Re: [DNSOP] introducing a couple of RRTypes (CRC/CRS) for B2B applications
Paul Wouters <paul.wouters@aiven.io> Tue, 12 April 2022 12:28 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0830A3A1D10 for <dnsop@ietfa.amsl.com>; Tue, 12 Apr 2022 05:28:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bd_m5OIzOBwp for <dnsop@ietfa.amsl.com>; Tue, 12 Apr 2022 05:28:11 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6689B3A1D0D for <dnsop@ietf.org>; Tue, 12 Apr 2022 05:28:11 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id g20so22124932edw.6 for <dnsop@ietf.org>; Tue, 12 Apr 2022 05:28:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=ytyBA7JmgTaTCBmE9sqzngRZfzByDkGgLgpSZNRVU3Q=; b=C7vYX4zQrOnVgctuvUuZcPLFQvw1hnBT3CJm6bv98RYcUfLmL6mZQtYqV3SSJWVprm ulqwOONDmvz/h83QoG4oz63n9eBtXq6NIaAdD1lpmtmycArVujPJycgBO691326Y132S q7H+8/bNsCDHeiBzgPmkklgHC+/qSODkqv+Mc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=ytyBA7JmgTaTCBmE9sqzngRZfzByDkGgLgpSZNRVU3Q=; b=hUf7mqYF+C9i7s0t0VBV0c0I2YsBhcdE2D+hgXXLHFFbpBXLkQeKMRqSc6/94Ckx0E Z1qUbM0VLl5qjwD9JjmSWjUI+BHERAJKjcdYZNGLNM7YXpmYyhrZjaVrwELgQRcpeApC uVg/J/hkVEBXl25pYy5poC2yi2IXGV5xKrje363od8CW4w/E5jFpeuAd75TymUX+5BBe k5GCQKHUzMyuswItuXCrbiZegDLm4unmAaboXasRq3NPV28083/mgt0CzOqLaGsdYqhW 6P5rDM9dHX5rMU79MJ+u7q8fGSWy2CmZUoyJUGEfq7Qnpwb1JhGm53EtIku1KkT5MAPm UccQ==
X-Gm-Message-State: AOAM53312vpp4TFVtbMXWFznrQWvNnYZKvZWeOXfRqYF4cqIU2ryeyoj 5d3B0isXCEJTTihkVUQSQThmBg==
X-Google-Smtp-Source: ABdhPJxjJzlrEDh0XH0qvLHOtyiBwqb0cmwK3+MVGx7CuT42vnbRAm/+SqhpPPooQJxUau5ksTJIvQ==
X-Received: by 2002:aa7:cd18:0:b0:41d:8df8:86e5 with SMTP id b24-20020aa7cd18000000b0041d8df886e5mr4046113edw.248.1649766489430; Tue, 12 Apr 2022 05:28:09 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id c5-20020a170906d18500b006ce371f09d4sm12968452ejz.57.2022.04.12.05.28.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Apr 2022 05:28:08 -0700 (PDT)
Date: Tue, 12 Apr 2022 08:28:06 -0400
From: Paul Wouters <paul.wouters@aiven.io>
To: Eugène Adell <eugene.adell@gmail.com>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <CALY=zUf2OX-QRtULBv4_N_J6Cuik8LxVh1rSQ1mnbFiNmTk+oQ@mail.gmail.com>
Message-ID: <fcb934cc-581c-c54f-f32b-3dd44aee729f@nohats.ca>
References: <CALY=zUfDcE-wQ3kwvSCTy+aWVAFs-ymdiFLF5xgYp2tOmhOt-Q@mail.gmail.com> <BC09F131-E098-45DF-8213-10732593A508@isc.org> <355263CA-10A6-4AED-8622-8336A94F069A@isc.org> <CALY=zUf2OX-QRtULBv4_N_J6Cuik8LxVh1rSQ1mnbFiNmTk+oQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1858192029-1831689432-1649766488=:1240664"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sFrc1ZxJvn0012cehgtBlh0X5dk>
Subject: Re: [DNSOP] introducing a couple of RRTypes (CRC/CRS) for B2B applications
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2022 12:28:16 -0000
On Tue, 12 Apr 2022, Eugène Adell wrote: > Beyond the technical aspects, there are several different persons to > think about in our case : the DNS administrator obviously, the > decision maker buying (or not) a secured online service, and the CISO. Why should this information exchange happen via DNS? > It looks more simple to have dedicated RR types to let them > communicate together It seems a REST API using some .well-known HTTPS link seems a better fit ? > After your comments and correcting a typo, it gives > ftp.example.com_21.example.net > Such domain name for sure doesn't exist and uses the underscore > character as separator. It has to be considered as storing data > establishing a kind of contract between the two organizations > involved. It should have a dot in between, eg ftp.example.com._21.example.net. Then, the underscore name should be uniquely identifying to split it from other DNS records. eg _crs or something. Have a look at other documents at https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#underscored-globally-scoped-dns-node-names > 5. > I give some explanation in the answer 1 but I will rephrase. The CRS > record can be used before subscribing to a service (typically any > storage/log system/SIEM) as an indicator that this service provides > the kind of authorization process described in the document. I still wonder if DNS is really the right fit for this. > This document specifies the Client Roaming Control (CRC) DNS Resource > Record allowing an organization to better control the access to > third-party applications over Internet. The applications > implementing an authorization mechanism to honor the CRC, publish on > their side the Client Roaming Support (CRS) Resource Record to inform > of this support. There is a big overlap here with MUD, see https://datatracker.ietf.org/doc/html/rfc8520 It also seems the source of authorization depends on the DNS name, but how do you ensure a device would not be lying about their name? Would this only work on zones with static DNS entries? If so, how would that scale? What would be the mechanism to authorize the publishing of CRS/CRC records, and why can that provisioning protocol not also be used to query/signal this data? Paul
- [DNSOP] introducing a couple of RRTypes (CRC/CRS)… Eugène Adell
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Wessels, Duane
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Mark Andrews
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Mark Andrews
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Eugène Adell
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Paul Wouters
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Eugène Adell
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Eugène Adell
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Eugène Adell
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Paul Wouters
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Eugène Adell
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Eugène Adell
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… A. Schulze
- Re: [DNSOP] introducing a couple of RRTypes (CRC/… Eugène Adell