[DNSOP] [Fwd: New Version Notification for draft-peetterr-dnsop-parent-side-auth-types-00.txt]
Peter van Dijk <peter.van.dijk@powerdns.com> Thu, 24 September 2020 17:58 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66DEC3A11D9 for <dnsop@ietfa.amsl.com>; Thu, 24 Sep 2020 10:58:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.244
X-Spam-Level:
X-Spam-Status: No, score=0.244 tagged_above=-999 required=5 tests=[AC_FROM_MANY_DOTS=2.141, BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gmMJgmTK3bRa for <dnsop@ietfa.amsl.com>; Thu, 24 Sep 2020 10:58:19 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A39823A11D8 for <dnsop@ietf.org>; Thu, 24 Sep 2020 10:58:19 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id 2E6656A23D; Thu, 24 Sep 2020 19:58:17 +0200 (CEST)
Received: from plato (84-81-54-175.fixed.kpn.net [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 12ED63C020F; Thu, 24 Sep 2020 19:58:17 +0200 (CEST)
Message-ID: <702a5de3ddcef844aeb80b4c071ee9559aaac650.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Thu, 24 Sep 2020 19:58:16 +0200
References: <160096974346.12277.16853345396397035889@ietfa.amsl.com>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-f8No7tTstaHxjngUr3WPA4ICmI>
Subject: [DNSOP] [Fwd: New Version Notification for draft-peetterr-dnsop-parent-side-auth-types-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2020 17:58:21 -0000
Hello dnsop, early 2019, Manu of Facebook proposed the DSPKI record - a parent-side- of-the-delegation record to hold a pin for authenticating child-side DoT servers. This would be undeployable. A few months ago, Tim April proposed NS2/NS2T, which looks like it would clearly benefit from the ability to publish signed data on the parent side of a delegation. This ability seems unlikely today. Also a few months ago, myself and a few others proposed shoehorning certificate hashes into the DS record. The shoehorning (and perhaps some other aspects of that proposal) were not well received by everybody. When talking to Petr Spacek about this, he came up with the following: -if-, long enough ago, besides DS, a range of RRtype numbers would have been reserved with the same processing rules, i.e. these types live in the -parent- and not on the -child-, then both DSPKI and NS2T could become parent side records through the simple act of requesting an IANA allocation from that special range. Sadly, it is not five years ago today. It is today today. So, here is a draft that requests that IANA reserves such a range. Knowledge of that range and its DS-like handling can then end up in implementations over time. When that has happened at some useful scale, we could do a DSPKI experiment. NS2T could explore what benefits come from the ability to publish in the parent. And, nobody will have to shoehorn hashed TLS certificates into DS records. This draft is a bit rough; I trust it, and this email, have brought the idea across. Editorial comments are welcome via GitHub (link is in the draft), or via the WG of course. Looking forward to your thoughts on this. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ -------- Forwarded Message -------- From: internet-drafts@ietf.org To: Petr Spacek <petr.spacek@nic.cz>, Peter van Dijk < peter.van.dijk@powerdns.com> Subject: [EXT] New Version Notification for draft-peetterr-dnsop- parent-side-auth-types-00.txt Date: Thu, 24 Sep 2020 10:49:03 -0700 A new version of I-D, draft-peetterr-dnsop-parent-side-auth-types-00.txt has been successfully submitted by Peter van Dijk and posted to the IETF repository. Name: draft-peetterr-dnsop-parent-side-auth-types Revision: 00 Title: Parent-side authoritative DNS records for enhanced delegation Document date: 2020-09-24 Group: Individual Submission Pages: 5 URL: https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt Status: https://datatracker.ietf.org/doc/draft-peetterr-dnsop-parent-side-auth-types/ Html: https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.html Htmlized: https://tools.ietf.org/html/draft-peetterr-dnsop-parent-side-auth-types-00 Abstract: A DNS RRtype numeric range that behaves like DS is reserved. This means: being authoritative on the parent side of a delegation; being signed by the parent; being provided along with delegations by the parent. If this document had become an RFC five years ago, deploying new types (along the lines of NS2/NS2T, DSPKI or various other imagined things like DNS ('signed delegation NS')) would be easier to deploy and experiment with today. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat
- [DNSOP] [Fwd: New Version Notification for draft-… Peter van Dijk
- Re: [DNSOP] [Fwd: New Version Notification for dr… Paul Wouters
- Re: [DNSOP] [Fwd: New Version Notification for dr… Ben Schwartz
- Re: [DNSOP] [Fwd: New Version Notification for dr… Brian Dickson
- Re: [DNSOP] [Fwd: New Version Notification for dr… Tony Finch
- Re: [DNSOP] [Fwd: New Version Notification for dr… Paul Wouters