Re: [Add] [Ext] My single use case

Eric Rescorla <ekr@rtfm.com> Mon, 14 September 2020 12:48 UTC

On Sun, Sep 13, 2020 at 11:47 PM tirumal reddy <kondtir@gmail.com> wrote:

> Hi Eric,
>
> Please see inline
>
> On Fri, 11 Sep 2020 at 20:57, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Fri, Sep 11, 2020 at 8:18 AM tirumal reddy <kondtir@gmail.com> wrote:
>>
>>> On Fri, 11 Sep 2020 at 20:21, Paul Hoffman <paul.hoffman@icann.org>
>>> wrote:
>>>
>>>> On Sep 11, 2020, at 5:06 AM, tirumal reddy <kondtir@gmail.com> wrote:
>>>> >
>>>> > On Fri, 11 Sep 2020 at 16:45, Eric Rescorla <ekr@rtfm.com> wrote:
>>>> >
>>>> >> For wired network you plug into the wall.
>>>> >> For a wireless network, someone gives you an SSID and a (common)
>>>> password.
>>>> >>
>>>> > You seem to be referring to home/coffee shop use cases and not
>>>> relevant to on-boarding devices in an enterprise network.
>>>>
>>>> It is wrong to say that Ekr's model "is not relevant" to enterprise
>>>> networks.
>>>
>>>
>>> I only meant common password is "not relevant" to an Enterprise network.
>>>
>>>
>>>> Some enterprise networks use extra configuration for handing out
>>>> resolver information,
>>>
>>>> many enterprise networks (including the one I'm using at the moment) do
>>>> not.
>>>>
>>>
>>> Yes, it depends on the enterprise network. In addition, it depends on
>>> whether it is an IT-owned device, a BYOD with MDM or a configuration
>>> profile, or a BYOD with unique credentials. The use case should consider
>>> all the above types of devices, including IoT devices.
>>>
>>
>> I disagree with this. In particular, I do not think it should include
>> anything that is managed (MDM, enterprise config, etc.) because those
>> entities can just directly configure the DNS provider. It might still be
>> useful in some way to have a signaling protocol, but it is a far lower
>> priority.
>>
>
> If the discovery protocol works for unmanaged BYOD, it would also work for
> other types of devices.
> I understand device management tools can be used to provision managed
> devices with a network-provided encrypted resolver, but it is not yet fully
> supported, for example: (1) the configuration profile (provisioned using OTA)
> does not yet support configuring the encrypted DNS resolver, and the
> configuration profile is specific to Apple; (2) I see policies (GPO) can be
> set on Chrome/Firefox and OSes like Windows to use a DoH server, but I'm not
> sure about other OSes/browsers; (3) I don't think MDM (from several vendors)
> supports encrypted DNS server configuration yet.
>

So? Any of this would require something to change on the endpoints. The
question is what the appropriate change would be in this setting (if any),
and what I'm saying is that the appropriate change is to use the existing
device management.

-Ekr


> -Tiru
>
>
>>
>> -Ekr
>>
>>
>>>> It's fine to say that Martin's use case is not the use case you
>>>> personally are interested in; please don't dismiss it as "not relevant".
>>>>
>>>
>>> I am interested in the use case :)  I would like to understand whether
>>> the use case is for a Home or Enterprise network.
>>>
>>> Cheers,
>>> -Tiru
>>>
>>>
>>>>
>>>> --Paul Hoffman
>>>>