Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS

Tony Finch <dot@dotat.at> Sat, 15 February 2014 17:24 UTC

Date: Sat, 15 Feb 2014 17:23:57 +0000
From: Tony Finch <dot@dotat.at>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
In-Reply-To: <20140215165256.GA21498@sources.org>
Message-ID: <alpine.LSU.2.00.1402151714050.15381@hermes-1.csi.cam.ac.uk>
References: <CAESS1RPh+UK+r=JzZ9nE_DUqcvNtZiS6TNt1CDN-C0uiU7HP=A@mail.gmail.com> <alpine.LSU.2.00.1402151448290.15381@hermes-1.csi.cam.ac.uk> <20140215165256.GA21498@sources.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/4ZjvQRAZi8wpEliyYh2UtGdlJV4
Cc: dnsop@ietf.org, perpass@ietf.org, Zi Hu <zihu@usc.edu>
Subject: Re: [DNSOP] draft-hzhwm-start-tls-for-dns-00: Starting TLS over DNS

Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:

> On Sat, Feb 15, 2014 at 03:40:48PM +0000,
>  Tony Finch <dot@dotat.at> wrote
>  a message of 84 lines which said:
>
> > A DANE-like approach might work for authoritative servers.
>
> It is mentioned in the draft but it raises an interesting
> chicken-and-egg problem when you want to secure DNS with info found in
> the DNS.

Very interesting :-)

The resolver needs to find out that an auth server supports TLS before it
sends a query. This implies that the information needs to be part of the
referral. It would be wrong to shoe-horn it into the DS RRset (e.g. by
adding semantics to one of the algorithm fields) since DS records relate
to the zone not to the name servers. So it should go into the NS RRset -
but referral NS records aren't signed!

Maybe the resolver could go and ask elsewhere. This could be quite
plausible for out-of-zone name servers, but it does not help for in-zone
server names. Or use the reverse DNS?

No palatable options that I can see :-/

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Malin, Hebrides, Bailey: Northwest 7 to severe gale 9 decreasing 4 or 5,
occasionally variable 3 later. Very rough or high, becoming rough later.
Showers, squally at first. Moderate or poor becoming good.
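
The shape of the referral discussed in the message above, as an added example that is not part of the original e-mail or the draft: it parses a constructed DNSSEC referral and reports which RRsets carry an RRSIG, then splits the NS targets into in-zone and out-of-zone names. The zone example.org, all server names, addresses and record data are constructed for illustration.

```python
# Constructed referral for the hypothetical zone "example.org." as a parent
# server would return it with DNSSEC enabled (dig-style text, RDATA shortened).
REFERRAL = """\
example.org.      86400 IN NS    ns1.example.org.
example.org.      86400 IN NS    ns.hosting.example.net.
example.org.      86400 IN DS    12345 8 2 ABCDEF
example.org.      86400 IN RRSIG DS 8 2 86400 20140301000000 20140201000000 4321 org. c2ln
ns1.example.org.  86400 IN A     192.0.2.53
"""


def parse_rrsets(text):
    """Group records into RRsets keyed by (owner, type); collect RRSIG coverage."""
    rrsets, covered = {}, set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, rrtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rrtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))  # first RDATA field = type covered
        else:
            rrsets.setdefault((owner, rrtype), []).append(rdata)
    return rrsets, covered


def is_signed(text, owner, rrtype):
    """True if the referral carries an RRSIG covering this RRset."""
    _, covered = parse_rrsets(text)
    return (owner.lower(), rrtype.upper()) in covered


def classify_nameservers(text, zone):
    """Split NS targets into in-zone (need glue) and out-of-zone names."""
    rrsets, _ = parse_rrsets(text)
    zone = zone.lower()
    result = {"in_zone": [], "out_of_zone": []}
    for rdata in rrsets.get((zone, "NS"), []):
        target = rdata[0].lower()
        in_zone = target == zone or target.endswith("." + zone)
        result["in_zone" if in_zone else "out_of_zone"].append(target)
    return result


if __name__ == "__main__":
    for rrtype in ("NS", "DS"):
        print(rrtype, "signed:", is_signed(REFERRAL, "example.org.", rrtype))
    print("glue A signed:", is_signed(REFERRAL, "ns1.example.org.", "A"))
    print(classify_nameservers(REFERRAL, "example.org."))
```

Only the DS RRset is covered by a signature; the delegation NS RRset and the glue address are not, so anything signalled through them reaches the resolver unauthenticated.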