I do agree that given the structure of the
DNS and the existing mechanisms in place -
Paul W mentioned the DNS is a PKI - the WG
should authenticate the DNS server.
It is unclear to me what advantages
opportunistic security provides as well as
how it presents a starting point to a fully
secured
On Mon, Feb 15, 2021 at 3:23 PM Paul Wouters wrote:
> On Mon, 15 Feb 2021, Stephen Farrell wrote:
>
> >> - We invent some mechanism that allows you to specify in an NS record
> that
> >> the server takes TLS (as a hacky example, "servers have to be named
> >> .example.com").
> >
> > Wasn't
On Mon, Feb 15, 2021 at 1:20 PM Peter van Dijk
wrote:
> On Thu, 2021-02-11 at 13:54 -0500, Tim Wicinski wrote:
>
>
> Thanks Sara
>
> Folks should take a look at the changes, and those who raised issues can
> ensure
> these updates have addressed everything.
>
>
> This update works for me.
On Mon, 15 Feb 2021, Stephen Farrell wrote:
- We invent some mechanism that allows you to specify in an NS record that
the server takes TLS (as a hacky example, "servers have to be named
.example.com").
Wasn't exactly that proposed but shot down already (for
DNS, not crypto, reasons)?
On Mon, Feb 15, 2021 at 3:15 PM Stephen Farrell
wrote:
>
>
> On 15/02/2021 23:05, Eric Rescorla wrote:
> > Sure, I can believe that. I'm not any kind of DNS expert, but it's hard
> to
> > believe we can't invent *some* signal that you use to ask whoever served
> > you the NS records.
>
> Yep. I
On 15/02/2021 23:05, Eric Rescorla wrote:
Sure, I can believe that. I'm not any kind of DNS expert, but it's hard to
believe we can't invent *some* signal that you use to ask whoever served
you the NS records.
Yep. I think someone had a presentation a while back about
how all the approaches
On Mon, Feb 15, 2021 at 2:59 PM Paul Hoffman wrote:
> On Feb 15, 2021, at 2:49 PM, Eric Rescorla wrote:
> > The reason we have WGs is to work out such matters in detail, no? And in
> particular, I think the WG should try to figure out the problem space
> before designing.
>
> Yes, please.
>
> >
On Mon, Feb 15, 2021 at 3:04 PM Stephen Farrell
wrote:
>
>
> On 15/02/2021 22:58, Eric Rescorla wrote:
> > I don't recall. My sense was that people didn't like it being WebPKI
> rather
> > than DNSSEC, but maybe there's some more fatal reason? If so, I'd
> certainly
> > appreciate a link to that
On 15/02/2021 22:58, Eric Rescorla wrote:
I don't recall. My sense was that people didn't like it being WebPKI rather
than DNSSEC, but maybe there's some more fatal reason? If so, I'd certainly
appreciate a link to that shooting down.
Forget, sorry. Can look tomorrow or maybe someone'll beat
On Feb 15, 2021, at 2:49 PM, Eric Rescorla wrote:
> The reason we have WGs is to work out such matters in detail, no? And in
> particular, I think the WG should try to figure out the problem space before
> designing.
Yes, please.
> However, it seems like there's a relatively obvious strawman
On Mon, Feb 15, 2021 at 2:57 PM Stephen Farrell
wrote:
>
> Hiya,
>
> On 15/02/2021 22:49, Eric Rescorla wrote:
> > On Mon, Feb 15, 2021 at 2:37 PM Stephen Farrell <
> stephen.farr...@cs.tcd.ie>
> > wrote:
> >
> >>
> >> Hiya,
> >>
> >> On 15/02/2021 22:31, Eric Rescorla wrote:
> >>> This doesn't
Hiya,
On 15/02/2021 22:49, Eric Rescorla wrote:
On Mon, Feb 15, 2021 at 2:37 PM Stephen Farrell
wrote:
Hiya,
On 15/02/2021 22:31, Eric Rescorla wrote:
This doesn't sound like a very good idea to me. IMO we should only
specify
a protocol that authenticates the server.
Fair enough that
On Feb 15, 2021, at 2:36 PM, Stephen Farrell wrote:
>
>
> Hiya,
>
> On 15/02/2021 22:24, Paul Hoffman wrote:
>> Does this sound like a good approach going forward.
>
> Not to me sorry;-(
>
> A. I don't understand the proposal.
Fair enough, because I didn't propose one yet, just asking the
On Mon, Feb 15, 2021 at 2:36 PM Paul Hoffman wrote:
> On Feb 15, 2021, at 2:31 PM, Eric Rescorla wrote:
> > The reason is straightforward: if you do not provide authentication for
> the server, then you do not have confidentiality in the face of an active
> attacker. I'm pretty sure I've said
On Mon, Feb 15, 2021 at 2:37 PM Stephen Farrell
wrote:
>
> Hiya,
>
> On 15/02/2021 22:31, Eric Rescorla wrote:
> > This doesn't sound like a very good idea to me. IMO we should only
> specify
> > a protocol that authenticates the server.
>
> Fair enough that that's your preference. How's that
Hiya,
On 15/02/2021 22:31, Eric Rescorla wrote:
This doesn't sound like a very good idea to me. IMO we should only specify
a protocol that authenticates the server.
Fair enough that that's your preference. How's that gonna
work and be deployable though?
Ta,
S.
Hiya,
On 15/02/2021 22:24, Paul Hoffman wrote:
Does this sound like a good approach going forward.
Not to me sorry;-(
A. I don't understand the proposal.
B. I want an oppo protocol to be a stepping stone to
an authenticated one. There must be some changes to
take that last step of course,
On Feb 15, 2021, at 2:31 PM, Eric Rescorla wrote:
> The reason is straightforward: if you do not provide authentication for the
> server, then you do not have confidentiality in the face of an active
> attacker. I'm pretty sure I've said this before, so I'm surprised at the
> claim that "no
On Mon, Feb 15, 2021 at 2:25 PM Paul Hoffman wrote:
> Greetings again. One of the issues that seems to most bother people who
> don't like the idea of opportunistic ADoT(Q) is the handwaviness of "but
> authenticate if you can". That comes from RFC 7435, which is the
> informational RFC that
Greetings again. One of the issues that seems to most bother people who don't
like the idea of opportunistic ADoT(Q) is the handwaviness of "but authenticate
if you can". That comes from RFC 7435, which is the informational RFC that
defines opportunistic security (OS). To quote from section 1.2
On Thu, 2021-02-11 at 13:54 -0500, Tim Wicinski wrote:
> Thanks Sara
>
> Folks should take a look at the changes, and those who raised issues can
> ensure
> these updates have addressed everything.
This update works for me. Thanks!
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV -
Hi all,
In the name of transparency, I just want to let the WG know that
there has been an objection raised by several participants over the
declaration of consensus to adopt this draft. Once we work through the
process, I will follow-up with further details.
Regards,
Brian
On 2/13/21 9:27
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS PRIVate Exchange WG of the IETF.
Title : Recursive to Authoritative DNS with Opportunistic Encryption
Authors : Paul Hoffman