Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?

Paul Wouters <paul@nohats.ca> Mon, 17 July 2023 12:20 UTC

Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Mon, 17 Jul 2023 08:19:39 -0400
Message-Id: <58626858-DB23-44FB-8EF6-C09FEBC41DAB@nohats.ca>
References: <ZLRKqMxGIm5sDM1G@straasha.imrryr.org>
In-Reply-To: <ZLRKqMxGIm5sDM1G@straasha.imrryr.org>
To: dnsop@ietf.org
X-Mailer: iPhone Mail (20C65)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zXUNNe6G2uInAiMYCRFO5XzyGzc>
Subject: Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2023 12:20:00 -0000

On Jul 16, 2023, at 15:53, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
> 
> I should perhaps have stated the technical criteria on which I consider
> the proposal non-viable.  To wit:
> 
>    - The proposed protocol lacks all downgrade resistance.
>    - Without a signed delegation from the parent, the existence of the
>      zone apex CERT MRs and associated RRSIGs is trivially denied by
>      an on-path attacker.

Indeed, the lack of a chain of trust via DS records means the CERT and RRSIG records can just be removed from the answers.
Encoding the presence somehow in the NS names (aka dnscurve style) also doesn't help, because such an approach requires authenticated connections from the root down and doesn't work through DNS caches, which is the exact reason why dnscurve was non-viable.

And finally, as with proposals to replace IPv6 with something better, it would take years for the software to be written and deployed, so it is questionable whether fragmenting the DNS world into two different methods of accomplishing the same thing would speed up the security of DNS. Better to focus on removing the roadblocks that cause people to postpone DNSSEC deployments.

Paul
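
The stripping attack discussed in this message, as an added simulation that is not part of the thread or of the draft. It models a validating resolver asking the parent for a DS record and then the child for its apex CERT: with a DS in the parent, an on-path attacker who strips the CERT and RRSIG produces a BOGUS result, and stripping the DS itself fails because the parent's answer (including a denial) must be signed; with only a signed proof that no DS exists, the delegation is insecure and the stripped answer is indistinguishable from a zone that never published a CERT. The zone names, the CERT rdata and the HMAC-based "signatures" are constructed stand-ins (real DNSSEC uses asymmetric keys; the validator here holds the key secrets only because everything runs in one process).

```python
"""Toy model: why an apex CERT without a DS in the parent is trivially downgradable.

Signatures are HMAC-SHA256 over a canonical rrset, standing in for RRSIG
(assumption made for a single-process simulation; real DNSSEC is asymmetric).
"""
import hashlib
import hmac

PARENT_KEY = b"parent-zone-secret"   # key for "example.", used as the trust anchor
CHILD_KEY = b"child-zone-secret"     # key for "child.example."

# Constructed placeholder; not a real certificate.
CERT_RDATA = ["PKIX 0 0 MIIB...constructed..."]


def key_tag(secret: bytes) -> str:
    """Stand-in for the DNSKEY public part and for the DS digest of it."""
    return hashlib.sha256(secret).hexdigest()[:16]


def canonical(owner: str, rrtype: str, rdata: list) -> bytes:
    return (owner + "|" + rrtype + "|" + ";".join(sorted(rdata))).encode()


def sign(secret: bytes, owner: str, rrtype: str, rdata: list) -> str:
    return hmac.new(secret, canonical(owner, rrtype, rdata), hashlib.sha256).hexdigest()


def verify(secret: bytes, rr: dict) -> bool:
    """True only if the rrset carries an RRSIG that checks out under `secret`."""
    if rr["rrsig"] is None:
        return False
    expected = sign(secret, rr["owner"], rr["rrtype"], rr["rdata"])
    return hmac.compare_digest(expected, rr["rrsig"])


def rrset(owner: str, rrtype: str, rdata: list, secret: bytes = None) -> dict:
    """Build an rrset; if `secret` is given, attach an RRSIG and the signer's key tag."""
    rr = {"owner": owner, "rrtype": rrtype, "rdata": list(rdata), "rrsig": None, "key_tag": None}
    if secret is not None:
        rr["rrsig"] = sign(secret, owner, rrtype, rdata)
        rr["key_tag"] = key_tag(secret)
    return rr


def parent_answers_ds(has_ds: bool) -> dict:
    """Parent 'example.' answering 'child.example. DS?'. Either a DS or a signed NSEC
    whose type bitmap lacks DS (the standard proof of an insecure delegation)."""
    if has_ds:
        return rrset("child.example.", "DS", [key_tag(CHILD_KEY)], PARENT_KEY)
    return rrset("child.example.", "NSEC", ["next.example. NS RRSIG NSEC"], PARENT_KEY)


def child_answers_cert() -> dict:
    """Child zone publishing and signing its apex CERT."""
    return rrset("child.example.", "CERT", CERT_RDATA, CHILD_KEY)


def strip(answer: dict) -> dict:
    """On-path attacker: replace the answer with an unsigned, empty (NODATA) response."""
    return {"owner": answer["owner"], "rrtype": answer["rrtype"],
            "rdata": [], "rrsig": None, "key_tag": None}


def resolve_cert(has_ds: bool, attack: str = None):
    """Validating resolver fetching the apex CERT of child.example.

    attack: None, "strip_child" (drop CERT+RRSIG from the child's answer) or
            "strip_ds" (drop DS/NSEC+RRSIG from the parent's answer).
    Returns (status, cert_rdata_or_None).
    """
    ds = parent_answers_ds(has_ds)
    if attack == "strip_ds":
        ds = strip(ds)
    # The parent is under our trust anchor, so every answer from it, including a
    # denial of existence, must validate. An unsigned answer here is BOGUS.
    if not verify(PARENT_KEY, ds):
        return ("BOGUS", None)

    child = child_answers_cert()
    if attack == "strip_child":
        child = strip(child)

    if ds["rrtype"] == "DS":
        # Secure delegation: the child's answer must be signed by the key the DS commits to.
        if child["key_tag"] != ds["rdata"][0] or not verify(CHILD_KEY, child):
            return ("BOGUS", None)
        return ("SECURE", child["rdata"])

    # Signed proof of no DS: the child is provably unsigned, so its answer is
    # accepted as-is. A stripped answer looks exactly like "no CERT published".
    return ("INSECURE", child["rdata"] or None)


if __name__ == "__main__":
    for has_ds in (True, False):
        for attack in (None, "strip_child", "strip_ds"):
            print(f"has_ds={has_ds!s:5} attack={str(attack):12} -> {resolve_cert(has_ds, attack)}")
```

The INSECURE/None row is the downgrade Viktor describes: the resolver has done everything right and still cannot tell a stripped answer from a zone that never deployed the CERT, because nothing authenticated ever promised it one.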