Re: [DNSOP] CNSRRSIG (was: Re: [Ext] draft-fujiwara-dnsop-delegation-information-signer))

Paul Hoffman <paul.hoffman@icann.org> Fri, 11 December 2020 00:25 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Mark Andrews <marka@isc.org>, Joe Abley <jabley@hopcount.ca>
CC: dnsop <dnsop@ietf.org>
Date: Fri, 11 Dec 2020 00:25:03 +0000
Message-ID: <F3CB048D-F6DB-46D7-A151-E9526FA51F47@icann.org>
In-Reply-To: <562CA1C5-A86A-43D6-84A5-B86F3469D005@isc.org>

On Dec 10, 2020, at 4:14 PM, Mark Andrews <marka@isc.org> wrote:
> 
> Before going on I would really like to know what operational problem is being
> attempted to be solved by signing delegating information?
> 
> Fujiwara-san has presented the draft without specifying what problem it is
> attempting to solve.  The fact the records are not signed is an observation
> not a problem per se.

Asking for stated use cases! Yay!

In DPRIVE, there is a desire to use TLSA records to authenticate authoritative servers. In order to do that without getting into a chicken-and-egg loop, the parent needs to authenticate the NS records of the child authoritative server.

If child NS records were already signed in the parent, that solves this use case. They aren't, so we're thinking of ways to authenticate child NS records from the parent.

--Paul Hoffman
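To make the dependency in the DPRIVE use case concrete, here is a small model of the bootstrap problem, added as an example; it is not code from the draft or from anyone on the list. The zone names, the `_853._tcp` TLSA owner used for DNS-over-TLS, and the `parent_signs_child_ns` switch (standing in for the draft's idea of signing delegation information) are assumptions, and the digests are placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class RRset:
    rdata: tuple
    signed: bool  # an RRSIG covering this RRset exists in this zone

@dataclass
class Zone:
    name: str
    rrsets: dict = field(default_factory=dict)

    def add(self, owner, rtype, rdata, signed):
        self.rrsets[(owner, rtype)] = RRset(tuple(rdata), signed)

    def get(self, owner, rtype):
        return self.rrsets.get((owner, rtype))

def build_zones(parent_signs_child_ns):
    """Constructed parent/child zones (hypothetical names, placeholder digests).
    parent_signs_child_ns models the draft's idea of signing delegation NS."""
    parent = Zone("example.")
    parent.add("child.example.", "DS", ["12345 13 2 <digest>"], signed=True)
    # Per RFC 4035 the delegation NS set at the parent is NOT signed today.
    parent.add("child.example.", "NS", ["ns1.child.example."], signed=parent_signs_child_ns)
    parent.add("ns1.child.example.", "A", ["192.0.2.1"], signed=False)  # glue
    child = Zone("child.example.")
    child.add("child.example.", "NS", ["ns1.child.example."], signed=True)
    child.add("_853._tcp.ns1.child.example.", "TLSA", ["3 1 1 <pubkey-hash>"], signed=True)
    return parent, child

def ns_names_authenticated_before_contact(parent, child_name):
    """Only parent-held data is available before the resolver picks a child
    server to contact; the child's own signed NS set cannot bootstrap itself."""
    ns = parent.get(child_name, "NS")
    return ns is not None and ns.signed

def tlsa_bootstrap_possible(parent, child, child_name):
    """A TLSA lookup for a server name only authenticates the server the
    resolver was told about; if that name came from an unsigned NS set, an
    altered delegation could name a different server with its own valid TLSA."""
    if not ns_names_authenticated_before_contact(parent, child_name):
        return False
    for server in parent.get(child_name, "NS").rdata:
        tlsa = child.get(f"_853._tcp.{server}", "TLSA")
        if tlsa is None or not tlsa.signed:
            return False
    return True
```

With today's DNSSEC (`parent_signs_child_ns=False`) the chain cannot be closed even though every record in the child zone is signed; flipping the switch is the only change that lets the resolver trust the server name before contacting it.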