Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-02.txt
Shane Kerr <shane@time-travellers.org> Tue, 30 August 2016 07:00 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CADE212D126 for <dnsop@ietfa.amsl.com>; Tue, 30 Aug 2016 00:00:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CEt2QN3Af5k5 for <dnsop@ietfa.amsl.com>; Tue, 30 Aug 2016 00:00:55 -0700 (PDT)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E62D12D124 for <dnsop@ietf.org>; Tue, 30 Aug 2016 00:00:55 -0700 (PDT)
Received: from [240c:f:0:11:4efb:39ab:b7cd:a92f] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1bed2P-0006mU-P4; Tue, 30 Aug 2016 07:00:50 +0000
Date: Tue, 30 Aug 2016 15:00:29 +0800
From: Shane Kerr <shane@time-travellers.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20160830150029.512e1ce5@pallas.home.time-travellers.org>
In-Reply-To: <9E342C42-7649-4776-BA22-DF9F5A84654A@vpnc.org>
References: <20160708223044.32131.72663.idtracker@ietfa.amsl.com> <8FD4B2FF-9E51-4FF3-829A-1D4D7CFAB19E@vpnc.org> <9E342C42-7649-4776-BA22-DF9F5A84654A@vpnc.org>
X-Mailer: Claws Mail 3.14.0 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; boundary="Sig_//XClEx0yNh=u_BqJQ/ikMp2"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lERbh3n_pLAhwWbRWfkLXnxU2XQ>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2016 07:00:58 -0000
Paul, At 2016-08-10 16:54:39 -0700 "Paul Hoffman" <paul.hoffman@vpnc.org> wrote: > [[ A month later, we're still eager to hear responses to the draft. We > got a few that we have incorporated for a new version, but want to be > sure we're on the right track before we move ahead. ]] I'm back from vacation and catching up on old mail. I decided to go through this draft instead of finishing that. ;) I have a couple questions about the Key Tag Query. (Apologies if these have been discussed already - I do remember some mention of the first question in a meeting so maybe it has been discussed and discarded.) First, can we please just use the decimal version of the Key Tag values? As an operator it sure is easier to be able to cut & paste from a log instead of having to use "bc" or Python to convert from the hex to the value that is actually in all of my configuration files everywhere. Second, the easiest way for a querier to use this might be to set up a cron job that grabs the anchor information out of a configuration file and sends it via "dig". That doesn't require any support from any software beyond what I have today, but it doesn't match the idea of sending it at the same time as a DNSKEY query. Finally, the security concerns section got me to thinking about ways to send the trust anchor information in an encrypted way. I don't see an easy way to do this in the DNS itself, but we could use HTTPS for this. A zone could add a RR something like: _dns-trust-anchor-reporting._tcp.$ZONE. $TTL IN SRV 0 1 443 an.example Then a resolver could use a RESTful query like: https://an.example/$ZONE/$SRVID/keytag1,keytag2,keytag3 If we really wanted to keep it in DNS do something similar but submit a DNS over TLS query instead. Maybe: _dns_trust_anchor_reporting._tcp.$ZONE. $TTL IN SRV 0 1 853 an.example Then the resolver could use the Key Tag query. This also has a slight advantage of only reporting information to trust anchor operators who plan on doing something with the data. It does require DNS over TLS support though.... Cheers, -- Shane
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Bob Harold
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Paul Hoffman
- [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… 神明達哉
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… tjw ietf
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Wessels, Duane
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… 神明達哉
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Shane Kerr
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Wessels, Duane