IETF Logo Mail Archive

Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Peter van Dijk <peter.van.dijk@powerdns.com> Tue, 26 May 2020 13:24 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE3E3A0F4C for <dns-privacy@ietfa.amsl.com>; Tue, 26 May 2020 06:24:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id foqJGwZroi7m for <dns-privacy@ietfa.amsl.com>; Tue, 26 May 2020 06:24:01 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5D503A0F4A for <dns-privacy@ietf.org>; Tue, 26 May 2020 06:24:01 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx4.open-xchange.com (Postfix) with ESMTPS id A44D06A24E; Tue, 26 May 2020 15:23:58 +0200 (CEST)
Received: from plato (e82143.upc-e.chello.nl [213.93.82.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 78BE53C0447; Tue, 26 May 2020 15:23:58 +0200 (CEST)
Message-ID: <aa745f51e4b7fd0955ae9e444416772b32c75dbf.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dns-privacy@ietf.org
Date: Tue, 26 May 2020 15:23:57 +0200
In-Reply-To: <36E4371F-BCBE-43F7-9D4B-8439B3FF1D2A@isc.org>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca> <36E4371F-BCBE-43F7-9D4B-8439B3FF1D2A@isc.org>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/zLMta1QQ0JvFmXtn6GHDg3HbjdM>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2020 13:24:04 -0000

Hello Ondřej,

On Tue, 2020-05-26 at 09:10 +0200, Ondřej Surý wrote:
> >    Bit 7 of the Flags field is the Zone Key flag.  If bit 7 has value 1,
> >    then the DNSKEY record holds a DNS zone key, and the DNSKEY RR's
> >    owner name MUST be the name of a zone.  If bit 7 has value 0, then
> >    the DNSKEY record holds some other type of DNS public key and MUST
> >    NOT be used to verify RRSIGs that cover RRsets.
> 
> and also:
> 
> >    The DNSKEY RR is not intended as a record for storing arbitrary
> >    public keys and MUST NOT be used to store certificates or public keys
> >    that do not directly relate to the DNS infrastructure.
> 
> So, while my first though was same as Paul’s - this is abuse…  I came to
> conclusion, it actually isn’t.
> 
> That said - I think this needs some modifications:
> 
> 1. Bit 7 of the Flags fields needs to be 0.

Definitely - it is not explicit but the examples in draft -00, and the
PoC code, all use 0 for the flags. In 
https://github.com/PowerDNS/parent-signals-dot/issues/20 I noted
earlier that whatever flags we might need, it's definitely *not* ZONE
and SEP.

> 2. This needs a new Protocol number

I understand why you would say that, but I'd love to avoid doing that.
I wonder how much 'IETF' pain specifying another protocol number would
be, but what worries me more, ironically, is how it changes the format
away from normal DNSSEC. The draft was written such that a lot of
existing software needs no changes at all - I don't know if changing
the protocol number is compatible with that goal.

> 3. And since we now have non-„DNS zone key“ with a different protocol we might get a separate IANA registry for the algorithms (if needed).

We liked this, until we realised it will be painful with DS records.

Because the protocol number is not visible in the DS records, a 'pin
signal algo 8' and 'DNSSEC RSASHA256' DS are indistuingishible from
eachother. While validators should accept this, it will make tools like
dnsviz very hard to use if assignments between the existing and this
new registry overlap. So, we'd have to state that the two registries
may not issue overlapping assignments, in which case we might as well
stick with the one registry we have.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

v2.23.0 | Report a Bug | By Email