IETF Logo Mail Archive

Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-refer-00.txt

Ben Schwartz <bemasc@google.com> Fri, 12 February 2021 18:38 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B14BA3A0975 for <dnsop@ietfa.amsl.com>; Fri, 12 Feb 2021 10:38:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mowKqv7mtmYq for <dnsop@ietfa.amsl.com>; Fri, 12 Feb 2021 10:38:15 -0800 (PST)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B48443A09BC for <dnsop@ietf.org>; Fri, 12 Feb 2021 10:38:15 -0800 (PST)
Received: by mail-io1-xd31.google.com with SMTP id p132so143617iod.11 for <dnsop@ietf.org>; Fri, 12 Feb 2021 10:38:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bDeOzcwXuTVXYwamN/tIrMARkTnv+dwCiuvKNjAay0I=; b=af1UBv9dI4Cks1IpQ+RfyliVd+KMeSZ4hznME6AP7vrqp25O+mfJMN0rBD/9yCiEVj vQSO7IC2UwBih8G2sJsGecvFQX/xcMKOWrc43hQbj0T3EPLHe6U/eWLEVvjMFlkO2wIv K+uaclI9HaSQ6iBh3Ce+MjtWdiTPiBT9W3VvZCI1zjT2SjMgYb2fTZLJRulh9p9aJ8TD enxEX1FrI5R2JFhCOIPKw2WePNjAn8h1v/IjeAUWr6Tgbj4cXD1gDq/J4DrHSKAvVver I53eWo3FbHO8QcGLfckAD99Ui3DP0potb6QI9xNdcw3OOz7RUphtqwkImDJv7howi5Ub 1Bgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bDeOzcwXuTVXYwamN/tIrMARkTnv+dwCiuvKNjAay0I=; b=WSXpT36qClgXm3SSUUhbDvVY5baVESeoBjnpqNsoV40Ui0j2aHBSfOE2OpTp4vgDgK oyg3xIXanj1OKnHPHHYH4b9IJ8S6XoO3qUjl85ZJaA2HgOd3Ya/aYVAWVC0fKnKB3c+i AQo+2xmmM5b5ZhrWJT+LfriWfu4Cy85HwnEQ43MZYONj/MX9Jer/Nr1eL1zuowBu8vA+ fkndFS6msFco1k6LP4lJg139fT9jz87lOfxXQt/CwwoZdm+iHqaMNtn6RM+kQpb/5zbQ BLKOugDkuHQHY6XAW2r0WvYjPmCaWhd9N3jJjsr3bgcpCU174W3yGZKErT5v5q2IxPx/ 3QfQ==
X-Gm-Message-State: AOAM532HF1+dt8sUOrxi13rmeE0EWcbbOnKGclNvxK0IiwVjYDZmgmBd PFJ4tvjTsIuuey5sUSfbRW37Oflnhp7S3BYaMAeBbg==
X-Google-Smtp-Source: ABdhPJzA/iKhaBRHmz/LqGzwuJq6v+4XPe71z2FvCrdqFV8wy4QfMwjmX/OmW1sRDkD66i3++qp0slB1oYo6FrBgWLY=
X-Received: by 2002:a5d:8490:: with SMTP id t16mr3108514iom.91.1613155088919; Fri, 12 Feb 2021 10:38:08 -0800 (PST)
MIME-Version: 1.0
References: <161314515808.27869.12735398190429691375@ietfa.amsl.com> <A4EE4B99-A7F7-452E-9E3E-10277D15837A@hopcount.ca>
In-Reply-To: <A4EE4B99-A7F7-452E-9E3E-10277D15837A@hopcount.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Fri, 12 Feb 2021 13:37:57 -0500
Message-ID: <CAHbrMsDiHm+cz+i8QetgVS=KNsoLVJb-XqH1rCrkF3XnTn_zfQ@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000005aeac305bb27f04b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fUn9628W7OF1OjcC7rtpHBaTIe0>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-refer-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 18:38:18 -0000

This is a fun proposal, Joe.  (I think it should probably also go to
DPRIVE, although it's mostly the same folks.)

Regarding the Security Considerations, I would suggest that REFER-aware
recursive resolvers (1) should also implement QNAME minimization, and (2)
should send a REFER query in parallel with any shortened-QNAME query.  It
seems to me that should be roughly sufficient to prevent the downgrade
attack (if the parent is signed) without adding latency.

On Fri, Feb 12, 2021 at 11:08 AM Joe Abley <jabley@hopcount.ca> wrote:

> Hi all,
>
> I have discovered that without liberal access to bars and hallways at
> in-person IETF meetings, I no longer know how to tell the difference
> between ambition and insanity when it comes to technical proposals. I am
> quite prepared to find out that in this case the needle is at the crazy end
> of the scale.
>
> Happy Friday!
>
>
> Joe
>
> Begin forwarded message:
>
> *From: *internet-drafts@ietf.org
> *Subject: **New Version Notification for draft-jabley-dnsop-refer-00.txt*
> *Date: *12 February 2021 at 10:52:38 EST
> *To: *"Joe Abley" <jabley@pir.org>
>
>
> A new version of I-D, draft-jabley-dnsop-refer-00.txt
> has been successfully submitted by Joe Abley and posted to the
> IETF repository.
>
> Name: draft-jabley-dnsop-refer
> Revision: 00
> Title: REFER: A New Referral Mechanism for the DNS
> Document date: 2021-02-12
> Group: Individual Submission
> Pages: 14
> URL:
> https://www.ietf.org/archive/id/draft-jabley-dnsop-refer-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-jabley-dnsop-refer/
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-jabley-dnsop-refer
> Htmlized:       https://tools.ietf.org/html/draft-jabley-dnsop-refer-00
>
>
> Abstract:
>   The Domain Name System (DNS) incorporates a namespace that is
>   comprised, in practice, of multiple so-called zones.  Each zone is,
>   in principal, a finite tree structure which can be administered
>   autonomously, and is connected to exactly one parent zone and zero or
>   more child zones.  These connection points are known as zone cuts; a
>   parent zone contains information that allows the servers responsible
>   for the child zone to be found.
>
>   The current DNS specification encodes that information about child
>   zones using an "NS" resource record set in the parent zone, and a
>   corresponding "NS" resource record set in the child zone.  These two
>   resource record sets have identical owner names, class, and resource
>   record type but can differ in other respects such as the time-to-live
>   (TTL) attribute, the resource record data associated with each set
>   and the availability of cryptographic signatures.  This property of
>   being similar, related but potentially different has led to
>   operational complexity.
>
>   This document proposes a change to how zone cuts are encoded in the
>   parent zone, allowing the resource records in the parent and the
>   child zone to be more clearly distinguished and protected separately
>   using cryptographic signatures.
>
>   It is not at all clear that this is a good idea.  To restate in
>   stronger terms, the goal of the experiment described in this document
>   is to determine just how bad an idea this is.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email