Re: [dns-privacy] Alternative signalling propsals
Tony Finch <dot@dotat.at> Tue, 18 December 2018 12:36 UTC
Return-Path: <dot@dotat.at>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 409D9131148 for <dns-privacy@ietfa.amsl.com>; Tue, 18 Dec 2018 04:36:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jn7XmT4ngW1t for <dns-privacy@ietfa.amsl.com>; Tue, 18 Dec 2018 04:36:42 -0800 (PST)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk [131.111.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2D10131125 for <dns-privacy@ietf.org>; Tue, 18 Dec 2018 04:36:41 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:56400) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gZEbx-000xW3-LH (Exim 4.91) (return-path <dot@dotat.at>); Tue, 18 Dec 2018 12:36:33 +0000
Date: Tue, 18 Dec 2018 12:36:32 +0000
From: Tony Finch <dot@dotat.at>
To: Wes Hardaker <wes@hardakers.net>
cc: "Reed, Jon" <jreed@akamai.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <yblwoo8vxlk.fsf@w7.hardakers.net>
Message-ID: <alpine.DEB.2.20.1812181215390.29254@grey.csi.cam.ac.uk>
References: <74C380A3-C69F-4340-A723-B134F052953E@akamai.com> <yblwoo8vxlk.fsf@w7.hardakers.net>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/zy8D_kvYYYCcf9WDPGZYotZ1PHY>
Subject: Re: [dns-privacy] Alternative signalling propsals
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 12:36:50 -0000
Wes Hardaker <wes@hardakers.net> wrote: > > My list for putting a TLSA or similar record at the reverse zone > include: > > pros: > - the authoritative server more likely in control of its reverse zone than all > the forward zones its serving Reverse zones plural (v4 + v6) :-) > - the number of reverse zone records to update on a key change is 1 per ip > address. The number of name server NS records to update per key > change is 1 per zone supported, which is very very large for some > servers. For forward DNS it is 1 per name server name (i.e. per alias), which might be 1 per zone for places that provision zones with in in-bailiwick name server names, or might be 1 per server if they prefer to provision zones with canonical name server names. > - it feels cleaner > cons: > - not everyone controls their reverse zone easily, especially for those > that don't hold at least a /24 allocation. Ironically, I fall into > this camp but still think this is a better solution than a name-based one. > - requires more lookups > - requires the reverse tree for that address be fully signed The "more lookups" thing is interesting. If the TLSA-like record is in the forward DNS, then you get into a bootstrapping problem. Assuming we can't add these new records as glue, a resolver ends up having to: * query a parent server for delegation; receive NS records and glue * query a child server publicly for TLSA-like record(s) * query child server privately for actual question i.e. in the DNS case we lose the opportunity for concurrent address + TLSA queries that DANE normally offers. If the TLSA-like record is in the reverse DNS, and the reverse DNS nameservers are cached, then the sequence of lookups is the same. The "more lookups" case happens when there's a cold reverse DNS cache as well as a cold forward cache. Putting TLSA-like records in the reverse DNS doesn't solve the bootstrap problem, in cases where the server you want the TLSA-like record for is authoritative for its own reverse zones. I started a thread discussing related things back in September... https://www.ietf.org/mail-archive/web/dns-privacy/current/msg02124.html Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ public services available on equal terms to all
- [dns-privacy] Alternative signalling propsals Reed, Jon
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Jon Reed
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Paul Wouters
- Re: [dns-privacy] Alternative signalling propsals Stephen Farrell
- Re: [dns-privacy] Alternative signalling propsals Daniel Kahn Gillmor
- Re: [dns-privacy] Alternative signalling propsals Daniel Kahn Gillmor
- Re: [dns-privacy] Alternative signalling propsals Stephen Farrell
- Re: [dns-privacy] Alternative signalling propsals Mark Andrews
- Re: [dns-privacy] Alternative signalling propsals Wes Hardaker
- Re: [dns-privacy] Alternative signalling propsals Paul Wouters
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Tony Finch
- Re: [dns-privacy] Alternative signalling propsals Wes Hardaker
- Re: [dns-privacy] Alternative signalling propsals Petr Špaček