IETF Logo Mail Archive

Re: [DNSOP] proposal: Covert in-band zone data

Witold Krecicki <wpk@isc.org> Sat, 06 July 2019 23:59 UTC

Return-Path: <wpk@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF81A120105 for <dnsop@ietfa.amsl.com>; Sat, 6 Jul 2019 16:59:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eIGmbimfTe7p for <dnsop@ietfa.amsl.com>; Sat, 6 Jul 2019 16:59:54 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C91F1200FD for <dnsop@ietf.org>; Sat, 6 Jul 2019 16:59:54 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 22A753AB005; Sat, 6 Jul 2019 23:59:53 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id F057B160055; Sat, 6 Jul 2019 23:59:52 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id DAF13160068; Sat, 6 Jul 2019 23:59:52 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id OR-dVHJqzktU; Sat, 6 Jul 2019 23:59:52 +0000 (UTC)
Received: from [192.168.69.142] (unknown [31.179.189.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 217FD160055; Sat, 6 Jul 2019 23:59:51 +0000 (UTC)
To: Joe Abley <jabley@hopcount.ca>
Cc: dnsop@ietf.org
References: <20190706213024.GA56650@isc.org> <CAJhMdTMwCiAS+S_j-i3BXPZ=G1zVhAq+YKH07RsDWRgezPhejg@mail.gmail.com> <caa695e7-21e6-9c41-1814-1f4c1d64df7f@isc.org> <CAJhMdTPK3iqg4sF0Kr+jGAXTf2MZ8FAP0DgwQw1kVBHa65wTNA@mail.gmail.com> <191886397.1948062.1562455685612.JavaMail.zimbra@isc.org> <CAJhMdTNvO=TjNUV=6wHwLJB_c+tqwk4zY24jGbi5a0SqdSUsag@mail.gmail.com>
From: Witold Krecicki <wpk@isc.org>
Message-ID: <561203a3-7fd9-94cc-5b13-3639b123f8e2@isc.org>
Date: Sun, 07 Jul 2019 01:59:50 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <CAJhMdTNvO=TjNUV=6wHwLJB_c+tqwk4zY24jGbi5a0SqdSUsag@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PIqSKwkF5ZRa-MDrl7lsqR5FLG8>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jul 2019 23:59:56 -0000

W dniu 07.07.2019 o 01:46, Joe Abley pisze:
> On Jul 6, 2019, at 19:28, Witold Krecicki <wpk@isc.org> wrote:
> 
>> Exactly - while the things you mentioned are configuration options that
>> are 'human generated', the ZSK rollover should be, in the ideal case,
>> something that happens automatically, without any human intervention.
> 
> It wouldn't necessarily be harmful to be able to update those other
> things automatically, too. Things like master servers and NOTIFY
> targets perhaps change less frequently or predictably than a ZSK, but
> in times of emergency all could benefit from a well-designed,
> automated and secure mechanism to handle changes.
> 
> TSIG secrets are rarely rolled in practice, in my experience, and
> being able to improve upon that also seems useful.
> 
> I still wonder whether what you're proposing really only solves one of
> a wider set of problems, and whether doing it in the DNS really makes
> sense. Perhaps a standardised, out-of-band provisioning protocol would
> be better.
> 
> We might have a need to exchange some other kind of metadata between
> authoritative servers for a zone in the future, eg relating to secure
> transports or privacy. The idea of being able to provide a general
> solution to solve future such problems seems attractive.
> But why put it out-of-band when it can be in-band? This draft is just an
'umbrella' - you can put whatever you want there, and you can be sure it
won't be leaked. There can be a special RR type for master servers - in
COVERT range, there can be a special RR type for TSIG keys - in COVERT
range. It can be used for any type of metadata.
Note: I'm considering adding a 'private' covert range, for
implementation-specific things (just like we have a general 'private' RR
types range).

-- 
Witold

v2.23.0 | Report a Bug | By Email