Re: [DNSOP] SIG(0) useful (and used?)

Tony Finch <dot@dotat.at> Tue, 19 June 2018 21:04 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28BB2130F2B for <dnsop@ietfa.amsl.com>; Tue, 19 Jun 2018 14:04:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mi40BuPvfWgC for <dnsop@ietfa.amsl.com>; Tue, 19 Jun 2018 14:04:04 -0700 (PDT)
Received: from ppsw-30.csi.cam.ac.uk (ppsw-30.csi.cam.ac.uk [131.111.8.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C579130F61 for <dnsop@ietf.org>; Tue, 19 Jun 2018 14:04:04 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:40154) by ppsw-30.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1fVNnG-0006Yo-eH (Exim 4.91) (return-path <dot@dotat.at>); Tue, 19 Jun 2018 22:04:02 +0100
Date: Tue, 19 Jun 2018 22:04:01 +0100
From: Tony Finch <dot@dotat.at>
To: =?UTF-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@isc.org>
cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <6C8533C2-6510-4A0E-A7EA-50EB83E43A7D@isc.org>
Message-ID: <alpine.DEB.2.11.1806192154190.916@grey.csi.cam.ac.uk>
References: <6C8533C2-6510-4A0E-A7EA-50EB83E43A7D@isc.org>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="1870870841-1784780845-1529442242=:916"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zsh72o3yka9hxlS6cJ2oGv2HAgI>
Subject: Re: [DNSOP] SIG(0) useful (and used?)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 21:04:07 -0000

Ondřej Surý <ondrej@isc.org> wrote:
>
> Do people think the SIG(0) is something that we should keep in DNS and
> it will be used in the future or it is a good candidate for throwing off
> the boat?

SIG(0) is the only DNS feature that (could) allow unauthenticated client
access to an authenticated server, which would allow

* secure inteerface to resolver (maybe with SIG(0) + TKEY -> TSIG,
  but now  probably better to use TLS or DoH)

* secure stealth secondaries (maybe TLS support would be better)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
an equitable and peaceful international order