IETF Logo Mail Archive

[DNSOP] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld

John R Levine <johnl@taugh.com> Tue, 06 May 2025 16:46 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B493C2583E30 for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 09:46:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.401
X-Spam-Level:
X-Spam-Status: No, score=-4.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="Et5WXQ6c"; dkim=pass (2048-bit key) header.d=taugh.com header.b="NsowHOKQ"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UnGi8brmkGJQ for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 09:46:53 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 894672583E00 for <dnsop@ietf.org>; Tue, 6 May 2025 09:46:44 -0700 (PDT)
Received: (qmail 12696 invoked from network); 6 May 2025 16:46:44 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type; s=3196681a3cf4.k2505; t=1746549994; x=1746895594; bh=Dc9yEKvHg8o7AwrlcD7ZyAiNnyEFLFAVv0PfAT0wmUw=; b=Et5WXQ6cbKwvfJ1l95V/v5rQQoohDj3IJHeAmgvA7BTyVOWzoMcTH9znWMrjT+bJ08g3o9oHl+nSkt0yz6o8TZ8Cap+dPemGItdVBYyPg6rxirHX8R8UJ4H/+um5Bx6tTWDypoJBNbUMN4cTTd8arh3XN8Bhi5IJ9FrffVQ9nnSMiJJcEtYgxirvi/1v/T01o6Yk0L1xzePlhqfdJtavboHeOQCp7ExhAKFEmoHBeNBgts4EAGHDf4MpUNaAv0dLJ4Xt8mZdNlGJH/jbnP9wVPubtuenSuUiJ3PqoFUNWntZCj+orS8HHCnJLdQ2cCCw4amVa5jvoHQeWuwf5WJddw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type; s=3196681a3cf4.k2505; bh=Dc9yEKvHg8o7AwrlcD7ZyAiNnyEFLFAVv0PfAT0wmUw=; b=NsowHOKQjFObWMChzIswT7JEA3XliD4KxpHxNg8weo4j0PqSCjKZPsF+s/3fYpVyvpeMpDDUlUsubialTTbrTqWwiE4yMKSxA0au8zhcFQFCE52JJ+Pg58MaJp1wIxtncw8le7Q99kOSD/d0hXAvxlDbKdIDq9+MHVuZNGB7HrHEZup5LgIUrVTZqY+nLilEq6Kf4P6J21bSp2vjWs9rJW/4YsMoIDJ9D3DV1eaqjXbSdbHg+NjXd+BvyQx8u0NXYVBz/bL1PnSG+je+BudeNgWpvDXqk69tlbMr+/4NsVEayzSB5YzGj8+6C7SAL1lpN+YTZYLVOP7wtxoKwWs+2w==
Received: from ary.qy ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 06 May 2025 16:46:43 -0000
Received: by ary.qy (Postfix, from userid 501) id 3C3EAC808972; Tue, 6 May 2025 12:46:42 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id 994D3C808954; Tue, 6 May 2025 12:46:42 -0400 (EDT)
Date: Tue, 06 May 2025 12:46:42 -0400
Message-ID: <6d8bc9b1-8729-08b7-bd0c-564ae0dd3a59@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>, dnsop@ietf.org
X-X-Sender: johnl@ary.qy
In-Reply-To: <m1uCItL-0000LTC@stereo.hq.phicoh.net>
References: <1C9E8ABA-4399-491B-A9F4-D9ACCB1BA72C@virtualized.org> <866409E5-0D9A-4669-8C6E-C9D1C7BDAA21@dnss.ec> <SA1PR15MB4370BAE2BD669193DDB9AE44B38D2@SA1PR15MB4370.namprd15.prod.outlook.com> <20250502171756.5AC67C762C3C@ary.qy> <SA1PR15MB43704113DF8B19A8A5A66AD6B38D2@SA1PR15MB4370.namprd15.prod.outlook.com> <4B83E121-9562-449C-A00E-2A31894ADED0@icann.org> <m1uBDWf-0000MlC@stereo.hq.phicoh.net> <9EE8E4CC-04A3-46C7-BDDF-EF538A822AA8@virtualized.org> <m1uBHRs-0000LsC@stereo.hq.phicoh.net> <BE3A5560-740A-47A9-835B-8C8EEF2B50B9@virtualized.org> <m1uCDdk-0000LlC@stereo.hq.phicoh.net> <20250506133721.199BCC803209@ary.qy> <m1uCItL-0000LTC@stereo.hq.phicoh.net>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="us-ascii"
Message-ID-Hash: KY3F5ZNSC4MCPX2EDLYXYM5WUCA2RMLE
X-Message-ID-Hash: KY3F5ZNSC4MCPX2EDLYXYM5WUCA2RMLE
X-MailFrom: johnl@taugh.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/11V1RowE7aiK72mVuGLjzvo0RH4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Tue, 6 May 2025, Philip Homburg wrote:
> Adding an insecure delegation is a good way to tell validators that there is
> going to be an insecure zone. It is a practical mechanism that is proven to
> work.
>
> I have no clue how to design a protocol where a mobile device can attach
> to an unknown network and get (negative) trust anchors without potentially
> compromising the entire security of DNSSEC.
>
> If you have an idea what such a protocol could look like, maybe you can share
> it.

For devices that move from one network to another, probably some variety 
of TOFU, the first time you start up a device you do it on your home 
network and it fetches the anchors.  After that they don't change, or 
maybe the old key signs the new one like for root key rolls.

For devices that stay put, the same thing could work, or they could just 
believe their local cache.

I realize this is not bulletproof, but it seems less bad than, well,
there's a negative anchor at the root so anything goes.

R's,
John

v2.31.3 | Report a Bug | By Email | System Status