IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for Revised IANA Considerations for DNSSEC

Paul Wouters <paul@nohats.ca> Thu, 12 August 2021 19:48 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F6813A47C7; Thu, 12 Aug 2021 12:48:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NIjfjWtoCcUZ; Thu, 12 Aug 2021 12:48:17 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4548A3A47C5; Thu, 12 Aug 2021 12:48:16 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Gly0Q1MmXzFHS; Thu, 12 Aug 2021 21:48:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1628797686; bh=SA3V3oI0LtlT21Pb72QHKGPH30/CPky2s2HlXsPr9u8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=ecd7VhUPCkAiYXb6eEpl/LPpfJ3SibaLCLdEicUz5AK0rzQKjzMAFlkYmADkTgPQt ZmrVKHWq9P/jTP2lsX3AMAYzwAqAowsnjRN+DPzvuFZQ2+Q9/MDx+pgJI4kTEk6oQu SlHyukOSz99dv/Ai2dkDklUa3Da8Y5LddHx74+/k=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id YRYs8G_wFhyI; Thu, 12 Aug 2021 21:48:05 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 12 Aug 2021 21:48:04 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id C7C80DE22E; Thu, 12 Aug 2021 15:48:03 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C3A1BDE22D; Thu, 12 Aug 2021 15:48:03 -0400 (EDT)
Date: Thu, 12 Aug 2021 15:48:03 -0400
From: Paul Wouters <paul@nohats.ca>
To: Joe Abley <jabley@hopcount.ca>
cc: Olafur Gudmundsson <ogud@ogud.com>, Tim WIcinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
In-Reply-To: <2A137295-D5FC-4FDA-9270-88FEF9A60265@hopcount.ca>
Message-ID: <48c1577-59f-5255-ac4-b8931d0d9b2@nohats.ca>
References: <7216daac-3446-3481-a358-d1b11c92a2d@nohats.ca> <2A137295-D5FC-4FDA-9270-88FEF9A60265@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kEg1bxGVi0kyBmdzbfaESip_tmg>
Subject: Re: [DNSOP] Working Group Last Call for Revised IANA Considerations for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Aug 2021 19:48:23 -0000

On Thu, 12 Aug 2021, Joe Abley wrote:

>> This would have been excellent to do when we did DS. It would still be
>> good to do this now, I agree. But it would be too late for some of the
>> things discussed now.
>
> Can you talk more about why you think so?

I did a small presentation during IETF 111 DPRIVE. You can find the
presentation deck and the recording on the IETF site.

> Support for novel interpretations of particular DS algorithms will require support on both the provisioning and consumer side. Is it really that much more work to specify new DS-like RRTypes?

It does not neccessarilly require support on the provisioning side, as
it is "just another DS record" from the provisioning point of view
unless lawyers insisted the TLD somehow verifies the pubkey is
pre-published or in an algorithm they 'support' (allow).

> There's truck-roll in both cases. Neither path is really going to make these features generally available any time soon.

There is a huge difference between "support for a DS record with
unknown or unexpected content at the RRR level" and "change all
DNS and EPP software on the planet". The first one has like 1500
actors. The second has millions or billions.

And as I argued, even if we do this by overloading DS or NS, is that
overloading really something we need? As it is only required for
privacy to nameservers that are in-bailiwick to the domain, which in
itself is already pretty much a dead give away even when you only
can observe encrypted TLS traffic to an IP address of a well known
published nameserver.

So my own order of preference is likely something like:

1) Forget about protecting in-bailiwick nameservers
2) Do it securely using DS at parent
    (only requires new code for validating nameservers that don't exist yet)
3) Do it insecurely using NS at parent
    (only requires new code for validating nameservers that don't exist yet)
4) Wait for SVCB at parent near universal deployment
    (requires widepsread recursive and authoritative updates, EPP updates, webgui updates)
5) do 3) until 4)
    (I can't even)

I guess somewhere between 2) and 5) would be "another out of band hack"

Paul

v2.23.0 | Report a Bug | By Email