Re: [DNSOP] [Fwd: New Version Notification for draft-vandijk-dnsop-ds-digest-verbatim-00.txt]
Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 25 September 2020 21:28 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 669FA3A09DF for <dnsop@ietfa.amsl.com>; Fri, 25 Sep 2020 14:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.398, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aaLmyeJbMiG3 for <dnsop@ietfa.amsl.com>; Fri, 25 Sep 2020 14:28:05 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C0C63A09D5 for <dnsop@ietf.org>; Fri, 25 Sep 2020 14:28:05 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx4.open-xchange.com (Postfix) with ESMTPS id 8A9576A241; Fri, 25 Sep 2020 23:28:03 +0200 (CEST)
Received: from plato (84-81-54-175.fixed.kpn.net [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 6DBED3C039B; Fri, 25 Sep 2020 23:28:03 +0200 (CEST)
Message-ID: <a6089ee12fb4393bbe77c1bac6c1587394c9a468.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Fri, 25 Sep 2020 23:27:59 +0200
In-Reply-To: <alpine.LRH.2.23.451.2009251702570.1634044@bofh.nohats.ca>
References: <160103718726.30054.5094716283741232929@ietfa.amsl.com> <026e8a7b7db7279269a361c0fd526283062df212.camel@powerdns.com> <alpine.LRH.2.23.451.2009251702570.1634044@bofh.nohats.ca>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0tF8uMudzAcz47HRFvfHCJk3E4c>
Subject: Re: [DNSOP] [Fwd: New Version Notification for draft-vandijk-dnsop-ds-digest-verbatim-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Sep 2020 21:28:06 -0000
Hello Paul, On Fri, 2020-09-25 at 17:13 -0400, Paul Wouters wrote: > I could see a use of publishing a DNSKEY at the parent in a DS record > that could be used for encrypted connections towards child nameservers. Me too! :-) > But we talked about this within the context of your other proposals, > and the view of a number of people and some large operators was that > this encryption is a per-nameserver thing, and not a per-zone thing. Lacking defined use cases and alternative proposals, I'm still considering the possible future where we have one method for each of those focuses, with different tradeoffs. > Another item not covered here we talked about before, is that child > data published in the parent MUST have cryptographic confirmation at > the child. Or else parents can coerce child data. Yes, I'm aware! I wanted to keep the -00 simple to first test for appetite in the WG. One of the DOTPIN co-authors brought up your 'child confirmation' idea for both drafts I posted this week, and in both cases, that seems to be an addition that could easily work. For this draft, in CDS or CDNSKEY; for the other draft, either by mandating 'some form of it' for anything that allocates out of the reserved range, or even by specifying right now 'odd numbers go in the parent, even numbers go in the child, and content needs to match'. However, so far it does not look like any of my drafts have gotten stuck because of -this- so I'm not inclined to put those words in yet. After adoption seems like plenty of time to discuss this. > It seems the setup of this record is geared towards a generic mechanism > of "child publishes stuff at the parent" which muddles the clear child > vs parent zone divider we have now. It would need a very strong use > case, but the other use case offered is "might be handy in the future". Yes - both drafts are 'this may prevent pain later'. I only have halfbaked ideas for what you could do with 'non-hashed parent-side publication of child data' (which both drafts provide): DoH URLs, signed delegation NS sets (which I consider a prime candidate for 'enabling TLSA in child', but that could be done DOTPIN style instead of either of these drafts), etc. > While I agree that DNS infrastructure updates have been extremely slow, > I do think in recent years it has been much better and is still > improving. So I am less concerned about anything taking 5 years again. Now if only we could apply that optimism to operator-registry communications :) Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/
- [DNSOP] [Fwd: New Version Notification for draft-… Peter van Dijk
- Re: [DNSOP] [Fwd: New Version Notification for dr… Brian Dickson
- Re: [DNSOP] [Fwd: New Version Notification for dr… Paul Wouters
- Re: [DNSOP] [Fwd: New Version Notification for dr… Peter van Dijk