Re: [DNSOP] Privacy and DNSSEC

Paul Vixie <paul@redbarn.org> Sat, 25 April 2020 06:56 UTC

From: Paul Vixie <paul@redbarn.org>
To: dnsop@ietf.org
Date: Sat, 25 Apr 2020 06:56:38 +0000
Message-ID: <2119709.gsHikbp680@linux-9daj>
Organization: none
In-Reply-To: <71d22908-b0a9-5f0c-585e-0d10aa3edc8a@nic.cz>
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CAHPuVdUh4UTP5pH_X83pm8OvY7juEotSYT6FLbVyE4_S-ev9Bg@mail.gmail.com> <71d22908-b0a9-5f0c-585e-0d10aa3edc8a@nic.cz>

mind if i cut in?

On Saturday, 25 April 2020 06:23:54 UTC Vladimír Čunát wrote:
> Original subject: New draft on delegation revalidation
> 
> On 4/24/20 4:49 PM, Shumon Huque wrote:
> > ...
> 
> ...

(agreeableness.)

> Still, note that for some consumers the secure transport may be an
> argument to drop validating DNSSEC themselves.  If they choose some DNS
> provider that they trust with privacy (it might be their ISP), it seems
> not a huge leap to trust them with DNS integrity as well (say, the
> provider doing DNSSEC validation).  Especially as today "regular users"
> don't get that much benefit from validation, mostly relying on
> https/tls.

i hope there's some use for DNS results beyond introducing me to an X.509 
authenticated web server. for example i might use DNS to validate an X.509 
self-signed certificate along the lines of DANE. to me this means the goal we 
followed for DNSSEC (authenticate what goes into an RDNS cache) was too 
narrow, and the difficulties of getting stub validation working should have 
been avoided from the outset (in 1996, that was.)

> Some of them also want a variant of DNS filtering, which
> still clashes with validation a bit (if done *after* filtering).

it will be necessary for filtered results to be separately (hop by hop) signed 
using something like SIG(0) or TSIG. (stubs ought to choose who can filter.) 
but this isn't a substitute for stub validation (end to end). one ought not 
trust a coffee shop or even one's own ISP to make a trusted introduction to 
one's bank (more or less quoting dan kaminsky from back in 2008 or so.)

-- 
Paul