Re: [DNSOP] new Resource record?
"Hosnieh Rafiee" <ietf@rozanak.com> Fri, 18 December 2015 16:45 UTC
From: Hosnieh Rafiee <ietf@rozanak.com>
To: dnsop@ietf.org
References: <005a01d132bf$b8d31a80$2a794f80$@rozanak.com> <BAF07397-13A0-4E46-AD61-8D5341FBE160@puck.nether.net> <D28EEA44.11EBA%edward.lewis@icann.org> <017401d1338d$3ceb8b90$b6c2a2b0$@rozanak.com> <20151211195750.GR11836@mournblade.imrryr.org>
In-Reply-To: <20151211195750.GR11836@mournblade.imrryr.org>
Date: Fri, 18 Dec 2015 17:44:49 +0100
Message-ID: <002501d139b3$6993fb10$3cbbf130$@rozanak.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/WQ0ErRj90tlOW-BR5NxoHNG5tkM>
Subject: Re: [DNSOP] new Resource record?
Hi Viktor,

Thanks a lot for your response and sorry for the delayed reply.

> On Thu, Dec 10, 2015 at 09:56:26PM +0100, Hosnieh Rafiee wrote:
>
> > > Second, from the quick description, I don't quite understand what
> > > you want to solve. Not complaining, but in preparing to ask for a
> > > new type, the use case might need to be clearer.
> >
> > Authentication and authorization in multi-tenancy environment where it
> > is based on certificates and TLS and not giving direct access to
> > resource policy that belongs to the owner of infrastructure while at
> > the same time giving flexibility to each tenant to delegate all or a
> > part of its resources to third party.
>
> This is still much too vague. Is the goal here to turn DNS into something akin to
> "Active Directory"? Perhaps a better design is to use DNS primarily for cross-
> organizational key management (solving the "introduction" problem), and to
> leave more fine-grained security policy storage to dedicated services such as
> Kerberos, ... There've been mutterings of facilitating cross-realm Kerberos via
> DANE, thus avoiding the need for manual pairwise shared keys.

The purpose is to reduce dependency on other services such as Active Directory, etc. Since DNS is widely used in most infrastructures to provide the mapping of names to IP addresses for many devices, it is beneficial to re-use the same service for authentication and authorization as well. So, to be a bit clearer, we are talking about a system that uses TLS-based authentication, that is, the certificate is also the identity of the device. There is usually less of a problem with trust on first contact, because usually there is an agreement, and during this agreement this trust can be established. So, there is not so much worry about that. Therefore, automation for this is not the purpose; rather, the mapping of authentication and authorization is the focus.

Since authentication can already be achieved by DANE, we only need this mapping, which can also be achieved by the introduction of a small resource record.

> > I actually asked in the mailinglist whether their charter is open to
> > having the bounding of authentication and authorization there since
> > the purpose would be also use DANE. But what I heard (in private
> > message exchanges) that they do not want to recharter to consider this.
>
> I was one of the off-list responders. I still think the scope was much too broad
> (not well defined), and that a more narrow definition would likely suffice,
> probably just use DANE TLSA to secure the transport, and do everything else
> at higher layers (above the DNS).

I looked at the Kitten charter; it does not cover the aspects we are looking for, and it covers something else which is out of scope of the work we want to do. So, if DNSOP is not the place to introduce a new resource record, then where is the place? That is the question.

> A requirements draft might be the right starting point, and "aaa"
> is much more of a topic for "kitten" than for DANE or DNSOP.

Ok, I will draft it as a requirement and submit it.

Thanks,
Best,
Hosnieh
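The thread leans on DANE for the authentication half of the design ("use DANE TLSA to secure the transport, and do everything else at higher layers"). The following is an added example, not code from this thread or from any project discussed in it, showing what that TLSA step looks like in practice: building the record an operator would publish for a device certificate, parsing it back from wire and presentation formats, and checking a presented certificate against it as RFC 6698 describes. It assumes the caller has already extracted the end-entity certificate and its SubjectPublicKeyInfo in DER form (normally done with an X.509 library); the DER blobs, the `TLSA` dataclass and all function names below are constructed for the example and only DANE-EE (usage 3) matching is implemented.

```python
"""TLSA record construction and matching as described in RFC 6698 (DANE).

Added example, not code from the DNSOP thread. Assumes the caller already
has the end-entity certificate and its SubjectPublicKeyInfo (SPKI) as DER
bytes, normally obtained from an X.509 library; here both are constructed
byte strings so the example runs offline with only the standard library.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Certificate usage values (RFC 6698 section 2.1.1); only DANE-EE is matched here.
DANE_EE = 3


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA wire format: three single-octet fields followed by
    the certificate association data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than the three fixed octets")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def to_presentation(rec: TLSA) -> str:
    """Zone-file presentation format, e.g. '3 1 1 <hex digest>'."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"


def from_presentation(text: str) -> TLSA:
    """Inverse of to_presentation()."""
    usage, selector, mtype, hexdata = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def _select(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    """Pick the part of the certificate the selector field refers to."""
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _digest(data: bytes, mtype: int) -> bytes:
    """Apply the matching type to the selected data."""
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der: bytes, spki_der: bytes, usage: int = DANE_EE,
              selector: int = 1, mtype: int = 1) -> TLSA:
    """Build the record an operator would publish for this certificate."""
    return TLSA(usage, selector, mtype,
                _digest(_select(cert_der, spki_der, selector), mtype))


def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Return True if the presented certificate satisfies a DANE-EE record.

    Records with another usage need PKIX validation or trust-anchor chain
    handling that this example does not implement, and records with an
    unknown selector or matching type are unusable; both are reported as a
    non-match so the caller can move on to the next record in the RRset.
    """
    if rec.usage != DANE_EE:
        return False
    try:
        expected = _digest(_select(cert_der, spki_der, rec.selector), rec.mtype)
    except ValueError:
        return False
    # Constant-time comparison; a length mismatch is simply a non-match.
    return hmac.compare_digest(expected, rec.data)


def any_match(records, cert_der: bytes, spki_der: bytes) -> bool:
    """A TLSA RRset authenticates the peer if any usable record matches."""
    return any(matches(r, cert_der, spki_der) for r in records)


# Constructed stand-ins for DER blobs (not real certificates or keys).
CERT_DER = b"\x30\x82constructed-end-entity-certificate-der"
SPKI_DER = b"\x30\x59constructed-subject-public-key-info-der"
ROTATED_SPKI_DER = b"\x30\x59constructed-spki-after-key-rotation"


if __name__ == "__main__":
    rec = make_tlsa(CERT_DER, SPKI_DER)
    print("publish:", to_presentation(rec))
    print("current key matches:", matches(rec, CERT_DER, SPKI_DER))
    print("rotated key matches:", matches(rec, CERT_DER, ROTATED_SPKI_DER))
```

The rotated-key case is the one worth noticing: with selector 1 the record pins the public key rather than the whole certificate, so renewing a certificate for the same key keeps matching, while rotating the key without first publishing a new TLSA record causes the device to stop authenticating. That is the operational coupling between the DNS data and the identity that the thread's proposal would need to manage, before any authorization mapping is layered on top.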