[DNSOP] [Fwd: New Version Notification for draft-peetterr-dnsop-parent-side-auth-types-00.txt]

Peter van Dijk <peter.van.dijk@powerdns.com> Thu, 24 September 2020 17:58 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 66DEC3A11D9 for <dnsop@ietfa.amsl.com>; Thu, 24 Sep 2020 10:58:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.244
X-Spam-Status: No, score=0.244 tagged_above=-999 required=5 tests=[AC_FROM_MANY_DOTS=2.141, BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id gmMJgmTK3bRa for <dnsop@ietfa.amsl.com>; Thu, 24 Sep 2020 10:58:19 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A39823A11D8 for <dnsop@ietf.org>; Thu, 24 Sep 2020 10:58:19 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id 2E6656A23D; Thu, 24 Sep 2020 19:58:17 +0200 (CEST)
Received: from plato (84-81-54-175.fixed.kpn.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 12ED63C020F; Thu, 24 Sep 2020 19:58:17 +0200 (CEST)
Message-ID: <702a5de3ddcef844aeb80b4c071ee9559aaac650.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Thu, 24 Sep 2020 19:58:16 +0200
References: <160096974346.12277.16853345396397035889@ietfa.amsl.com>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-f8No7tTstaHxjngUr3WPA4ICmI>
Subject: [DNSOP] [Fwd: New Version Notification for draft-peetterr-dnsop-parent-side-auth-types-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2020 17:58:21 -0000

Hello dnsop,

early 2019, Manu of Facebook proposed the DSPKI record - a parent-side-
of-the-delegation record to hold a pin for authenticating child-side
DoT servers. This would be undeployable.

A few months ago, Tim April proposed NS2/NS2T, which looks like it
would clearly benefit from the ability to publish signed data on the
parent side of a delegation. This ability seems unlikely today.

Also a few months ago, myself and a few others proposed shoehorning
certificate hashes into the DS record. The shoehorning (and perhaps
some other aspects of that proposal) were not well received by

When talking to Petr Spacek about this, he came up with the following:
-if-, long enough ago, besides DS, a range of RRtype numbers would have
been reserved with the same processing rules, i.e. these types live in
the -parent- and not on the -child-, then both DSPKI and NS2T could
become parent side records through the simple act of requesting an
IANA allocation from that special range.

Sadly, it is not five years ago today. It is today today. So, here is a
draft that requests that IANA reserves such a range. Knowledge of that
range and its DS-like handling can then end up in implementations over
time. When that has happened at some useful scale, we could do a DSPKI
experiment. NS2T could explore what benefits come from the ability to
publish in the parent. And, nobody will have to shoehorn hashed TLS
certificates into DS records.

This draft is a bit rough; I trust it, and this email, have brought the
idea across. Editorial comments are welcome via GitHub (link is in the
draft), or via the WG of course.

Looking forward to your thoughts on this.

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

-------- Forwarded Message --------
From: internet-drafts@ietf.org
To: Petr Spacek <petr.spacek@nic.cz>, Peter van Dijk <
Subject: [EXT] New Version Notification for draft-peetterr-dnsop-
Date: Thu, 24 Sep 2020 10:49:03 -0700

A new version of I-D, draft-peetterr-dnsop-parent-side-auth-types-00.txt
has been successfully submitted by Peter van Dijk and posted to the
IETF repository.

Name:		draft-peetterr-dnsop-parent-side-auth-types
Revision:	00
Title:		Parent-side authoritative DNS records for enhanced delegation
Document date:	2020-09-24
Group:		Individual Submission
Pages:		5
URL:            https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt
Status:         https://datatracker.ietf.org/doc/draft-peetterr-dnsop-parent-side-auth-types/
Html:           https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.html
Htmlized:       https://tools.ietf.org/html/draft-peetterr-dnsop-parent-side-auth-types-00

   A DNS RRtype numeric range that behaves like DS is reserved.  This
   means: being authoritative on the parent side of a delegation; being
   signed by the parent; being provided along with delegations by the
   parent.  If this document had become an RFC five years ago, deploying
   new types (along the lines of NS2/NS2T, DSPKI or various other
   imagined things like DNS ('signed delegation NS')) would be easier to
   deploy and experiment with today.


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat