IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Requirements for authoritative server preferences

Paul Hoffman <paul.hoffman@icann.org> Wed, 04 November 2020 15:07 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 670BE3A0C96 for <dns-privacy@ietfa.amsl.com>; Wed, 4 Nov 2020 07:07:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZ-QR8Datd7t for <dns-privacy@ietfa.amsl.com>; Wed, 4 Nov 2020 07:07:31 -0800 (PST)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E03C3A0B73 for <dns-privacy@ietf.org>; Wed, 4 Nov 2020 07:07:31 -0800 (PST)
Received: from MBX112-W2-CO-2.pexch112.icann.org (out.mail.icann.org [64.78.33.6]) by ppa2.lax.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 0A4F7TIM004446 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 4 Nov 2020 15:07:29 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.659.4; Wed, 4 Nov 2020 07:06:54 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0659.007; Wed, 4 Nov 2020 07:06:54 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
CC: DNS Privacy Working Group <dns-privacy@ietf.org>
Thread-Topic: [Ext] [dns-privacy] Requirements for authoritative server preferences
Thread-Index: AQHWsrwhz5BA5PcAK0ufGbJhmgwWfg==
Date: Wed, 04 Nov 2020 15:06:54 +0000
Message-ID: <27327D53-F497-413C-B033-56C40586186A@icann.org>
References: <160435765311.18774.16063151114758509438@ietfa.amsl.com> <1E8597EB-C856-4DC9-A42D-8B2142501C7A@icann.org> <20201104083712.GB6824@sources.org>
In-Reply-To: <20201104083712.GB6824@sources.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_9642CD62-1321-4342-B1C6-B1EF08C4B0CE"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-11-04_08:2020-11-04, 2020-11-04 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ysDAo48h54FuQTeImQfv0LJhJLo>
Subject: Re: [dns-privacy] [Ext] Requirements for authoritative server preferences
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2020 15:07:32 -0000

On Nov 4, 2020, at 12:37 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> 
> On Wed, Nov 04, 2020 at 02:15:03AM +0000,
> Paul Hoffman <paul.hoffman@icann.org> wrote 
> a message of 114 lines which said:
> 
>>        In addition this SHALL include whether a secure transport protocol
>>        MUST always be used (non-downgradable) or whether a secure
>>        transport protocol MAY be used on an opportunistic (not strict)
>>        basis in recognition that some servers for a domain might use a
>>        secure transport protocol and others might not.
>> 
>> It is impossible for a server to tell whether a resolver is authenticating, so being able to say "you must authenticate" is kinda just posturing. The choice of whether or not to connect should always be with the resolver. Further, if a resolver is using a mechanism that requires strict authentication, it truly doesn't matter what the authoritative server has said it wants.
> 
> Nevertheless, hints from the authoritative name server can be useful,
> such as "You should use DoT in strict mode but there is also a DoH
> service which is quite experimental with a self-signed
> certificate".

Such hints could indeed be useful. I don't see them as a requirement, particularly if that requirement delays increased privacy or, worse, makes it harder to deploy.

> Other IETF protocols have such hints from the
> authoritative side about what the client should do, even if they
> cannot be enforced (RFC 7208 for instance).

SPF is an excellent example of a protocol that has made things more fragile while intending to make them more secure.

> Is it worth the complexity? I don't know but it is not useless.

Fully agree.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email