Hi, DPRIVE folks, I have been working on the ADOT signaling and TLS validation problem.
This draft relies on a couple of short drafts I have submitted in DNSOP, for the "unsigned NS record" and "unsigned glue records" problems.

There are a couple of mostly superficial additional RRTYPEs to support this (an SVCB binding, and a TLSA aliasing), plus some EDNS options to reduce round trip times.

I've included numerous examples, complete except for literal RDATA from the examples for a few record types.

(I had said a fair while back, around the last IETF, that I would be submitting something. I had some time off for vacation, and a short COVID breakthrough, but finally got the drafts submitted.)

I think the scaling factors and round-trip times speak for themselves. The methods are equally suitable for small or large DNS operators, and provide full authentication with downgrade resistance.

It is not dependent on WebPKI, requires DNSSEC usage on the DNS operator's infrastructure zone (where the addresses, signaling, and TLSA data are served), but is otherwise very light on changes required beyond new RRTYPE support, and even then involves new instances of existing types.

I think it's fairly straightforward, but it is difficult to tell without getting feedback, so please let me know what you think.

(The source is markdown, processed by mmark, and managed on github. Anyone interested in contributing or commenting there, please contact me.)

Brian Dickson

---------- Forwarded message ---------
From: <[email protected]>
Date: Fri, Sep 17, 2021 at 8:27 PM
Subject: New Version Notification for draft-dickson-dprive-adot-auth-02.txt
To: Brian Dickson <[email protected]>

A new version of I-D, draft-dickson-dprive-adot-auth-02.txt has been successfully submitted by Brian Dickson and posted to the IETF repository.
Name: draft-dickson-dprive-adot-auth
Revision: 02
Title: Authenticated DNS over TLS to Authoritative Servers
Document date: 2021-09-17
Group: Individual Submission
Pages: 17
URL: https://www.ietf.org/archive/id/draft-dickson-dprive-adot-auth-02.txt
Status: https://datatracker.ietf.org/doc/draft-dickson-dprive-adot-auth/
Html: https://www.ietf.org/archive/id/draft-dickson-dprive-adot-auth-02.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-dickson-dprive-adot-auth
Diff: https://www.ietf.org/rfcdiff?url2=draft-dickson-dprive-adot-auth-02

Abstract:
This Internet Draft proposes a mechanism for DNS resolvers to discover support for TLS transport to authoritative DNS servers, to validate this indication of support, and to authenticate the TLS certificates involved. This requires that the name server _names_ are in a DNSSEC signed zone. This also requires that the delegation of the zone served is protected by [I-D.dickson-dnsop-ds-hack], since the NS names are the keys used for discovery of TLS transport support. Additional recommendations relate to use of wildcard records for efficiency and scalability, and new EDNS options to improve round trips and signaling between clients and resolvers.

The IETF Secretariat
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
