[DNSOP] Fwd: New Version Notification for draft-dickson-dnsop-glueless-01.txt

Brian Dickson <brian.peter.dickson@gmail.com> Sat, 18 September 2021 03:36 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 567BA3A24E8 for <dnsop@ietfa.amsl.com>; Fri, 17 Sep 2021 20:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nrWTAuFumXP7 for <dnsop@ietfa.amsl.com>; Fri, 17 Sep 2021 20:36:13 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C15323A24E7 for <dnsop@ietf.org>; Fri, 17 Sep 2021 20:36:12 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id b15so22588941lfe.7 for <dnsop@ietf.org>; Fri, 17 Sep 2021 20:36:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=56WO1gmMMvaIMfX6umDe1G5xwkeTOVpemEUkuf3TTDY=; b=GpLIVmt6euQ8wkaTDahx+G/A2Hb75G7NpRD/MinHK3gLADG/xdSZ05IC4g4p6HW4YS Z3pXOgQdHUP/KXkGlLjAxuk+EX5YI78Zpt2xwP4hSBTgUB+upeBKRzUMuVgq1F5AtD+o QqiqUL/0GusQRO55evApsyb/8lR+XDRV3AzL4jxmpr8USUpl/JN+c0ES1PKJXbdiCB/X qxRkcLJ+ILSD9NgN6jIvCmZ+34KIsYODCUNbRtbpy9mnrtBxFq+mShG0KFTYUGaJTe4b 2nLVDSNSHgKcYKSrwPn6Z1tMuHWPuTazXX8ZNb8M35YDW9t7sDy/Taof9CGIX0Gk04Pq ZHRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=56WO1gmMMvaIMfX6umDe1G5xwkeTOVpemEUkuf3TTDY=; b=Z/RcxNcm2mX0EC80B+JbxrPdaVbcHexdKua+13hwFYgk+NWYnbDIcttBLQ/GlY4tS9 dcPTFbU+P+rxmTVuN3DygYf5Gp5KRFt8CODAvRjFG43VhUvzu2AkUDNjzP6xKa5o+g2Q ywVDVKOi4KpOBHPy70ZwJWHzyRhPYst+4akTg1bJRwFmvjPqtB3IfqCirMiiaeaU97K9 lP9kePaOKZ/52vGnRMLRPCQioLAsIO8oTeP9sRlig6mvup+ieZcX5Rls7wLcoDxdlDwm ebZztg7kB/GXGI0JSs/DFPaDtdLowaeLEyfIWQrNr1S+hLUK1ysPZNWJh1kEDBjxsV3S gl/Q==
X-Gm-Message-State: AOAM531wvJNjkJ+jmLgBzOyx8bi0JC0hgQ+YfjNiKwTCqARjKX/cPY8w qVfwBdQN53vhAEXhMJ2adRLrII5gXAQ7+wyXXp/5X7eigGg=
X-Google-Smtp-Source: ABdhPJwtWDfQQAKzpWJ0A0kO6eGP6HAubweXPqDeqtFnzDg5MzSy136zSAsNlLiHK0n8FSW4DmLoDo2Tu5DuaZJP2NQ=
X-Received: by 2002:a2e:a7cf:: with SMTP id x15mr12026648ljp.100.1631936170134; Fri, 17 Sep 2021 20:36:10 -0700 (PDT)
MIME-Version: 1.0
References: <163191001230.11500.9444507737132893884@ietfa.amsl.com>
In-Reply-To: <163191001230.11500.9444507737132893884@ietfa.amsl.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 17 Sep 2021 20:35:59 -0700
Message-ID: <CAH1iCiq-x1RirV_78AjBh565p6=HdxmkAjfXP6F4dRh_oQ3mwQ@mail.gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b7924f05cc3cbfe7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/14Sgt8FXKewLJGgIKKaM8Osthv8>
Subject: [DNSOP] Fwd: New Version Notification for draft-dickson-dnsop-glueless-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Sep 2021 03:36:18 -0000

Hi, DNSOP folks,
I have been working on the "unsigned glue record"  problem (and related
"unsigned NS record" problem).

This draft is mostly informational, and does not actually require any
protocol changes.
It might even be worth making a BCP, but I'll leave that up to the WG to
decide.

I think this is relatively widely applicable, even though it was originally
motivated by a problem that needed to be solved within DPRIVE.
(That problem is the subject of a draft I will be posting in DPRIVE, for
those interested.)

I think it's fairly straightforward, but it is difficult to tell without
getting feedback, so please let me know what you think.

Brian Dickson

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Fri, Sep 17, 2021 at 1:20 PM
Subject: New Version Notification for draft-dickson-dnsop-glueless-01.txt
To: Brian Dickson <brian.peter.dickson@gmail.com>



A new version of I-D, draft-dickson-dnsop-glueless-01.txt
has been successfully submitted by Brian Dickson and posted to the
IETF repository.

Name:           draft-dickson-dnsop-glueless
Revision:       01
Title:          Operating a Glueless DNS Authority Server
Document date:  2021-09-17
Group:          Individual Submission
Pages:          7
URL:
https://www.ietf.org/archive/id/draft-dickson-dnsop-glueless-01.txt
Status:
https://datatracker.ietf.org/doc/draft-dickson-dnsop-glueless/
Html:
https://www.ietf.org/archive/id/draft-dickson-dnsop-glueless-01.html
Htmlized:
https://datatracker.ietf.org/doc/html/draft-dickson-dnsop-glueless
Diff:
https://www.ietf.org/rfcdiff?url2=draft-dickson-dnsop-glueless-01

Abstract:
   This Internet Draft proposes a method for protecting authority
   servers against MITM and poisoning attacks, using a domain naming
   strategy to not require glue A/AAAA records and use of DNSSEC.

   This technique assumes the use of validating resolvers.

   MITM and poisoning attacks should only be effective/possible against
   unsigned domains.

   However, until all domains are signed, this guidance is relevant, in
   that it can limit the attack surface of unsigned domains.

   This guidance should be combined with [I-D.dickson-dnsop-ds-hack]




The IETF Secretariat