Re: [DNSOP] Privacy and DNSSEC

Shumon Huque <shuque@gmail.com> Tue, 28 April 2020 01:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pAwnNRpxRx9MBgTKdSidfhRaXyY>

On Sat, Apr 25, 2020 at 2:57 AM Paul Vixie <paul@redbarn.org> wrote:

> On Saturday, 25 April 2020 06:23:54 UTC Vladimír Čunát wrote:
> > Original subject: New draft on delegation revalidation
> >
> > Still, note that for some consumers the secure transport may be an
> > argument to drop validating DNSSEC themselves.  If they choose some DNS
> > provider that they trust with privacy (it might be their ISP), it seems
> > not a huge leap to trust them with DNS integrity as well (say, the
> > provider doing DNSSEC validation).  Especially as today "regular users"
> > don't get that much benefit from validation, mostly relying on
> > https/tls.
>
> i hope there's some use for DNS results beyond introducing me to an X.509
> authenticated web server. for example i might use DNS to validate an X.509
> self-signed certificate along the lines of DANE. to me this means the goal we
> followed for DNSSEC (authenticate what goes into an RDNS cache) was too
> narrow, and the difficulties of getting stub validation working should have
> been avoided from the outset (in 1996, that was.)
>

That was the goal that was largely followed, but was it the original goal?

The DNSSEC specs have always contemplated validating stub resolvers.
I think the Kaminsky cache poisoning scare inadvertently focussed our
efforts on solving the DNSSEC-to-RDNS problem to the exclusion of other
more complete possibilities.

There has certainly been work on validating stubs on the margin though:
getdns, stubby, etc., but those are only used by a small minority of
tech-savvy users (as far as I'm aware).

The one significant impediment cited for validating stubs is the middlebox
last mile problem. Here again, there has been attempted work, e.g. the
TLS DNSSEC chain extension for TLS enabled applications. And DNS
over TLS/HTTPS could prove to be an enabler for validating stub resolvers
to obtain a clean, unmolested path to an upstream recursive service.

Shumon Huque
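As an added illustration of the last point (not part of the original message, and not the getdns or stubby configuration the author names), the following Unbound configuration runs a local validating stub that holds its own root trust anchor and reaches the upstream recursive service only over authenticated DNS over TLS. The upstream address and TLS auth name are placeholders to be replaced with the operator's chosen resolver.

```conf
# Local validating stub: DNSSEC is verified here, against a trust anchor
# this host controls, regardless of what the upstream resolver does.
server:
    interface: 127.0.0.1
    port: 53
    do-tcp: yes

    # RFC 5011 managed root trust anchor; validation happens locally.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Treat answers from which RRSIG/DS records were stripped as bogus,
    # which is the middlebox "last mile" failure the thread describes.
    harden-dnssec-stripped: yes
    harden-referral-path: yes

    # CA bundle used to authenticate the upstream's TLS certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Forward everything to the upstream recursive resolver over TLS only,
# so on-path devices cannot inspect or rewrite the DNS messages.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Placeholder upstream (assumption): IP@853#<name on its certificate>.
    # Unbound refuses the connection if the certificate does not match.
    forward-addr: 192.0.2.53@853#resolver.example.net
```

Because the stub validates with its own trust anchor, a compromised or non-validating upstream can deny service but cannot forge a validated answer; the TLS hop only adds the clean path the thread hopes for.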