Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
Eric Rescorla <ekr@rtfm.com> Wed, 17 July 2019 17:24 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E7881207E4 for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 10:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IbfmrG80XI9t for <add@ietfa.amsl.com>; Wed, 17 Jul 2019 10:24:52 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 197DA12079D for <add@ietf.org>; Wed, 17 Jul 2019 10:24:52 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id x25so24459054ljh.2 for <add@ietf.org>; Wed, 17 Jul 2019 10:24:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YN+m5XyhgsbqqlHs+tj0cbEy5sBHlokfdQo75dnAwyE=; b=xI92f7fbtqo8O9/8zFTPu4j+V1CJkY/GDtMD9Ivtooc7LqlBOjzr8kcYuz1h7CuMcH RkBduAaHSMewWsSrXzKWML+MMx/qOMNfQZ+GayCM5lw7yXFIWyv6bKrr938xMr+gvWtH JDeFrHJvu0lyBpgFLWcEyKmxzE+4Apm1r8wOTauQPu26Kh5wp+FTmEoEmWI/p3tk108f p4CIa4hf8Yypt1Ih+FV5AYXE7XehkDmtuTtPhKf96WwLOcNL8PWYo5nURKRUg34KIkFx v/49GzYa3/Dr6q5RWF72lvOxWDVNUMLfJtzkCmgQ3p4eivD6lm0BJsG8b93IJLdlJUoH Z1DA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YN+m5XyhgsbqqlHs+tj0cbEy5sBHlokfdQo75dnAwyE=; b=CctjzaECPLe5+y1fAv/YgpobGoIS/9tNlwkI2TVv+t2+wkSySyWPoPRHShaUJy/qHz tiM6zVaRy2rA3AqjLSbn47sgr+DZn3a8T0u2XbcTsGG+/me3Uzu2PJKfsrMHsPuHAATr fmBqVwn3og6sBmhVaKAASxEgJJXaVSJYfv2nPpFXeGrEBcT2vi56IQjb9ze/EGA6INgJ lDgSUefij1vUvLgI/7L7o4mLnHP0yQZ+TdM+F9jpLFdl6CZqQ7FzObV+1qvvHabneTWH bHtPjr6GYTrBDm42ILA4QJU7Z9xJNimWXhUrdaUq4puxKmhoNpNcuJBLxdg4UDR/FGw2 5mLQ==
X-Gm-Message-State: APjAAAXH7dWTYlDC4IA5u4P6h+GueH95+2T8aPx0n+REGHl6jS4ejigK Nc6IjEL5P7HepAVaixLqLxI0tJdFGE7T2f0TvpI=
X-Google-Smtp-Source: APXvYqwnKqButlVr0VuJ/Uev/nxoLqqTNuBNAnRJ9KuaVxYMOiEIWW/RfyMqccJsPpOUvTPC99Os4231q7piZO8A9h0=
X-Received: by 2002:a2e:96d0:: with SMTP id d16mr7751987ljj.14.1563384290434; Wed, 17 Jul 2019 10:24:50 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <CABcZeBNa97Vb6Fw-fMhoZnMezGtm3nJODENN4=XXsz7GWxf2Cg@mail.gmail.com> <CAChr6Sxm__NroZ92v4HL_6iCa62fwYgNw9r8ZDAxCdzVwNoDGw@mail.gmail.com> <CABcZeBMxQgDZJs3BQkb7xiN6Gm=joBqLmTnHCO+TMdKQyUepOg@mail.gmail.com> <CAChr6SxN+72tY6_6tw-TeBWeYh4XQr-VRip_2LQh3Mnsk85GPw@mail.gmail.com> <CABcZeBPNevTZDXXXuRS87+YpZ8xY+Y79inW2x0AmPL2Hd9xNmQ@mail.gmail.com> <CAChr6SwYv66zuxCQv0FOjuqqsLxmVL++bK37x9G1S24XUKVgYg@mail.gmail.com> <CABcZeBOXfR0a+j0KF0FZPt=9ahNE0JsqO4=tg6Dr80TcBi895A@mail.gmail.com> <CAFpG3gfSSx9n4TyXkb0=q4F976B_3ZxwLeL4SrK1CVFnvPS4Nw@mail.gmail.com>
In-Reply-To: <CAFpG3gfSSx9n4TyXkb0=q4F976B_3ZxwLeL4SrK1CVFnvPS4Nw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 17 Jul 2019 10:24:11 -0700
Message-ID: <CABcZeBNw=4425r1r+d0mrOuEvXKHXswktAmdE8_uFRa3zNE6vg@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: Rob Sayre <sayrer@gmail.com>, ADD Mailing list <add@ietf.org>, "Dixon, Hugh" <Hugh.Dixon@sky.uk>, Alec Muffett <alec.muffett@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000477541058de3c54b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/3VobgsJ8uInSiA2O5LJY0QusdhM>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 17:24:55 -0000
On Wed, Jul 17, 2019 at 7:05 AM tirumal reddy <kondtir@gmail.com> wrote: > > On Wed, 17 Jul 2019 at 01:41, Eric Rescorla <ekr@rtfm.com> wrote: > >> >> >> On Tue, Jul 16, 2019 at 1:02 PM Rob Sayre <sayrer@gmail.com> wrote: >> >>> >>> >>> On Tue, Jul 16, 2019 at 12:53 PM Eric Rescorla <ekr@rtfm.com> wrote: >>> >>>> >>>> Taking a TRR-style system out of the equation for a moment. Suppose >>>> that what I want is for all devices on my network to use a filtering >>>> resolver. I don't expect any evasion because they're all my devices, it's >>>> just a matter of convenience to centrally configure it. So what I do here >>>> is I configure my DHCP server to provide the IP address of that resolver. >>>> Now, those devices do unencrypted DNS because that's what everyone does. >>>> Now, suppose that resolver starts offering DoT. How do my devices learn >>>> that information? The resolver could tell them over DNS but then we have a >>>> straightforward downgrade attack from anyone on the network. Do you agree >>>> with this so far? Do you have a proposed solution? >>>> >>> >>> In fairness, I'm not sure I quite follow. But, if I worked at a browser >>> vendor, I would be worried about DoH rollout too. I think I'd gradually >>> ratchet up the security signals in the location bar with the end result of >>> marking sites insecure if their IP was fetched over DNS in the clear. >>> >> >> Ignoring the UI question, let me push a bit on "in the clear". >> >> Currently, resolvers are configured by IP address, not domain name. So >> absent mechanisms such as TRR, how does the DNS client form a secure >> connection to the resolver? What domain name is in the certificate and how >> does the client learn that domain name? >> > > https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-04 discusses > mechanism to automatically bootstrap endpoints to discover and authenticate > DoT/DoH servers provided by a local network. The client securely learns the > domain name and DNS server certificate. > This draft does not seem like it has the general applicability that would be required in the scenarios that browsers often face. -Ekr > Cheers, > -Tiru > > >> >> -Ekr >> >> >> >> >>> This is distinct from choosing a DNS vendor. >>> >>> thanks, >>> Rob >>> >>> >>> >>> -- >> Add mailing list >> Add@ietf.org >> https://www.ietf.org/mailman/listinfo/add >> >
- [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Andy Grover
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Vittorio Bertola
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
- [Add] Firefox DoH behaviour Jim Reid
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] Firefox DoH behaviour Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Richardson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Barry Greene
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Erik Kline
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Erik Kline
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… tirumal reddy
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Evan Hunt
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ralf Weber
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Livingood, Jason