[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

Paul Vixie <paul@redbarn.org> Tue, 23 July 2024 19:08 UTC

From: Paul Vixie <paul@redbarn.org>
To: Tommy Jensen <Jensen.Thomas@microsoft.com>, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
Date: Tue, 23 Jul 2024 12:08:27 -0700
Message-ID: <3321551.kGzlxMrEDr@heater.srcl.tisf.net>
In-Reply-To: <DM8PR00MB1405EAB87992BDAF8F0B640F92A92@DM8PR00MB1405.namprd00.prod.outlook.com>
References: <171951314842.227.16506719010762251285@dt-datatracker-ff7f57fbb-ch6dm> <LV8PR00MB1957314D5A12E038C55B1363FAA82@LV8PR00MB1957.namprd00.prod.outlook.com> <DM8PR00MB1405EAB87992BDAF8F0B640F92A92@DM8PR00MB1405.namprd00.prod.outlook.com>
CC: "Damick, Jeffrey" <jdamick@amazon.com>, "Engskow, Matt" <mengskow@amazon.com>, Jessica Krynitsky <Jess.Krynitsky=40microsoft.com@dmarc.ietf.org>
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1O8c_4xoNOfHe5wvBzJBEAdEk1Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On Monday, July 22, 2024 5:11:23 PM PDT Jessica Krynitsky wrote:
> Thanks Ben and Erik for the comments!
> 
> Erik, yes I agree, I think we had TLS 1.3 in mind when writing the draft and
> when evaluating alternatives for this encrypted DNS scenario. I think we
> can make an edit to specify TLS 1.3 or at least post-handshake client
> authentication with TLS 1.2. It sounds like from both of these comments we
> need to spell out privacy considerations in more detail.
> 
> ...

Making TLS 1.2 available as a fallback is vital. Many secure private edge 
networks will never allow TLS 1.3 because of ECH. Think government, military, 
corporate. The moment we explicitly disallowed fallback, these networks would 
be forced into explicit edge proxies with private keys. I think that's an 
outcome worth avoiding.

So, +1 to the above.

-- 
P Vixie
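The TLS 1.2 fallback for client-authenticated encrypted DNS discussed in this thread, as an added Go example that is not code from the thread or from draft-tjjk-cared: a resolver that requires and verifies a client certificate completes a mutual handshake once with TLS 1.3 allowed and once capped at TLS 1.2, using handshake-time client certificate authentication in both cases. The self-signed certificates and the names resolver.example and client.example are constructed for the example; ECH is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed cert (constructed for this example) that is its own CA.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// MutualHandshake runs an in-memory mTLS handshake with a resolver that requires and verifies a client
// cert, capped at maxVersion (tls.VersionTLS12 models a network that blocks 1.3); it returns the
// negotiated version and whether the resolver verified the client's certificate chain.
func MutualHandshake(maxVersion uint16) (uint16, bool, error) {
	srvCert, srvPool := selfSigned("resolver.example")
	cliCert, cliPool := selfSigned("client.example")
	srv := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: cliPool, ClientAuth: tls.RequireAndVerifyClientCert,
		SessionTicketsDisabled: true, MinVersion: tls.VersionTLS12, MaxVersion: maxVersion}
	cli := &tls.Config{Certificates: []tls.Certificate{cliCert}, RootCAs: srvPool, ServerName: "resolver.example"}
	a, b := net.Pipe()
	defer a.Close() // unblocks the client goroutine's drain Read once we return
	sc, cc := tls.Server(a, srv), tls.Client(b, cli)
	go func() { // client drives its side, then drains so a late server alert never blocks the pipe
		if cc.Handshake() == nil {
			cc.Read(make([]byte, 1))
		}
	}()
	if err := sc.Handshake(); err != nil { // the resolver's verdict is authoritative
		return 0, false, err
	}
	st := sc.ConnectionState()
	return st.Version, len(st.VerifiedChains) > 0, nil
}
```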