559b9d76b041d4ebef15ac20cc.camel@powerdns.com>
Message-ID: <alpine.LRH.2.22.394.2006031140570.9753@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <eaf5d580-ec3c-bf7e-2987-cc03ebcde80a@huitema.net> <1b323302a42ea7559b9d76b041d4ebef15ac20cc.camel@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ynMI5b-UOj-jE36drrmUQGFKZxg>
Subject: [dns-privacy] re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2020 15:51:15 -0000

On Wed, 3 Jun 2020, Peter van Dijk wrote:

>
> We have definitely thought about that! The way this signaling protocol is structured means that we cannot see DNSKEY flags until we have established some encrypted connection (in our case, DoT). So flags are out. I think it would be simplest to allocate one 'algorithm' number per protocol. This would also allow protocols other than DoT to perhaps use the various DNSKEY/DS fields for different semantics.

I had a discussion with Viktor Dukhovni about the concepts of the draft.

We kind of came to the following conclusion:

If you need EPP and/or Registry and Registrar support for new things,
this is not really going to get deployed at scale. (and we need scale
to hide)

Syncing between domain owner and nameserver operator for public keys is
basically impossible. While it might work manually for one domain,
imagine GoDaddy or Cloudflare wanting to change their DoT key. They have
to get all their domain DS records updated. We can hope for CDS, but is
that realistic?

All of the draft (storing DoT signal plus pubkey in DS record) is
basically the same as storing this in a TLSA record at the nameserver
name, except it saves a few RTTs. But saving those RTTs is really not
that important if you do this at the large nameserver hosters, for which
a recursive presumbly already has a working DoT connection open because
it is serving so many more other domains.

It really makes much more sense to signal the capability of nameservers
with nameservers, and not with the domains they serve. Then if someone
uses ns0.nohats.ca, ns1.cloudflare.com and ns2.godaddy.com, those
hosters can all maintain their keys themselves and update their
nameservers without needing to inform or get consent from their millions
of domain name owners.


So we kind of concluded this was a neat hack, but we shouldn't really
think it leads to realistic at scale stable deployments.

Let's just use TLSA records on the nameservers. It is logically where
this information is authoritative for.

Paul and Viktor

v2.23.0 | Report a Bug | By Email