Re: [DNSOP] new Resource record?

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 11 December 2015 19:57 UTC

On Thu, Dec 10, 2015 at 09:56:26PM +0100, Hosnieh Rafiee wrote:

> > Second, from the quick description, I don't quite understand what you want
> > to solve.  Not complaining, but in preparing to ask for a new type, the
> > use case might need to be clearer.
> 
> Authentication and authorization in a multi-tenancy environment where it is
> based on certificates and TLS, not giving direct access to the resource
> policy that belongs to the owner of the infrastructure, while at the same time
> giving flexibility to each tenant to delegate all or a part of its resources
> to a third party.

This is still much too vague.  Is the goal here to turn DNS into
something akin to "Active Directory"?  Perhaps a better design is
to use DNS primarily for cross-organizational key management (solving
the "introduction" problem), and to leave more fine-grained security
policy storage to dedicated services such as Kerberos, ...  There've
been mutterings of facilitating cross-realm Kerberos via DANE, thus
avoiding the need for manual pairwise shared keys.


> I actually asked in the mailing list whether their charter is open to having
> the bounding of authentication and authorization there, since the purpose
> would also be to use DANE. But what I heard (in private message exchanges)
> was that they do not want to recharter to consider this.

I was one of the off-list responders.  I still think the scope was
much too broad (not well defined), and that a more narrow definition
would likely suffice, probably just use DANE TLSA to secure the
transport, and do everything else at higher layers (above the DNS).

A requirements draft might be the right starting point, and "aaa"
is much more of a topic for "kitten" than for DANE or DNSOP.

-- 
	Viktor.
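The "use DANE TLSA to secure the transport" suggestion above, shown as an added example that is not part of this thread: the DANE-EE (usage 3) match a client performs between a TLSA RRset and the leaf certificate the server presented. It assumes the caller has already obtained the DER encodings of the certificate and its SubjectPublicKeyInfo from its TLS library; the sample record and certificate bytes are constructed, and only usage 3 is handled because usages 0-2 additionally need PKIX or chain validation.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int          # 0-3; 3 = DANE-EE, matched directly against the leaf
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Decode TLSA wire-format RDATA (RFC 6698 section 2.1): three octets, then data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])

def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this leaf."""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        raise ValueError(f"unknown selector {rec.selector}")
    if rec.matching_type == 0:
        return selected
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching_type}")

def dane_ee_matches(rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any usable DANE-EE record in the RRset matches the presented leaf."""
    for rec in rrset:
        if rec.usage != 3:
            continue  # PKIX-* and DANE-TA usages need chain validation; out of scope here
        try:
            expected = association_data(rec, cert_der, spki_der)
        except ValueError:
            continue  # unusable record (unknown selector/type): skip it, keep checking others
        if hmac.compare_digest(expected, rec.data):
            return True
    return False

# Constructed sample input (not real DER): a leaf cert, its SPKI, and an RRset that
# mixes a stale key, an unusable record, a PKIX-EE record and the current key.
SAMPLE_CERT_DER = b"constructed-leaf-certificate-der"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-der"

def sample_rrset():
    stale = bytes([3, 1, 1]) + hashlib.sha256(b"rotated-away-key").digest()
    bogus = bytes([3, 1, 255]) + b"\x00" * 32
    pkix = bytes([1, 0, 1]) + hashlib.sha256(SAMPLE_CERT_DER).digest()
    good = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI_DER).digest()
    return [parse_tlsa_rdata(r) for r in (stale, bogus, pkix, good)]
```

Publishing several records (current and next key) is what lets a server rotate keys without a window in which DANE clients fail, which is why the check accepts on any match rather than requiring all records to match.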