IETF Logo Mail Archive

Re: [DNSOP] Privacy and DNSSEC

Shumon Huque <shuque@gmail.com> Wed, 29 April 2020 13:44 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB6373A0FD2 for <dnsop@ietfa.amsl.com>; Wed, 29 Apr 2020 06:44:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jMSw4oDW6mE for <dnsop@ietfa.amsl.com>; Wed, 29 Apr 2020 06:44:40 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6855B3A1019 for <dnsop@ietf.org>; Wed, 29 Apr 2020 06:44:26 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id n17so1590077ejh.7 for <dnsop@ietf.org>; Wed, 29 Apr 2020 06:44:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=T5W+zaG+1c85Ghysl5iDxjNxh0E3x08ieMJeUW4kZFk=; b=E5POCoiK0+CmnHPhxC20IDGwrjOBUWMgTHUqtTjN2CT0d+D/Lp5yUu+R3cnxK/ifmn Pndv27K2sY9sUcfojQXNRiwQG/3uy7V4YF/n8emvxOHilenmtTAOH/dRMNp+qs4tVrpv ooEiogxwGb3sG/o8oDbaXO04PSzFSVPVAKUhDMLdMEMl6uZ5nKTW8knqnFhB+vHL6lyl dKZis49PAjDPPLQ74dNLcIZVySD+eAcjLydcyoxvOF9f75TICRaj9RX5v/33dKwYFOly sf0sxEfcHqOzpLMqWtDv16GEkKCU0z8Tvy3XabvWN2ItZJLTHF0TdtxLd9MUvm3Oqhz1 0xtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=T5W+zaG+1c85Ghysl5iDxjNxh0E3x08ieMJeUW4kZFk=; b=bXwmT58ISKy1UWfJhRr4vNCMUW/iWVeyilOZF07WeZjhBfxMNNcDjEtWB5vXFMdt+n YcwAYMofhqdN/ceXeBmbF7ZKjj0rV5aboXxSFP4TXo8f3lDnuAU7ZlI3QCZIqATgXFG2 FPgPjzDyagAmPjA8UHAcpk3h5kjQikNNuRw7dTTf+NjeE/0NGxQydsVGvPt2pYMW+GV0 8lwV5Aem9dtmne2vDgNTRWUwPP0Xh/p8rQvNP0RlxQQIum1JCm9LiHDxbgoMjowHJslG NMAbVg3pxt8x59WTnhJNT32GndAu14PICL++Stnsd1OTgste/hNAEuKAY8yLifFwILuq xRCw==
X-Gm-Message-State: AGi0PuYXeJmG/lt23HLOgTqEejeAkZukBM1ysbPESsn9eNYjBCrKh8jF J1/a01raG+XX1/EHb/zMVOaALPSjedJBGDxZsyU=
X-Google-Smtp-Source: APiQypKdjT0CDxmi2v7wQpEoketIQ9urYGA5NXI4HzLAFDJUYjJkmsIS/WPID4pGrc/t4XrKqCu9CV14YjkFw/j0U9Y=
X-Received: by 2002:a17:906:3584:: with SMTP id o4mr2741908ejb.70.1588167864842; Wed, 29 Apr 2020 06:44:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <18685549.zqRq8fnmLB@linux-9daj> <CAHPuVdXBaBG27v2hyD1bpp+9YxC5BvTjL5ojqXw7yc17Ufpk7A@mail.gmail.com> <21757930.7KVZAQyxnt@linux-9daj>
In-Reply-To: <21757930.7KVZAQyxnt@linux-9daj>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 29 Apr 2020 09:44:12 -0400
Message-ID: <CAHPuVdWoWUmYCfx3mv1J9iiDmMzV=YCytsn8xwSf_u_nOUmj4g@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006d7e1605a46e252f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/On4wJtfw_YGbTH8PddVXYoB5V3I>
Subject: Re: [DNSOP] Privacy and DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 13:44:44 -0000

On Wed, Apr 29, 2020 at 12:49 AM Paul Vixie <paul@redbarn.org> wrote:

> On Wednesday, 29 April 2020 01:17:04 UTC Shumon Huque wrote:
> > ...
> >
> > Paul - I guess I'm missing some background here. In what sense did
> > getting DS working throw validating stubs overboard? Do you mean it
> > took the focus away from them?
>
> no. i mean that the decision to require a "clear path" for DNSSEC meant
> that
> no DNSSEC-dependent application has ever received investment. for example,
> DANE is interesting in the SMTP market because that's small and geeky, but
> will never be adopted by the Web because there are too many endpoints who
> cannot do stub validation and too many who will never be able to.
>

Ah, thanks for clarifying.

In that case, I would not characterize this as "DS throwing stubs under the
bus",
but just as a more general challenge with DNSSEC. A validating stub needs to
not only have a clean path to issue and obtain DS responses from an upstream
RDNS, but more generally, also be able to issue CD=1, EDNS/DO=1, queries
for
arbitrary record types including, critically DNSKEY. If any of this is
blocked by a
middlebox, there will be a problem.

This is by no means a problem unique to DNSSEC. Many new protocol features
have and continue to face the middlebox challenge: SCTP, TCP fast open,
multi-
path TCP, QUIC, TLS 1.3 etc. Some have developed workarounds with varying
degrees of success, some like SCTP have more less died. The web has the
advantage (in my opinion) that a small number of browsers are able to impose
changes on the middlebox ecosystem in a way that the DNS will never be able
to.

I certainly agree that the clean path issue is a big impediment for
something like
DANE. I don't think I want to repeat the long and contentious history of
the TLS
DNSSEC chain extension effort which was designed to address this for the
Web,
but you can read my take on it here if you're bored:
https://blog.apnic.net/2019/07/05/whither-dane/

As I mentioned in a previous note, DNS over HTTPS (however one might feel
about current deployment models and such), can probably provide the clean
path that end user applications of DANE need.

Shumon Huque

v2.23.0 | Report a Bug | By Email