Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
Peter van Dijk <peter.van.dijk@powerdns.com> Sat, 23 May 2020 17:59 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B2F13A0BB8 for <dns-privacy@ietfa.amsl.com>; Sat, 23 May 2020 10:59:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DzpWZjhz0C47 for <dns-privacy@ietfa.amsl.com>; Sat, 23 May 2020 10:59:43 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9575F3A0B71 for <dns-privacy@ietf.org>; Sat, 23 May 2020 10:59:43 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id B4D526A241; Sat, 23 May 2020 19:59:40 +0200 (CEST)
Received: from plato (ip545136af.direct-adsl.nl [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 800563C004B; Sat, 23 May 2020 19:59:40 +0200 (CEST)
Message-ID: <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dns-privacy@ietf.org
Date: Sat, 23 May 2020 19:59:39 +0200
In-Reply-To: <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/zZyLchU2A8csKAr5fas12xD-zf0>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 May 2020 17:59:45 -0000
On Tue, 2020-05-19 at 11:46 -0400, Paul Wouters wrote: > On Tue, 19 May 2020, Peter van Dijk wrote: > > > The draft is managed on GitHub in .md format at > > https://github.com/PowerDNS/parent-signals-dot/tree/master/draft-vandijk-dprive-ds-dot-signal-and-pin > > We first added the KEY RRTYPE in the 1990's to allow generic public > keys in DNS. Then the DNS (and CA) people got upset at the KEY record > being used for something else than securing DNS. So KEY was obsoleted > for DNSKEY that signified it is for DNSSEC only. And we are forever stuck with a '3' that I keep forgetting the meaning of :) > This draft now tries to shoehorn a TLS key into the DNSKEY record. > > A much cleaner solution would be to use a proper TLSA record. If you > want to signal securely within DNSSEC that encrypted DNS is available, > use a DNSKEY flag on the existing DNSKEYs to signal that (similar to > the DELEGATION_ONLY flag). You only need 1 bit and TLSA records - which > are port specific - can be used to signify presence of DoT or DoH. Or > if you want to support both on port 443 for middleware circumvention, > you can use _dot and _doh prefixed (eg _443._dot.nohats.ca IN TLSA <blob> As I remarked in my reply to Jeremy, I spent quite some time thinking about how to do the signalling&pinning with actual TLSA records, but I never ended up with a satisfactory solution. https://github.com/PowerDNS/parent-signals-dot/blob/master/README.md has some terse notes on fitting TLSA to this problem. Perhaps we should add similar notes to the draft in a not-for-publication section? For your specific proposal, how would I see the DOT_TLSA flag on the nohats.ca DNSKEY without first querying for that DNSKEY over a plain text connection to your name servers? Also, as Petr pointed out, our DNSKEY/DS-based proposal does not involve additional queries and thus roundtrips; as far as I can imagine, anything using TLSA would need extra queries. > The TLSA records can also be of different types, so you can pin the TLSA > record to a pubkey, certificate or specific CA. This would allow the DoH > or DoT maintainer to change/update their keys witout needing to update > or have access to the DNSSEC signer to update the DNS. In our 'emulation' (or perhaps re-syntaxing) of TLSA, we explicitly chose to only map TLSA Certificate Usage 3, because all other forms require that you are confident about the name of the remote end you are connecting to. As delegation NS records are not signed, those usages would be susceptible to attack if the TLSA records are not somehow tied to both the delegated domain name -and- the names of its name servers. '_443._dot.nohats.ca' (ignoring, for a moment, that it lives in the child zone and thus is not available when the resolver needs it for safely connecting to the nohats.ca name servers) does not tie itself to the names of the name servers, and thus cannot support anything other than TLSA Certificate Usage 3. Of course, I've had to read between the lines of your proposal a bit, as it was specified very tersely. If you, or somebody else, comes up with a fully fleshed out proposal based on TLSA, I would be very interested in reading it! Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/
- [dns-privacy] [Fwd: New Version Notification for … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Mikael Abrahamsson
- Re: [dns-privacy] [Fwd: New Version Notification … Jeremy Harris
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ondřej Surý
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Stephen Farrell
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Shumon Huque
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- [dns-privacy] re-evaluation of the draft, was Re:… Paul Wouters
- Re: [dns-privacy] re-evaluation of the draft, was… Robin Geuze
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … John Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Christian Huitema
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … John R Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John Levine
- Re: [dns-privacy] bootstrapping NS names, was re-… Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John R Levine