Re: [DNSOP] new Resource record?
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 11 December 2015 19:57 UTC
Date: Fri, 11 Dec 2015 19:57:51 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: 'dnsop' <dnsop@ietf.org>
Message-ID: <20151211195750.GR11836@mournblade.imrryr.org>
References: <005a01d132bf$b8d31a80$2a794f80$@rozanak.com> <BAF07397-13A0-4E46-AD61-8D5341FBE160@puck.nether.net> <D28EEA44.11EBA%edward.lewis@icann.org> <017401d1338d$3ceb8b90$b6c2a2b0$@rozanak.com>
In-Reply-To: <017401d1338d$3ceb8b90$b6c2a2b0$@rozanak.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/rBkD4QkPzpOYd5kndFAYdAQXA0w>
On Thu, Dec 10, 2015 at 09:56:26PM +0100, Hosnieh Rafiee wrote:

> > Second, from the quick description, I don't quite understand what you want
> > to solve. Not complaining, but in preparing to ask for a new type, the
> > use case might need to be clearer.
>
> Authentication and authorization in a multi-tenancy environment where it is
> based on certificates and TLS and not giving direct access to resource
> policy that belongs to the owner of the infrastructure, while at the same time
> giving flexibility to each tenant to delegate all or a part of its resources
> to a third party.

This is still much too vague. Is the goal here to turn DNS into something
akin to "Active Directory"?

Perhaps a better design is to use DNS primarily for cross-organizational
key management (solving the "introduction" problem), and to leave more
fine-grained security policy storage to dedicated services such as
Kerberos, ...

There've been mutterings of facilitating cross-realm Kerberos via DANE,
thus avoiding the need for manual pairwise shared keys.

> I actually asked in the mailing list whether their charter is open to having
> the bounding of authentication and authorization there, since the purpose
> would also be to use DANE. But what I heard (in private message exchanges)
> is that they do not want to recharter to consider this.

I was one of the off-list responders. I still think the scope was much
too broad (not well defined), and that a more narrow definition would
likely suffice: probably just use DANE TLSA to secure the transport, and
do everything else at higher layers (above the DNS).

A requirements draft might be the right starting point, and "aaa" is
much more of a topic for "kitten" than for DANE or DNSOP.

-- 
	Viktor.
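The "just use DANE TLSA to secure the transport" suggestion above reduces to one check: the certificate a server presents must match a TLSA record published under the service name. The following is an added example, not code from the message or from any DANE implementation, showing how a DANE-EE record ("3 1 1": usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) is published and then checked against a presented certificate. The hostname mail.example.net, the throwaway self-signed certificates, and the function names (Publish, Matches, NewKey, CertFor) are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one DANE record (RFC 6698): usage, selector, matching type, association data.
type TLSA struct {
	Usage    uint8 // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector uint8 // 0 whole certificate, 1 SubjectPublicKeyInfo only
	MType    uint8 // 0 exact bytes, 1 SHA-256, 2 SHA-512
	Data     []byte
}

// String renders the record in zone-file presentation format.
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.MType, hex.EncodeToString(t.Data))
}

// Publish computes the record a zone operator publishes for cert: pick the bytes the
// selector names, then apply the matching type to them.
func Publish(cert *x509.Certificate, usage, selector, mtype uint8) (TLSA, error) {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return TLSA{}, fmt.Errorf("tlsa: unknown selector %d", selector)
	}
	switch mtype {
	case 0: // exact bytes, no hashing
	case 1:
		sum := sha256.Sum256(data)
		data = sum[:]
	case 2:
		sum := sha512.Sum512(data)
		data = sum[:]
	default:
		return TLSA{}, fmt.Errorf("tlsa: unknown matching type %d", mtype)
	}
	return TLSA{Usage: usage, Selector: selector, MType: mtype, Data: data}, nil
}

// Matches reports whether the end-entity certificate a server presented satisfies rr.
// Only DANE-EE (usage 3) is implemented: the presented certificate is the trust anchor,
// so no PKIX chain building or CA validation is needed. Usages 0-2 would require it.
func Matches(rr TLSA, presented *x509.Certificate) (bool, error) {
	if rr.Usage != 3 {
		return false, fmt.Errorf("tlsa: usage %d not handled by this checker", rr.Usage)
	}
	want, err := Publish(presented, rr.Usage, rr.Selector, rr.MType)
	if err != nil {
		return false, err
	}
	return bytes.Equal(want.Data, rr.Data), nil
}

// NewKey and CertFor build throwaway self-signed certificates; constructed demo data only.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
func CertFor(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "mail.example.net"},
		DNSNames:     []string{"mail.example.net"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, _ := NewKey()
	current, _ := CertFor(key, 1)
	rr, _ := Publish(current, 3, 1, 1) // "3 1 1": DANE-EE, SPKI, SHA-256
	fmt.Printf("_25._tcp.mail.example.net. IN TLSA %s\n", rr)
	reissued, _ := CertFor(key, 2) // same key, new certificate: still matches
	other, _ := NewKey()
	imposter, _ := CertFor(other, 3) // same name, different key: rejected
	for _, c := range []*x509.Certificate{current, reissued, imposter} {
		ok, _ := Matches(rr, c)
		fmt.Printf("serial %v matches: %v\n", c.SerialNumber, ok)
	}
}
```

The point a practitioner should take from it is the one the message makes implicitly: with "3 1 1" the DNS carries a key binding, nothing more. A certificate reissued for the same key keeps matching (selector 1 pins the SPKI, not the certificate), a certificate for the same name under a different key fails, and every question of who may access what is left to the layers above the TLS session.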
- Re: [DNSOP] new Resource record? Patrik Fältström
- [DNSOP] new Resource record? Hosnieh Rafiee
- Re: [DNSOP] new Resource record? Jared Mauch
- Re: [DNSOP] new Resource record? Hosnieh Rafiee
- Re: [DNSOP] new Resource record? Edward Lewis
- Re: [DNSOP] new Resource record? Hosnieh Rafiee
- Re: [DNSOP] new Resource record? Hosnieh Rafiee
- Re: [DNSOP] new Resource record? Jared Mauch
- Re: [DNSOP] new Resource record? Viktor Dukhovni
- Re: [DNSOP] new Resource record? Hosnieh Rafiee