Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-refer-00.txt
Paul Wouters <paul@nohats.ca> Fri, 12 February 2021 20:37 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 761623A0E18 for <dnsop@ietfa.amsl.com>; Fri, 12 Feb 2021 12:37:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwehg554vbZO for <dnsop@ietfa.amsl.com>; Fri, 12 Feb 2021 12:37:15 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81A4F3A0E15 for <dnsop@ietf.org>; Fri, 12 Feb 2021 12:37:14 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4DclfZ2svVz3dN; Fri, 12 Feb 2021 21:37:10 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1613162230; bh=7xwa8gM7QD0FxQe/XMFqYeYWrLqhrgNANeNN0YfIYOc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=iuwa/eq42P8G0Z9cBZie89PhQwpxXnUCcNFmwGZ4121NEIxTGqFn1YaHtztizGKrE n/U5TYvpRMOJRnFd58MfXWk5iMB95Gp1akP+2LaMBlXcYUrguD+GoC21IoLe6hhe3N 3zMRRghRXosCvonLGB0U6UZaFlt17OIQI1kKzTIo=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id qjHqUsEf92XY; Fri, 12 Feb 2021 21:37:09 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 12 Feb 2021 21:37:08 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id AB40F6029B62; Fri, 12 Feb 2021 15:37:07 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id A2C8166B1E; Fri, 12 Feb 2021 15:37:07 -0500 (EST)
Date: Fri, 12 Feb 2021 15:37:07 -0500
From: Paul Wouters <paul@nohats.ca>
To: Joe Abley <jabley@hopcount.ca>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <A4EE4B99-A7F7-452E-9E3E-10277D15837A@hopcount.ca>
Message-ID: <af970f4-1b14-d2b2-8e45-ecb25d9e635f@nohats.ca>
References: <161314515808.27869.12735398190429691375@ietfa.amsl.com> <A4EE4B99-A7F7-452E-9E3E-10277D15837A@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JNQgp2IBzSXSEVRI5rh5TZ-ECrw>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-refer-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 20:37:17 -0000
On Fri, 12 Feb 2021, Joe Abley wrote: > I have discovered that without liberal access to bars and hallways at in-person IETF meetings, I no longer know how to tell the difference > between ambition and insanity when it comes to technical proposals. I am quite prepared to find out that in this case the needle is at the crazy > end of the scale. So I think execsum is, REFER is like NS for client, but signed like DS. What does that buy us. A MITM can't forge the NS to trick a validator to a dead end (presuming a DS protects them from actual bogus data) That is the same gain from getting TLS to AUTH servers. But REFER works without needing transport security. For everyone else downstream of the validating resolver, they ofcourse can already be given DS plus child-side (signed) NS records. And this solution would still be missing a pubkey that can be used to encrypt the connection to the delegated child zone nameservers. Seeing how things would likely misimplement REFER, or run into issues because it gets semi supported through generic records and just flies along the wrong side of the zone cut, I'd say the dangers of this do not outweigh the gains. If we do something drastic like this, at least provide not only the validatable child NS records, also provide whatever is needed to setup a fully encrypted connetion to the child's nameserver's so we can get a fully private query chain with no leaks. Paul
- [DNSOP] Fwd: New Version Notification for draft-j… Joe Abley
- Re: [DNSOP] Fwd: New Version Notification for dra… Ben Schwartz
- Re: [DNSOP] Fwd: New Version Notification for dra… Brian Dickson
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] New Version Notification for draft-ja… Joe Abley
- Re: [DNSOP] New Version Notification for draft-ja… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-ja… Joe Abley