Re: [DNSOP] [Fwd: New Version Notification for draft-vandijk-dnsop-ds-digest-verbatim-00.txt]

Peter van Dijk <> Fri, 25 September 2020 21:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 669FA3A09DF for <>; Fri, 25 Sep 2020 14:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.398, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aaLmyeJbMiG3 for <>; Fri, 25 Sep 2020 14:28:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1C0C63A09D5 for <>; Fri, 25 Sep 2020 14:28:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPS id 8A9576A241; Fri, 25 Sep 2020 23:28:03 +0200 (CEST)
Received: from plato ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 6DBED3C039B; Fri, 25 Sep 2020 23:28:03 +0200 (CEST)
Message-ID: <>
From: Peter van Dijk <>
Date: Fri, 25 Sep 2020 23:27:59 +0200
In-Reply-To: <>
References: <> <> <>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] [Fwd: New Version Notification for draft-vandijk-dnsop-ds-digest-verbatim-00.txt]
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 Sep 2020 21:28:06 -0000

Hello Paul,

On Fri, 2020-09-25 at 17:13 -0400, Paul Wouters wrote:
> I could see a use of publishing a DNSKEY at the parent in a DS record
> that could be used for encrypted connections towards child nameservers.

Me too! :-)

> But we talked about this within the context of your other proposals,
> and the view of a number of people and some large operators was that
> this encryption is a per-nameserver thing, and not a per-zone thing.

Lacking defined use cases and alternative proposals, I'm still
considering the possible future where we have one method for each of
those focuses, with different tradeoffs.

> Another item not covered here we talked about before, is that child
> data published in the parent MUST have cryptographic confirmation at
> the child. Or else parents can coerce child data.

Yes, I'm aware! I wanted to keep the -00 simple to first test for
appetite in the WG.

One of the DOTPIN co-authors brought up your 'child confirmation' idea
for both drafts I posted this week, and in both cases, that seems to be
an addition that could easily work. For this draft, in CDS or CDNSKEY;
for the other draft, either by mandating 'some form of it' for anything
that allocates out of the reserved range, or even by specifying right
now 'odd numbers go in the parent, even numbers go in the child, and
content needs to match'.

However, so far it does not look like any of my drafts have gotten
stuck because of -this- so I'm not inclined to put those words in yet.
After adoption seems like plenty of time to discuss this.

> It seems the setup of this record is geared towards a generic mechanism
> of "child publishes stuff at the parent" which muddles the clear child
> vs parent zone divider we have now. It would need a very strong use
> case, but the other use case offered is "might be handy in the future".

Yes - both drafts are 'this may prevent pain later'. I only have
halfbaked ideas for what you could do with 'non-hashed parent-side
publication of child data' (which both drafts provide): DoH URLs,
signed delegation NS sets (which I consider a prime candidate for
'enabling TLSA in child', but that could be done DOTPIN style instead
of either of these drafts), etc.

> While I agree that DNS infrastructure updates have been extremely slow,
> I do think in recent years it has been much better and is still
> improving. So I am less concerned about anything taking 5 years again.

Now if only we could apply that optimism to operator-registry communications :)

Kind regards,
Peter van Dijk