On Tue, 19 May 2020, Peter van Dijk wrote:
The draft is managed on GitHub in .md format at https://github.com/PowerDNS/parent-signals-dot/tree/master/draft-vandijk-dprive-ds-dot-signal-and-pin
This is ..... interesting. We first added the KEY RRTYPE in the 1990s to allow generic public keys in DNS. Then the DNS (and CA) people got upset at the KEY record being used for something else than securing DNS. So KEY was obsoleted for DNSKEY that signified it is for DNSSEC only. This draft now tries to shoehorn a TLS key into the DNSKEY record.

A much cleaner solution would be to use a proper TLSA record. If you want to signal securely within DNSSEC that encrypted DNS is available, use a DNSKEY flag on the existing DNSKEYs to signal that (similar to the DELEGATION_ONLY flag). You only need 1 bit, and TLSA records - which are port specific - can be used to signify presence of DoT or DoH. Or if you want to support both on port 443 for middleware circumvention, you can use _dot and _doh prefixes (e.g. _443._dot.nohats.ca IN TLSA <blob>). The TLSA records can also be of different types, so you can pin the TLSA record to a pubkey, certificate or specific CA. This would allow the DoH or DoT maintainer to change/update their keys without needing to update or have access to the DNSSEC signer to update the DNS.

Let's not create "pseudo DNS records".

Paul
Looking forward to your comments,
Peter, Manu & Robin

-------- Forwarded Message --------
From: [email protected]
To: Peter van Dijk <[email protected]>, Emmanuel Bretelle <[email protected]>, Robin Geuze <[email protected]>
Subject: [EXT] New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt
Date: Tue, 19 May 2020 02:18:23 -0700

A new version of I-D, draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt has been successfully submitted by Peter van Dijk and posted to the IETF repository.

Name: draft-vandijk-dprive-ds-dot-signal-and-pin
Revision: 00
Title: Signalling Authoritative DoT support in DS records, with key pinning
Document date: 2020-05-19
Group: Individual Submission
Pages: 10
URL: https://www.ietf.org/internet-drafts/draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt
Status: https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/
Htmlized: https://tools.ietf.org/html/draft-vandijk-dprive-ds-dot-signal-and-pin-00
Htmlized: https://datatracker.ietf.org/doc/html/draft-vandijk-dprive-ds-dot-signal-and-pin

Abstract:
This document specifies a way to signal the usage of DoT, and the pinned keys for that DoT usage, in authoritative servers. This signal lives on the parent side of delegations, in DS records. To ensure easy deployment, the signal is defined in terms of (C)DNSKEY.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
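As an added illustration of the TLSA-based alternative sketched in the reply above (example code added to this archive page, written by neither correspondent and not part of the draft), the following builds RFC 6698 TLSA records from a certificate and checks a presented certificate against them. It also shows what the reply's "pin to a pubkey, certificate or specific CA" choice means operationally: a selector 1 (SubjectPublicKeyInfo) pin survives a certificate re-issue for the same key, while a selector 0 (full certificate) pin does not. The `_dot`/`_doh` owner labels follow the reply's proposal and are not a registered convention (RFC 6698 uses `_<port>._tcp`); the certificate and SPKI values are constructed placeholder bytes, not real DER, and every function name is this example's own.

```python
"""TLSA (RFC 6698) record construction and matching.

Added example, not code from the draft or the thread. The helpers and the
SPKI/certificate byte strings below are hypothetical/constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA RR, fields in RFC 6698 section 2 order."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    mtype: int      # 0 = exact data, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes     # certificate association data

    def to_presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        usage, selector, mtype, hexdata = text.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def tlsa_owner_name(zone: str, port: int, proto: str = "_tcp") -> str:
    """Owner name of the TLSA RRset. RFC 6698 uses _<port>._tcp.<zone>; passing
    proto="_dot" or "_doh" follows the reply's suggested (non-standard) labels."""
    return f"_{port}.{proto}.{zone}"


def _selected_data(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown TLSA selector {selector}")


def _matching_data(mtype: int, data: bytes) -> bytes:
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def make_tlsa(usage: int, selector: int, mtype: int,
              cert_der: bytes, spki_der: bytes) -> TLSA:
    """Publisher side: derive the record the zone operator puts in DNS."""
    selected = _selected_data(selector, cert_der, spki_der)
    return TLSA(usage, selector, mtype, _matching_data(mtype, selected))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Validator side: does the certificate seen in the handshake satisfy the pin?"""
    selected = _selected_data(record.selector, cert_der, spki_der)
    expected = _matching_data(record.mtype, selected)
    return hmac.compare_digest(expected, record.data)


# Constructed placeholder bytes standing in for DER structures (NOT real X.509 data).
SPKI = b"CONSTRUCTED-SPKI-public-key-placeholder"
CERT_V1 = b"CONSTRUCTED-CERT-issued-2020-05:" + SPKI
CERT_V2 = b"CONSTRUCTED-CERT-reissued-2020-08:" + SPKI   # same key, new certificate


def rotation_demo() -> dict:
    """Selector 1 (SPKI) keeps matching after a re-issue; selector 0 (cert) does not."""
    spki_pin = make_tlsa(3, 1, 1, CERT_V1, SPKI)   # "3 1 1": DANE-EE, SPKI, SHA-256
    cert_pin = make_tlsa(3, 0, 1, CERT_V1, SPKI)   # "3 0 1": DANE-EE, full cert, SHA-256
    return {
        "spki_pin_survives_reissue": tlsa_matches(spki_pin, CERT_V2, SPKI),
        "cert_pin_survives_reissue": tlsa_matches(cert_pin, CERT_V2, SPKI),
    }


if __name__ == "__main__":
    pin = make_tlsa(3, 1, 1, CERT_V1, SPKI)
    print(f"{tlsa_owner_name('nohats.ca', 443, '_dot')} IN TLSA {pin.to_presentation()}")
    print(rotation_demo())
```

Because the TLSA RRset lives in the operator's own zone, rotating the "3 1 1" record above needs only the zone's normal signing pipeline, which is the separation from the parent-side DS the reply argues for.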
