Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative

Brian Haberman <brian@innovationslab.net> Sat, 08 August 2020 18:57 UTC

To: dns-privacy@ietf.org
References: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org>
From: Brian Haberman <brian@innovationslab.net>
Message-ID: <17f6e4fd-e545-267f-f29e-01d5fb57d017@innovationslab.net>
Date: Sat, 08 Aug 2020 14:57:00 -0400
In-Reply-To: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/zxfaz4DxJrrDtPoY68E8g9K4ofc>
Subject: Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative

Does anyone have numbers on how many authoritative servers use anycast
for load balancing?

Brian

On 8/6/20 10:59 AM, Paul Hoffman wrote:
> Greetings again. The following is a short text-based version of my slides from last week's WG meeting. I'd like to find out if this is one of the use cases that the WG would be interested in dealing with.
> 
> Use case: Opportunistic encryption for recursive to authoritative
> 
> In this use case, a resolver operator says “I’m happy to use encryption with the authoritative servers if it doesn’t slow down getting answers by much”, and an authoritative server says “I’m happy to use encryption with the recursive resolvers if it doesn’t cost me much”.
> 
> Opportunistic encryption is defined in RFC 7535. From the abstract: "Protocol designs based on Opportunistic Security use encryption even when authentication is not available, and use authentication when possible, thereby removing barriers to the widespread use of encryption on the Internet."
> 
> The assumptions behind the use case are:
> • More encryption is good for the Internet
> • Resolver vendors are smart and motivated
> • Most resolvers don’t validate with DNSSEC and may never want to
> • Authoritative operators don’t care much about encryption, but some would turn it on because more encryption is good for the Internet
> • Other use cases for authentication stronger than opportunistic may appear and would co-exist with this one
> 
> The other slides had thoughts about possible solutions that implement this use case, but before we go there, I wanted to find out if more than a handful of people here are interested in this use case. If so, I could turn the above into a draft with some possible solutions for us to bang on.
> 
> --Paul Hoffman
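The decision an opportunistic resolver has to make for each authoritative server, written out as an added example (this is not code from the thread, from Paul Hoffman, or from any resolver vendor). It models the policy in the quoted use case: try encryption, use authentication when the server's identity can be verified, and fall back to cleartext when encryption is unavailable or slows answers by more than an operator-chosen budget. The server profiles, the latency numbers and the re-probe interval are all constructed for illustration; a real resolver would learn them from actual connection attempts.

```python
"""
Model of transport selection for opportunistic encryption between a
recursive resolver and an authoritative server (added example, constructed).

Assumptions (not from the thread):
- every authoritative server answers over cleartext; some also offer an
  encrypted transport, with or without a verifiable identity;
- the operator sets max_extra_latency_ms as the meaning of "doesn't slow
  down getting answers by much";
- probe outcomes are remembered per server for retry_after_s seconds so a
  server known to lack encryption is not re-probed on every query.
"""
from dataclasses import dataclass, field
from enum import Enum
import time


class Mode(Enum):
    AUTHENTICATED = "encrypted, authenticated"
    UNAUTHENTICATED = "encrypted, unauthenticated"
    CLEARTEXT = "cleartext"


@dataclass
class ServerProfile:
    """Constructed view of what one authoritative server offers."""
    supports_encryption: bool
    identity_verifiable: bool       # can the resolver authenticate it?
    cleartext_rtt_ms: float
    encrypted_rtt_ms: float         # float('inf') models a failed handshake


@dataclass
class OpportunisticPolicy:
    max_extra_latency_ms: float     # budget for encryption overhead
    retry_after_s: float = 3600.0   # re-probe a downgraded server after this
    _seen: dict = field(default_factory=dict)

    def probe(self, profile: ServerProfile) -> Mode:
        """Pure decision: never fails hard, always returns a usable mode."""
        if not profile.supports_encryption or profile.encrypted_rtt_ms == float("inf"):
            return Mode.CLEARTEXT                      # encryption unavailable
        extra = profile.encrypted_rtt_ms - profile.cleartext_rtt_ms
        if extra > self.max_extra_latency_ms:
            return Mode.CLEARTEXT                      # too slow for this operator
        if profile.identity_verifiable:
            return Mode.AUTHENTICATED                  # authenticate when possible
        return Mode.UNAUTHENTICATED                    # encrypt even without auth

    def choose(self, server_id: str, profile: ServerProfile, now: float = None) -> Mode:
        """Cached decision per server; re-probes after retry_after_s."""
        now = time.monotonic() if now is None else now
        cached = self._seen.get(server_id)
        if cached is not None and now - cached[1] < self.retry_after_s:
            return cached[0]
        mode = self.probe(profile)
        self._seen[server_id] = (mode, now)
        return mode


def plan_transports(policy: OpportunisticPolicy, servers: dict, now: float = 0.0) -> dict:
    """Map each server id to the transport mode the policy selects."""
    return {sid: policy.choose(sid, prof, now) for sid, prof in servers.items()}


# Constructed sample: five authoritative servers with different capabilities.
SAMPLE_SERVERS = {
    "auth-a": ServerProfile(True, True, 20.0, 25.0),          # fast, verifiable
    "auth-b": ServerProfile(True, False, 20.0, 28.0),         # fast, no verifiable identity
    "auth-c": ServerProfile(True, True, 20.0, 45.0),          # encryption too slow
    "auth-d": ServerProfile(False, False, 20.0, float("inf")),  # no encryption at all
    "auth-e": ServerProfile(True, True, 20.0, float("inf")),  # handshake fails
}

if __name__ == "__main__":
    policy = OpportunisticPolicy(max_extra_latency_ms=10.0)
    for sid, mode in plan_transports(policy, SAMPLE_SERVERS).items():
        print(f"{sid}: {mode.value}")
```

Two properties of the model matter for the use case. First, probe() never raises: in opportunistic security a failed or slow encrypted connection is a reason to fall back, not a resolution failure, which is exactly what makes the scheme cheap for resolver operators to enable. Second, the per-server cache is what Brian's anycast question bears on: if one server address fronts several instances with different configurations, a cached "cleartext" or "authenticated" decision can be stale for the next instance reached, so retry_after_s should be short and any encrypted-connection failure after a cached decision should simply re-run probe() rather than be treated as an error.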