Re: dane-openpgp 2nd LC resolution

Mark Andrews <marka@isc.org> Tue, 15 March 2016 02:39 UTC

Return-Path: <marka@isc.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13F2B12D883 for <ietf@ietfa.amsl.com>; Mon, 14 Mar 2016 19:39:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R4BMTrYh9Glx for <ietf@ietfa.amsl.com>; Mon, 14 Mar 2016 19:39:27 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 345BF12D85A for <ietf@ietf.org>; Mon, 14 Mar 2016 19:39:27 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 849543493A5; Tue, 15 Mar 2016 02:39:24 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 7D9F8160045; Tue, 15 Mar 2016 02:39:24 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 6CA3F160074; Tue, 15 Mar 2016 02:39:24 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id WhG5goD6w4gS; Tue, 15 Mar 2016 02:39:24 +0000 (UTC)
Received: from rock.dv.isc.org (c110-21-49-25.carlnfd1.nsw.optusnet.com.au [110.21.49.25]) by zmx1.isc.org (Postfix) with ESMTPSA id 0F6C8160045; Tue, 15 Mar 2016 02:39:24 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 0CF45446E311; Tue, 15 Mar 2016 13:39:20 +1100 (EST)
To: Doug Barton <dougb@dougbarton.us>
From: Mark Andrews <marka@isc.org>
References: <56DC484F.7010607@cs.tcd.ie> <56E636FD.9050902@dougbarton.us> <alpine.LFD.2.20.1603141916360.830@bofh.nohats.ca> <56E768E6.5090905@dougbarton.us>
Subject: Re: dane-openpgp 2nd LC resolution
In-reply-to: Your message of "Mon, 14 Mar 2016 18:44:06 -0700." <56E768E6.5090905@dougbarton.us>
Date: Tue, 15 Mar 2016 13:39:19 +1100
Message-Id: <20160315023920.0CF45446E311@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/Ia7ffRyP17W8hq_lUHq20ucfHpk>
Cc: Paul Wouters <paul@nohats.ca>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2016 02:39:38 -0000

In message <56E768E6.5090905@dougbarton.us>us>, Doug Barton writes:
> On 03/14/2016 04:18 PM, Paul Wouters wrote:
> > Yes, you are about 1.5 years late. And your arguments are (un)fortunately
> > not new arguments. Since the archive on this draft is rather huge, I can
> > understand that you missed part of this discussion. So for completeness
> > sake, I will answer your questions again.
> 
> Thank you for your patience in explaining your reasoning, and again, I'm 
> sorry for coming late to the party. And thanks as well for confirming 
> that my memory is correct ... at one time I did hear that this topic was 
> going in the direction of signatures rather than certs. Unfortunate that 
> I didn't follow it closer.
> 
> Regarding what you said and what your goals are, I think that we are 
> pretty far apart. I will send a detailed response to your message on the 
> DANE list soon. In all likelihood I will also create a new I-D with my 
> ideas specified in more detail. Perhaps what is needed is more than one 
> experiment. :)
> 
> In regards to the current last call, while your explanations do help to 
> alleviate a few of my concerns, in large part I am still not 
> enthusiastic about this version of the draft proceeding.
> 
> In particular I think the concern about these RRs being used for DDOS 
> amplification remains. There is no mechanism in place currently in any 
> name server software that I am aware of to limit responses to queries in 
> the manner you describe (only send answers if the query comes over TCP 
> or with DNS-Cookies). Further, I don't see that happening any time soon.

You just limit response sizes in general.  BIND 9.11 has
"nocookie-udp-size <integer>;" which sets a EDNS response size limit
for queries w/o a valid server cookie.  If the response doesn't fit
you do the normal fallback to TCP.  With EDNS both sides can set
limits on what they are willing to send/receive.

Amplification controls should be independent of qname and qtype.

> Close behind that concern, the larger IETF community (or at least some 
> very vocal segments of it) have serious concerns about this type of 
> opportunistic encryption happening at all, or in my case, without user 
> input. They (and to some extent I) remain unconvinced that your 
> assertion that this type of opportunistic encryption is always better 
> than the current state. Personally, I need to think more about that, but 
> at least in the early stages of an experiment in tying PGP keys to DNS 
> RRs, I'm definitely opposed.
> 
> FWIW,
> 
> Doug
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org