On 19. 05. 20 11:24, Peter van Dijk wrote:
> Hello DNS privacy people,
>
> please find below all details about our proposal for enabling DoT from
> resolver to authoritative.
>
> This work is based on Manu Bretelle's presentation in Prague over a
> year ago, after which we spent a lot of time figuring out how to
> squeeze the DoT signal and key pin into the constraints of DNSKEY/DS
> records.
>
> We have some running code (linked in the draft) to show feasibility of
> the approach.
>
> The draft is managed on GitHub in .md format at
> https://github.com/PowerDNS/parent-signals-dot/tree/master/draft-vandijk-dprive-ds-dot-signal-and-pin

I support this. It is hacky but has very nice properties which are not
explicitly described in the document:

- It does not require any extra round-trips to determine if DoT is
  supported on the auth side.
- It is downgrade-resistant.
- It potentially closes all cleartext leaks (if parent domains are also
  secured).
- DS "compatibility" makes it deployable in practice.
- CDS/CDNSKEY makes management from the auth side easier.

Personally I think any proposal which requires major protocol changes
(e.g. a new parent-side record type) will take many years to get
deployed, so this seems like a feasible way forward.

Petr Špaček @ CZ.NIC

> Looking forward to your comments,
> Peter, Manu & Robin
>
> -------- Forwarded Message --------
> From: [email protected]
> To: Peter van Dijk <[email protected]>, Emmanuel Bretelle
> <[email protected]>, Robin Geuze <[email protected]>
> Subject: [EXT] New Version Notification for
> draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt
> Date: Tue, 19 May 2020 02:18:23 -0700
>
> A new version of I-D, draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt
> has been successfully submitted by Peter van Dijk and posted to the
> IETF repository.
>
> Name:           draft-vandijk-dprive-ds-dot-signal-and-pin
> Revision:       00
> Title:          Signalling Authoritative DoT support in DS records,
>                 with key pinning
> Document date:  2020-05-19
> Group:          Individual Submission
> Pages:          10
> URL:            https://www.ietf.org/internet-drafts/draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/
> Htmlized:       https://tools.ietf.org/html/draft-vandijk-dprive-ds-dot-signal-and-pin-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-vandijk-dprive-ds-dot-signal-and-pin
>
> Abstract:
>    This document specifies a way to signal the usage of DoT, and the
>    pinned keys for that DoT usage, in authoritative servers. This
>    signal lives on the parent side of delegations, in DS records. To
>    ensure easy deployment, the signal is defined in terms of (C)DNSKEY.
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
>
> The IETF Secretariat

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
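The following is an added illustration of the mechanism the thread discusses (a DoT signal plus key pin carried in the parent's DS records, derived from a (C)DNSKEY), written for this page and not taken from the draft, the thread, or PowerDNS's running code. The RFC 4034 key tag and the SHA-256 DS digest over owner name plus DNSKEY RDATA are the real DNSSEC computations. Everything else about the encoding is an assumption made only to make the flow concrete: the placeholder DNSKEY algorithm number that marks a "signal" key, the flags value, and the idea that the pin (a SHA-256 of the server's SPKI) sits in the DNSKEY public-key field. The example walks all three parties: the child publishes a signal CDNSKEY, the parent derives the DS, and the resolver, holding only the validated DS RRset from the referral and the key presented in the TLS handshake, decides between plaintext, pinned DoT, and refusing a mismatched key. It shows two of the properties Petr lists above: no extra round trip (the DS arrives with the referral) and downgrade resistance (stripping the signal DS breaks the parent's signature, and a mismatched key is not treated as "no DoT").

```python
# Added illustration; not code from the thread, the draft, or PowerDNS.
# Real parts: RFC 4034 Appendix B key tag; RFC 4034 section 5.1.4 DS digest
# (digest type 2 = SHA-256 over owner name wire form | DNSKEY RDATA).
# Assumed parts (NOT the draft's actual encoding): SIGNAL_ALGORITHM and
# SIGNAL_FLAGS are placeholders, and the SPKI pin is carried in the
# DNSKEY public-key field.
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable

SIGNAL_ALGORITHM = 250   # hypothetical placeholder value
SIGNAL_FLAGS = 0         # hypothetical: not a zone-signing key
DNSKEY_PROTOCOL = 3      # RFC 4034: the only valid protocol value
DIGEST_SHA256 = 2        # DS digest type for SHA-256


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY) -> DS:
    """Parent side: DS digest = SHA-256(owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, DIGEST_SHA256, digest)


def signal_cdnskey(spki_sha256: bytes) -> DNSKEY:
    """Child side: the CDNSKEY the child publishes so the parent can derive the
    signal DS (assumed layout: the 32-byte SPKI pin is the public-key field)."""
    if len(spki_sha256) != 32:
        raise ValueError("pin must be a 32-byte SHA-256 of the server's SPKI")
    return DNSKEY(SIGNAL_FLAGS, DNSKEY_PROTOCOL, SIGNAL_ALGORITHM, spki_sha256)


def evaluate_dot(owner: str, ds_rrset: Iterable[DS], server_spki_sha256: bytes) -> str:
    """Resolver side, given the DNSSEC-validated DS RRset from the referral and
    the SPKI hash of the certificate presented by the authoritative server.

    Returns "no-signal" (nothing promises DoT, plaintext is allowed),
    "dot-pinned" (a signal DS matches the presented key), or "pin-mismatch"
    (DoT was promised but the key differs: do not fall back to plaintext).
    The pin is never needed in the clear: the resolver rebuilds the would-be
    DNSKEY from the certificate and compares DS digests, so no extra round
    trip is spent and the signal cannot be stripped without breaking the
    parent's signature over the DS RRset.
    """
    signals = [ds for ds in ds_rrset if ds.algorithm == SIGNAL_ALGORITHM]
    if not signals:
        return "no-signal"
    candidate = make_ds(owner, signal_cdnskey(server_spki_sha256))
    for ds in signals:
        if (ds.key_tag, ds.digest_type, ds.digest) == (
                candidate.key_tag, candidate.digest_type, candidate.digest):
            return "dot-pinned"
    return "pin-mismatch"


if __name__ == "__main__":
    # Constructed sample data: not a real zone, server, or certificate.
    pin = hashlib.sha256(b"constructed SPKI of ns1.example").digest()
    ds_rrset = [make_ds("example.", signal_cdnskey(pin)),
                DS(12345, 13, DIGEST_SHA256, bytes(32))]  # an ordinary DNSSEC DS
    print(evaluate_dot("example.", ds_rrset, pin))  # dot-pinned
    print(evaluate_dot("example.", ds_rrset, hashlib.sha256(b"other key").digest()))  # pin-mismatch
```

The ordinary algorithm-13 DS in the sample RRset is ignored by the signal check, which is what lets the scheme coexist with existing DNSSEC delegations; the important policy point is in the last branch, where a promised-but-mismatched key is reported distinctly rather than collapsing into plaintext fallback.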
