Sara Dickinson <[email protected]> wrote:
> > On 13 Jul 2020, at 23:35, Tony Finch <[email protected]> wrote:
> >
> > 7 authentication
>
> Belated responses on this topic!

And a few more thoughts from me, pruned for length ...

> Well the goal was to compare and contrast the set of existing control
> methods - they do all have different properties and we wanted to explain
> where TLS fits in with these and be clear it can’t directly replace
> them…
>
> Perhaps authentication is too broad a term for this whole set of
> mechanisms. Maybe the split here should be transport independent
> verification mechanisms vs TLS…?

What I would expect to get from reading this section is how TSIG and X.509
authentication interact (and maybe SIG(0) too), i.e. what the implications
are for configuring server ACLs and client credentials.

ZONEMD doesn't fit in that context, I think.

> We use a v. broad definition of ‘data auth’:  “Authentication that the
> DNS message data is signed by the party with whom credentials were
> shared”, but given your comment I believe better term would be something
> like 'data origin auth' or 'transfer entity auth'.

Right, that's the distinction I was making. But I think this draft only
needs to care about the peer authentication because data authentication is
unaffected by TLS. (And doesn't affect privacy.)

> TSIG gives entity authentication but not guaranteed confidentiality. The
> specific threat here is that in principle without authentication a MitM
> attack is possible on the TLS connection... that attack can see not only
> the zone transfer requests but more importantly the responses, which is
> what we are trying to avoid.

Ah, I understand now, thanks. Given that I think you are right to leave
out unauthenticated-but-required TLS as an option since it doesn't make
much sense. I have not read RFC 8310 properly yet, but if it doesn't
discuss why this middle option doesn't provide much extra privacy, then
perhaps this draft should have a few words.

Otherwise, it all sounds good. Thanks for working on this draft!

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
South Utsire: Northwest 4 or 5, becoming variable 3, then southeast 5 or 6
later. Slight or moderate. Fair. Good.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
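The distinction drawn in the thread (TSIG gives entity/data-origin authentication of a zone transfer but leaves the request and response in the clear) is easiest to see in wire bytes. The following is an added example, not code from the draft or from either poster: it signs an AXFR request with TSIG as specified in RFC 8945 (HMAC-SHA256), verifies it, and shows that the zone name is readable by anyone on the path with no key at all. The key name, shared secret, timestamp and zone are constructed for the demo; the name parser deliberately handles only uncompressed names, which is all the signer emits.

```python
"""TSIG (RFC 8945) signing and verification of an AXFR request.
Added example; key name, secret, timestamp and zone are constructed."""
import hashlib
import hmac
import struct

TYPE_AXFR, TYPE_TSIG = 252, 250
CLASS_IN, CLASS_ANY = 1, 255
KEY_NAME = "xfr-key.example."                            # constructed key name
SECRET = b"constructed-demo-secret-not-for-production"  # constructed shared secret

def encode_name(name):
    """Uncompressed, lowercase (canonical) wire form of a domain name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Parse an uncompressed wire-format name (all this example ever emits);
    a real parser must also follow 0xC0 compression pointers."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compressed names not handled here")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def build_axfr_query(zone, msg_id):
    """Unsigned AXFR request: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' hashed after the message (RFC 8945, section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key_name, secret, time_signed, fudge=300, alg="hmac-sha256."):
    """Append a TSIG RR to an unsigned request. The message bytes themselves
    are left exactly as they were: TSIG authenticates, it does not encrypt."""
    mac = hmac.new(secret, message + tsig_variables(key_name, alg, time_signed, fudge),
                   hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(alg) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def tsig_verify(signed, secret, now, expect_key=KEY_NAME):
    """True only if the last RR is a TSIG for the expected key, the MAC matches
    and the timestamp is inside the fudge window. Malformed input yields False."""
    try:
        qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
        off, last = 12, None
        for _ in range(qd):                       # skip the question section
            _, off = decode_name(signed, off)
            off += 4
        for _ in range(an + ns + ar):             # walk RRs to find the last one
            last = off
            _, off = decode_name(signed, off)
            off += 10 + struct.unpack("!HHIH", signed[off:off + 10])[3]
        if last is None or off != len(signed):
            return False
        key_name, p = decode_name(signed, last)
        rtype, rclass, ttl, _ = struct.unpack("!HHIH", signed[p:p + 10])
        p += 10
        if (rtype, rclass, ttl, key_name) != (TYPE_TSIG, CLASS_ANY, 0, expect_key):
            return False
        alg, p = decode_name(signed, p)
        time_signed = int.from_bytes(signed[p:p + 6], "big")
        fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
        mac = signed[p + 10:p + 10 + mac_size]
        p += 10 + mac_size
        original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
        other = signed[p + 6:p + 6 + other_len]
        if alg != "hmac-sha256." or abs(now - time_signed) > fudge:
            return False
        # Rebuild the message as it was before the TSIG RR was appended.
        unsigned = (struct.pack("!H", original_id) + signed[2:10]
                    + struct.pack("!H", ar - 1) + signed[12:last])
        expected = hmac.new(secret, unsigned + tsig_variables(
            key_name, alg, time_signed, fudge, error, other), hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)
    except (struct.error, IndexError, ValueError, UnicodeDecodeError):
        return False

def zone_name_on_the_wire(signed):
    """What a passive observer reads from the signed request with no key at all."""
    return decode_name(signed, 12)[0]

def demo(now=1594679700):  # constructed 'current time', not the wall clock
    signed = tsig_sign(build_axfr_query("example.com.", 0x1234), KEY_NAME, SECRET, now)
    tampered = signed[:13] + b"z" + signed[14:]   # change one byte of the QNAME
    return {
        "valid": tsig_verify(signed, SECRET, now),
        "tampered": tsig_verify(tampered, SECRET, now),
        "wrong_key": tsig_verify(signed, b"some-other-secret", now),
        "stale": tsig_verify(signed, SECRET, now + 3600),
        "zone_visible": zone_name_on_the_wire(signed),
    }
```

Running demo() gives the four verification outcomes (genuine, tampered, wrong key, outside the fudge window) plus the zone name recovered from the signed bytes without the key, which is exactly the gap the draft fills with TLS: TSIG tells the server who is asking and protects the bytes from modification, but it does nothing to hide what was asked for or what comes back.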