Re: [DNSOP] Privacy and DNSSEC
Shumon Huque <shuque@gmail.com> Wed, 29 April 2020 13:44 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB6373A0FD2 for <dnsop@ietfa.amsl.com>; Wed, 29 Apr 2020 06:44:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jMSw4oDW6mE for <dnsop@ietfa.amsl.com>; Wed, 29 Apr 2020 06:44:40 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6855B3A1019 for <dnsop@ietf.org>; Wed, 29 Apr 2020 06:44:26 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id n17so1590077ejh.7 for <dnsop@ietf.org>; Wed, 29 Apr 2020 06:44:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=T5W+zaG+1c85Ghysl5iDxjNxh0E3x08ieMJeUW4kZFk=; b=E5POCoiK0+CmnHPhxC20IDGwrjOBUWMgTHUqtTjN2CT0d+D/Lp5yUu+R3cnxK/ifmn Pndv27K2sY9sUcfojQXNRiwQG/3uy7V4YF/n8emvxOHilenmtTAOH/dRMNp+qs4tVrpv ooEiogxwGb3sG/o8oDbaXO04PSzFSVPVAKUhDMLdMEMl6uZ5nKTW8knqnFhB+vHL6lyl dKZis49PAjDPPLQ74dNLcIZVySD+eAcjLydcyoxvOF9f75TICRaj9RX5v/33dKwYFOly sf0sxEfcHqOzpLMqWtDv16GEkKCU0z8Tvy3XabvWN2ItZJLTHF0TdtxLd9MUvm3Oqhz1 0xtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=T5W+zaG+1c85Ghysl5iDxjNxh0E3x08ieMJeUW4kZFk=; b=bXwmT58ISKy1UWfJhRr4vNCMUW/iWVeyilOZF07WeZjhBfxMNNcDjEtWB5vXFMdt+n YcwAYMofhqdN/ceXeBmbF7ZKjj0rV5aboXxSFP4TXo8f3lDnuAU7ZlI3QCZIqATgXFG2 FPgPjzDyagAmPjA8UHAcpk3h5kjQikNNuRw7dTTf+NjeE/0NGxQydsVGvPt2pYMW+GV0 8lwV5Aem9dtmne2vDgNTRWUwPP0Xh/p8rQvNP0RlxQQIum1JCm9LiHDxbgoMjowHJslG NMAbVg3pxt8x59WTnhJNT32GndAu14PICL++Stnsd1OTgste/hNAEuKAY8yLifFwILuq xRCw==
X-Gm-Message-State: AGi0PuYXeJmG/lt23HLOgTqEejeAkZukBM1ysbPESsn9eNYjBCrKh8jF J1/a01raG+XX1/EHb/zMVOaALPSjedJBGDxZsyU=
X-Google-Smtp-Source: APiQypKdjT0CDxmi2v7wQpEoketIQ9urYGA5NXI4HzLAFDJUYjJkmsIS/WPID4pGrc/t4XrKqCu9CV14YjkFw/j0U9Y=
X-Received: by 2002:a17:906:3584:: with SMTP id o4mr2741908ejb.70.1588167864842; Wed, 29 Apr 2020 06:44:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <18685549.zqRq8fnmLB@linux-9daj> <CAHPuVdXBaBG27v2hyD1bpp+9YxC5BvTjL5ojqXw7yc17Ufpk7A@mail.gmail.com> <21757930.7KVZAQyxnt@linux-9daj>
In-Reply-To: <21757930.7KVZAQyxnt@linux-9daj>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 29 Apr 2020 09:44:12 -0400
Message-ID: <CAHPuVdWoWUmYCfx3mv1J9iiDmMzV=YCytsn8xwSf_u_nOUmj4g@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006d7e1605a46e252f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/On4wJtfw_YGbTH8PddVXYoB5V3I>
Subject: Re: [DNSOP] Privacy and DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 13:44:44 -0000
On Wed, Apr 29, 2020 at 12:49 AM Paul Vixie <paul@redbarn.org> wrote: > On Wednesday, 29 April 2020 01:17:04 UTC Shumon Huque wrote: > > ... > > > > Paul - I guess I'm missing some background here. In what sense did > > getting DS working throw validating stubs overboard? Do you mean it > > took the focus away from them? > > no. i mean that the decision to require a "clear path" for DNSSEC meant > that > no DNSSEC-dependent application has ever received investment. for example, > DANE is interesting in the SMTP market because that's small and geeky, but > will never be adopted by the Web because there are too many endpoints who > cannot do stub validation and too many who will never be able to. > Ah, thanks for clarifying. In that case, I would not characterize this as "DS throwing stubs under the bus", but just as a more general challenge with DNSSEC. A validating stub needs to not only have a clean path to issue and obtain DS responses from an upstream RDNS, but more generally, also be able to issue CD=1, EDNS/DO=1, queries for arbitrary record types including, critically DNSKEY. If any of this is blocked by a middlebox, there will be a problem. This is by no means a problem unique to DNSSEC. Many new protocol features have and continue to face the middlebox challenge: SCTP, TCP fast open, multi- path TCP, QUIC, TLS 1.3 etc. Some have developed workarounds with varying degrees of success, some like SCTP have more less died. The web has the advantage (in my opinion) that a small number of browsers are able to impose changes on the middlebox ecosystem in a way that the DNS will never be able to. I certainly agree that the clean path issue is a big impediment for something like DANE. I don't think I want to repeat the long and contentious history of the TLS DNSSEC chain extension effort which was designed to address this for the Web, but you can read my take on it here if you're bored: https://blog.apnic.net/2019/07/05/whither-dane/ As I mentioned in a previous note, DNS over HTTPS (however one might feel about current deployment models and such), can probably provide the clean path that end user applications of DANE need. Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Mark Andrews
- [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Bob Harold
- Re: [DNSOP] New draft on delegation revalidation Tim Wicinski
- Re: [DNSOP] New draft on delegation revalidation Brian Dickson
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
- Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation John Levine
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Puneet Sood
- Re: [DNSOP] New draft on delegation revalidation Ólafur Guðmundsson
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation John R Levine
- Re: [DNSOP] New draft on delegation revalidation Bob Harold
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Joe Abley
- Re: [DNSOP] New draft on delegation revalidation Vladimír Čunát
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Vladimír Čunát
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Masataka Ohta
- Re: [DNSOP] Privacy and DNSSEC Vittorio Bertola
- Re: [DNSOP] New draft on delegation revalidation Joe Abley
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- [DNSOP] Client Validation - filtering validation? Brian Dickson
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Mark Andrews
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] Client Validation - filtering validat… Vittorio Bertola
- Re: [DNSOP] Client Validation - filtering validat… Paul Wouters
- Re: [DNSOP] Client Validation - filtering validat… S Moonesamy
- Re: [DNSOP] Client Validation - filtering validat… John Levine
- Re: [DNSOP] Client Validation - filtering validat… Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Paul Wouters
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Daniel Migault
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Daniel Migault
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Petr Špaček
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Petr Špaček
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie