IETF Logo Mail Archive

Re: [DNSOP] [Fwd: New Version Notification for draft-peetterr-dnsop-parent-side-auth-types-00.txt]

Paul Wouters <paul@nohats.ca> Fri, 25 September 2020 21:21 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9B13A09D8 for <dnsop@ietfa.amsl.com>; Fri, 25 Sep 2020 14:21:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2HNgmoN0oVH8 for <dnsop@ietfa.amsl.com>; Fri, 25 Sep 2020 14:21:09 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ACA83A09D5 for <dnsop@ietf.org>; Fri, 25 Sep 2020 14:21:09 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4BylFv5sqJzDRT; Fri, 25 Sep 2020 23:21:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1601068867; bh=Se+0mBqEXnTgtBdZn6fjHbHM1kxrsgHHqvBwPsQTP9E=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=UnLZSmje5meALtjAv1aeOx3Zg8WFZmBg6jqn73hDhJ5AaQzuh1bYUQ3eH9egBmvez YGTfPvYoMW2lhX2CWbL6Z/XqSnHBAHT+dBE9VwKvSUU5upGhdevCKrAoSHK/bAfKLW b3W3T5VEh6zppUXBKVnP+Tuh0vcj/uFwCDv2EQpQ=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id MNjErB2YBj81; Fri, 25 Sep 2020 23:21:06 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 25 Sep 2020 23:21:06 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id DA6046029B99; Fri, 25 Sep 2020 17:21:04 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D1BCC66AF7; Fri, 25 Sep 2020 17:21:04 -0400 (EDT)
Date: Fri, 25 Sep 2020 17:21:04 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <CAHbrMsA6mV6zc+DimTLqXC038WhDFEmKi7HOWin4Dg1QstwrQg@mail.gmail.com>
Message-ID: <alpine.LRH.2.23.451.2009251714390.1634044@bofh.nohats.ca>
References: <160096974346.12277.16853345396397035889@ietfa.amsl.com> <702a5de3ddcef844aeb80b4c071ee9559aaac650.camel@powerdns.com> <alpine.LRH.2.23.451.2009242244031.1610064@bofh.nohats.ca> <CAHbrMsA6mV6zc+DimTLqXC038WhDFEmKi7HOWin4Dg1QstwrQg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kZMggHxedqn8F-ysFSdb_aqisuY>
Subject: Re: [DNSOP] [Fwd: New Version Notification for draft-peetterr-dnsop-parent-side-auth-types-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Sep 2020 21:21:12 -0000

On Thu, 24 Sep 2020, Ben Schwartz wrote:

> I would certainly be concerned about such a scenario, but I don't understand how it's relevant to Peter's proposal. 
> Couldn't this already be done today, by simply including such a hypothetical "parent opinion" record in the glue?
> 
> For the scenario you're describing, the present lack of DNSSEC authentication would not seem to be an obstacle.

middlewhere (voluntarilly or mandated) would not be able to trust glue
for security decisions. where as they might be able to trust parental
signed data.

Of course, any goverment party can publish a list of directives in their
publications and law books, but if those are technically weak or even
formally unprovable, implementation and enforcement will be impossible.

You can also look at it from the reverse way. If the parent wants to
publish anything about the child, even if it received it from the
child, it can already do so using a prefix in its own zone, eg:

_nohats._parentalguidance.ca.	IN DNSKEY <blob>
_nohats._parentalguidance.ca.	IN DS <blob>
_nohats._parentalguidance.ca.	IN TXT <blob>

No DNS infastructure or protocol changes are required for this.

Paul

> On Thu, Sep 24, 2020 at 10:53 PM Paul Wouters <paul@nohats.ca> wrote:
>
>       [added hrpc to CC: list]
>
>       On Thu, 24 Sep 2020, Peter van Dijk wrote:
>
>       > When talking to Petr Spacek about this, he came up with the following:
>       > -if-, long enough ago, besides DS, a range of RRtype numbers would have
>       > been reserved with the same processing rules, i.e. these types live in
>       > the -parent- and not on the -child-, then both DSPKI and NS2T could
>       > become parent side records through the simple act of requesting an
>       > IANA allocation from that special range.
>
>       That is an incredibly dangerous idea. It is basically a wildcard from
>       the parent to make claims about the child, that the child cannot
>       control. You can imagine many kind of RRTYPEs that be be used, eg:
>
>       ADULT_CONTENT
>       POLITICAL_SPEECH
>       GOVERNMENT_BLOCKED
>       MONITOR_USERS
>       GEOGRAPHIC_CONSTRAINT
>
>       Of course, governments can already dictate that ISPs do any of these
>       things, but with this proposal you are giving them an awesome censorship
>       tool. And anyone not complying to the RFCs implementing these, could be
>       in clear violation of the working of the internet and should be punished.
>
>       Letting the parent make arbitrary statements about the DNS child is too
>       dangerous a tool to roll out.
>
>       Partially this can be mitigated by making the registry Internet Standard
>       Required, but that would put a lot of pressure on IETF and DNSOP later
>       on - pressure that is not technical in nature, but political.
>
>       I understand the desire for "if we need the parent to say something
>       about the child in the future, we would already have the infrastructure
>       running". Indeed, it is a neat idea. But too dangerous.
>
>       Paul
>
>       > Name:           draft-peetterr-dnsop-parent-side-auth-types
>       > Revision:       00
>       > Title:          Parent-side authoritative DNS records for enhanced delegation
>       > Document date:  2020-09-24
>       > Group:          Individual Submission
>       > Pages:          5
>       > URL:            https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt
>       > Status:         https://datatracker.ietf.org/doc/draft-peetterr-dnsop-parent-side-auth-types/
>       > Html:           https://www.ietf.org/id/draft-peetterr-dnsop-parent-side-auth-types-00.html
>       > Htmlized:       https://tools.ietf.org/html/draft-peetterr-dnsop-parent-side-auth-types-00
>
>       _______________________________________________
>       DNSOP mailing list
>       DNSOP@ietf.org
>       https://www.ietf.org/mailman/listinfo/dnsop
> 
> 
>

v2.23.0 | Report a Bug | By Email