IETF Logo Mail Archive

Re: [homenet] Paul Wouters' Discuss on draft-ietf-homenet-naming-architecture-dhc-options-21: (with DISCUSS)

Daniel Migault <mglt.ietf@gmail.com> Mon, 31 October 2022 13:35 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 643B6C1522DA; Mon, 31 Oct 2022 06:35:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRW5-JHbhCRe; Mon, 31 Oct 2022 06:34:59 -0700 (PDT)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B08EC1522D8; Mon, 31 Oct 2022 06:34:59 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id 63so9721482iov.8; Mon, 31 Oct 2022 06:34:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1KnyczakNh26L9aG4tipS+BSKEXZ1qlB9CjNr1WX9yc=; b=HQO2ov5BYjYHhMHns1LN+IOeLcIZX5ZB/vcuxy+jYZt2p/K6XkSUU894ICAwRfB68e 2+0FWK/IvIvV4IXOsU3R8Pz6lGf2YXf9iic07Mh/pD1DQEiPAWHyU9bjelii4xaSndqW Y6C84jYct1gLbfd0cWC0YQ7NlsHoD5E2ru/NSfgapuvBLfMnSasPedHDdDDRBQ2Qy/Jb +Ts8NuS1AlCpQXGC5kLnwB6cRbI+iWBLzmVdn/4McvUbFLjduETn+f8eBI8S2aboy67E rpUiqMC579jIZ/S3Ma1OLkobNdZb9Fl7k4SvOi/fLuW6yHTg3LoOa/jgzKx1RfV5yMr3 uGjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1KnyczakNh26L9aG4tipS+BSKEXZ1qlB9CjNr1WX9yc=; b=PpPxIJG82JWhVekun2z8w9atBnbPgnONse+9C22WIc78mmNzuAN+oxlTXqZ1f3hwvv eg2qu9Nmu/Lbp/G1OtMFYjB3D72CpWyB+2nyAinm4sRPQ1giXstAP5bxDk7R3Of0Hk82 wEClG5iSUIM6KEd+62F8Vmq8OEHD/c/UXeNlxKaPhzb68H71+bgyxKptjleP3qKwqa+r dXWPrF8P2IqPOjX9e1Z1u5LODTnQCyVtnnO1Y8X9NATMWb+Lyz1m9oRKzNU3UKwKPINC 35UdH7r7kUE1qrNg2hXP/HiF5o6yxZlWNCc5/HHLY5hvU5d39PN3TbDqniLhHpD67Amo 1FFA==
X-Gm-Message-State: ACrzQf1V8pSzebLV1ouuU++jPJpAPMVMfJaPdnTm+I+8JbMRqjO0h5KY iXncEgYdpMfDM9+vAEvh3cF4KcohJqcXveONu6o=
X-Google-Smtp-Source: AMsMyM7bzBz+DjuIaR06BYoNl2ng6CKEvQt4Wt79C36aiGGdsgN67SJ4QOUB2K1PkPFgz7C6lkGyKd45eMfAms1/Cxo=
X-Received: by 2002:a05:6638:2488:b0:375:aa4:885 with SMTP id x8-20020a056638248800b003750aa40885mr7454473jat.160.1667223298420; Mon, 31 Oct 2022 06:34:58 -0700 (PDT)
MIME-Version: 1.0
References: <CADZyTkmhc2W=d13w=rb8DciYuv1S5xG3USuTM9On1Fn=Et5F6w@mail.gmail.com> <28F1B4DB-5062-45BB-A802-045E9EBBB34A@aiven.io> <CADZyTknvpwmO7MZp6WWS=vf1i8HhS1CGtH7D=OGRUy+Pdg=OsQ@mail.gmail.com>
In-Reply-To: <CADZyTknvpwmO7MZp6WWS=vf1i8HhS1CGtH7D=OGRUy+Pdg=OsQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 31 Oct 2022 09:34:47 -0400
Message-ID: <CADZyTkm5GnG+vrfggzgAWOYczgLKb2zNZ+7oMBtx1t3tb6DTwg@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: The IESG <iesg@ietf.org>, draft-ietf-homenet-naming-architecture-dhc-options@ietf.org, homenet-chairs@ietf.org, homenet@ietf.org, stephen.farrell@cs.tcd.ie
Content-Type: multipart/alternative; boundary="00000000000076b5d405ec54ac31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/bi0zUPcPjPSfvS6P3W2ThPkwoFU>
Subject: Re: [homenet] Paul Wouters' Discuss on draft-ietf-homenet-naming-architecture-dhc-options-21: (with DISCUSS)
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2022 13:35:03 -0000

Hi Paul,

We implemented the change and used DNS over mutually TLS (DomTLS) to
represent DoT and XoT. We do believe we have address all your concerns for
this draft and your DISCUSS can be lifted. The other document has its
own DISCUSS and I do not believe there is any need to hold a DISCUSS. Of
course, the DISCUSS being raised does not mean no changes can be made.

Yours,
Daniel

On Fri, Oct 28, 2022 at 7:32 PM Daniel Migault <mglt.ietf@gmail.com> wrote:

> I am happy to close this issue with DNS over mTLS.
> Yours,
> Daniel
> On Fri, Oct 28, 2022 at 7:19 PM Paul Wouters <paul.wouters@aiven.io>
> wrote:
>
>> I did see the previous reply and it doesn’t make too much sense to me.
>>
>> You could say “mutually authenticated TLS” or something but I find it a
>> little odd that these two things which are separate are one option.
>>
>
> Perhaps it is better if we resolve the other document DISCUSS first and
>> then see if that helps resolve this DISCUSS.
>>
>> Sent using a virtual keyboard on a phone
>>
>> On Oct 28, 2022, at 17:06, Daniel Migault <mglt.ietf@gmail.com> wrote:
>>
>> 
>> I thought I responded to it, but was not able to find the response...
>> until I realized the response is not inline... but in the main part of the
>> email. I am copying the response here - and take that inline text seems
>> much clearer.
>>
>> The reason we mentioned both RFC7858 and RFC9103 is that the
>> communication between the Homenet Naming Authority (HNA) and the
>> Distribution Manager (DM) involves two different channels. The Control
>> Channel that aims at configuring/managing the Synchronization Channel (i.e.
>> the primary/secondary). The Control Channel uses DNS over TLS RFC7858 while
>> the Synchronization Channel uses DNS Zone transfer over TLS 9103. The two
>> channels always go in pairs. As both are using DNS over TLS we use the
>> mnemonic 'DoT' for the Selected Transport. From what you are saying, it
>> might be clearer to just mention 'TLS' for the Selected Transport as DoT
>> might be really tightened to 7858. If you think this is clearer, I am happy
>> to do so as well as with any name that you think is clearer.
>>
>> Yours,
>> Daniel
>>
>> On Fri, Oct 28, 2022 at 4:17 PM Paul Wouters <paul.wouters@aiven.io>
>> wrote:
>>
>>> Was there a problem with my suggested CURRENT / NEW suggestion ?
>>>
>>> Sent using a virtual keyboard on a phone
>>>
>>> On Oct 28, 2022, at 15:14, Daniel Migault <mglt.ietf@gmail.com> wrote:
>>>
>>> 
>>> Hi Paul,
>>>
>>> I am wondering if there are any remaining concerns left for
>>> the draft-ietf-homenet-naming-architecture-dhc-options document and
>>> anything you would like us to address to lift your discuss.
>>>
>>> Yours,
>>> Daniel
>>>
>>> On Mon, Oct 24, 2022 at 8:49 PM Daniel Migault <mglt.ietf@gmail.com>
>>> wrote:
>>>
>>>> Hi Paul,
>>>>
>>>> Thanks for the follow-up. The reason we mentioned both RFC7858 and
>>>> RFC9103 is that the communication between the Homenet Naming Authority
>>>> (HNA) and the Distribution Manager (DM) involves two different channels.
>>>> The Control Channel that aims at configuring/managing the Synchronization
>>>> Channel (i.e. the primary/secondary). The Control Channel uses DNS over TLS
>>>> RFC7858 while the Synchronization Channel uses DNS Zone transfer over TLS
>>>> 9103. The two channels always go in pairs. As both are using DNS over TLS
>>>> we use the mnemonic 'DoT' for the Selected Transport. From what you are
>>>> saying, it might be clearer to just mention 'TLS' for the Selected
>>>> Transport as DoT might be really tightened to 7858. If you think this is
>>>> clearer, I am happy to do so as well as with any name that you think is
>>>> clearer.
>>>>
>>>> Yours,
>>>> Daniel
>>>>
>>>> On Mon, Oct 24, 2022 at 7:20 PM Paul Wouters <paul.wouters@aiven.io>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Sun, Oct 23, 2022 at 10:45 PM Daniel Migault <mglt.ietf@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> While TLS gives you privacy,
>>>>>>
>>>>>>> the DNS Update cannot be done with only TLS (as far as I understand
>>>>>>>>> it).
>>>>>>>>
>>>>>>>> please develop, but just in case, we do not use dns update to
>>>>>>>> synchronize the zone. we use AFXR/IXRF over TLS define din XoT.
>>>>>>>>
>>>>>>>
>>>>> This to me was not clear and a missed reference by me. While you name
>>>>> RFC9103, the text states:
>>>>>
>>>>> DNS over TLS: indicates the support of DNS over TLS as described in
>>>>>    [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and [RFC9103 <https://datatracker.ietf.org/doc/html/rfc9103>].
>>>>>
>>>>> I should have looked more closely at the references, and I would have
>>>>> realized 9103 is about DNS XFR over TLS. That document indeed explains
>>>>> that XoT uses mutually authenticated TLS which provides the
>>>>> authentication for the XFR streams.
>>>>>
>>>>> My suggestion:
>>>>>
>>>>> Current:
>>>>>
>>>>> DNS over TLS: indicates the support of DNS over TLS as described in
>>>>>    [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and [RFC9103 <https://datatracker.ietf.org/doc/html/rfc9103>].
>>>>>
>>>>> New:
>>>>>
>>>>> DNS Zone Transfer over TLS: indicates the support of DNS Zone Transfer
>>>>> over TLS as described in [RFC9103]
>>>>>
>>>>>
>>>>
>>>>> The reference to RFC7858 is misleading - it only deals with stub to
>>>>> recursive.
>>>>>
>>>>> If you think stub to recursive is in scope, it might be better to use
>>>>> two DHCP options as these two things
>>>>> seem to be very separate protocols (that just both happen to use DNS
>>>>> and TLS)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>> So you are going against the RFC 5936 SHOULD.
>>>>>>>
>>>>>>> I even had to look this up because I didn't know you could do an
>>>>>>> AXFR as a secondary
>>>>>>> from a primary without DNS level authentication. Apparently you can,
>>>>>>> but you SHOULD not.
>>>>>>>
>>>>>>> That is what we do. TLS provides enough security to replace TSIG /
>>>>>> SIG(0).
>>>>>>
>>>>>
>>>>>
>>>>> Reading 9103 made that clear to me now, but the text in the document
>>>>> did not. Perhaps that can be stated more clearly ?
>>>>>
>>>>> Paul
>>>>>
>>>>
>>>>
>>>> --
>>>> Daniel Migault
>>>> Ericsson
>>>>
>>>
>>>
>>> --
>>> Daniel Migault
>>> Ericsson
>>>
>>>
>>
>> --
>> Daniel Migault
>> Ericsson
>>
>>
>
> --
> Daniel Migault
> Ericsson
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email