Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-02.txt
"Wessels, Duane" <dwessels@verisign.com> Tue, 30 August 2016 14:34 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CF5212D6AB for <dnsop@ietfa.amsl.com>; Tue, 30 Aug 2016 07:34:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GcoeA5K0-L2Q for <dnsop@ietfa.amsl.com>; Tue, 30 Aug 2016 07:34:06 -0700 (PDT)
Received: from mail-oi0-x261.google.com (mail-oi0-x261.google.com [IPv6:2607:f8b0:4003:c06::261]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13A9612D555 for <dnsop@ietf.org>; Tue, 30 Aug 2016 07:31:40 -0700 (PDT)
Received: by mail-oi0-x261.google.com with SMTP id 124so1298845oie.1 for <dnsop@ietf.org>; Tue, 30 Aug 2016 07:31:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version; bh=9QminsTfNNCGVNhtt2MistlVYzdPuL8NoOYsGaEpVeQ=; b=RhWqNZfXc/fbNBrVg0o1YqvjrmThY35+cFYUATe6YofUgmXFSQOikF7ID4UU//teWb PIgpnVgJ5SU+RXyFcp07/YYyY6Kp3s+hyc8Zj8VPGIvZJ2Tn0talkjujeyIsCF3UR0nZ fiWAC35DMPFAHQjHZcpTTot3fR8A/No1JY60/QUx7mbQv46zF8CkTcDgZBMRILmstxvM rXZmLhH2Fd+lPYZPlw9TNGp9gvHIXie1KgjnGKJqPzXFmw2YCV8tJRUqv+AP3tq1QB5y xpd6Wy/EEzetp8+h9cnKpzSyp2dyKOj2iXQ7swH2pnFEc8toMYZUcL0F3xGUN3M4hMvJ t82Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:mime-version; bh=9QminsTfNNCGVNhtt2MistlVYzdPuL8NoOYsGaEpVeQ=; b=jOeRrWt12//lAXPlpRxQHMGrr0o2ccjXXA/nAhpqCp8cxF5bA5HbKfw2jUZJNg4UJ2 o2SaFTzTdbgW/ouh4gEbBjzSFclbrj6g2k4s4lCARQamITdi3PEQ7FQmMAHAVmd4ubXr BlCfupA/3JW9lUFkGmcPnLBpA+nl8L69Zw0jf4cV4JKDP+6vtEFicsbwmgJL+5lcoYP+ FJOiFtmNtU85aB6NxJAqyDWgtOudWhUfvip0zHCHbJab/F8PKDQWTOeFTU1lxFS2yF+w dGEb9bqFmtWO1Dij8HOoBqGa8Hkk7avapOaQQy3oEGLcG9uZVDJ8BMJHPTqjGK6bQtpk t2+Q==
X-Gm-Message-State: AE9vXwNMpOlPYAnautFq8O7woP5O39hAk8MRdoNM0+6jIpxoO7dOLPcSDmpuZVTvbuLn7Zl160Kv9N0PIWHQgcsh7J36Y0Pp
X-Received: by 10.55.104.150 with SMTP id d144mr4491321qkc.163.1472567498582; Tue, 30 Aug 2016 07:31:38 -0700 (PDT)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id o186sm4125604qkf.3.2016.08.30.07.31.38 (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 30 Aug 2016 07:31:38 -0700 (PDT)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02 [10.173.152.206]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id u7UEVb99015359 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 30 Aug 2016 10:31:37 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Tue, 30 Aug 2016 10:31:36 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Shane Kerr <shane@time-travellers.org>
Thread-Topic: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-02.txt
Thread-Index: AQHSAoxOf3wp2taooUiC3EzJKwzotqBh1FmA
Date: Tue, 30 Aug 2016 14:31:35 +0000
Message-ID: <3D28EE82-50F5-4320-B3FB-EB889BCFE6F7@verisign.com>
References: <20160708223044.32131.72663.idtracker@ietfa.amsl.com> <8FD4B2FF-9E51-4FF3-829A-1D4D7CFAB19E@vpnc.org> <9E342C42-7649-4776-BA22-DF9F5A84654A@vpnc.org> <20160830150029.512e1ce5@pallas.home.time-travellers.org>
In-Reply-To: <20160830150029.512e1ce5@pallas.home.time-travellers.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-pgp-agent: GPGMail
x-originating-ip: [10.173.152.4]
Content-Type: multipart/signed; boundary="Apple-Mail=_F7EF8588-4D80-4638-98FE-1B973681EF58"; protocol="application/pgp-signature"; micalg="pgp-sha256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GIhHTOHsLloceBN7QLwWyYs6wD4>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2016 14:34:16 -0000
> On Aug 30, 2016, at 12:00 AM, Shane Kerr <shane@time-travellers.org> wrote: > > Paul, > > At 2016-08-10 16:54:39 -0700 > "Paul Hoffman" <paul.hoffman@vpnc.org> wrote: > >> [[ A month later, we're still eager to hear responses to the draft. We >> got a few that we have incorporated for a new version, but want to be >> sure we're on the right track before we move ahead. ]] > > I'm back from vacation and catching up on old mail. I decided to go > through this draft instead of finishing that. ;) > > > I have a couple questions about the Key Tag Query. (Apologies if these > have been discussed already - I do remember some mention of the first > question in a meeting so maybe it has been discussed and discarded.) > > First, can we please just use the decimal version of the Key Tag > values? As an operator it sure is easier to be able to cut & paste from > a log instead of having to use "bc" or Python to convert from the hex > to the value that is actually in all of my configuration files > everywhere. I have a weak preference for the hex format because IMO it adds some structure to the message that helps differentiate real signal from noise. For example I think it is useful to know that "_ta-0033" is a well-formatted key tag query, but "_ta-33" is not. I'm not sure about the bc/python argument because I would expect this to be generally built in to the name server software, and I don't feel that adding an awk/bc/python one-liner to a shell script to be all the burdensome. > > Second, the easiest way for a querier to use this might be to set up a > cron job that grabs the anchor information out of a configuration file > and sends it via "dig". That doesn't require any support from any > software beyond what I have today, but it doesn't match the idea of > sending it at the same time as a DNSKEY query. I suggested tying it to the DNSKEY query for a couple of reasons: (1) thats how it works when conveyed by EDNS; (2) it provides a consistent interval across all implementations and gives the zone operator some control over how often to receive key tag data. > > Finally, the security concerns section got me to thinking about ways to > send the trust anchor information in an encrypted way. I don't see an > easy way to do this in the DNS itself, but we could use HTTPS for this. > A zone could add a RR something like: > > _dns-trust-anchor-reporting._tcp.$ZONE. $TTL IN SRV 0 1 443 an.example > > Then a resolver could use a RESTful query like: > > https://an.example/$ZONE/$SRVID/keytag1,keytag2,keytag3 > > If we really wanted to keep it in DNS do something similar but submit a > DNS over TLS query instead. Maybe: > > _dns_trust_anchor_reporting._tcp.$ZONE. $TTL IN SRV 0 1 853 an.example > > Then the resolver could use the Key Tag query. This also has a slight > advantage of only reporting information to trust anchor operators who > plan on doing something with the data. It does require DNS over TLS > support though.... This seems like too much complexity to me. DW
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Bob Harold
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Paul Hoffman
- [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… 神明達哉
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… tjw ietf
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Wessels, Duane
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… 神明達哉
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Shane Kerr
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Wessels, Duane