IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: publication of DoH Resolver policies

tirumal reddy <kondtir@gmail.com> Fri, 07 June 2019 08:58 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 393EA12001A for <add@ietfa.amsl.com>; Fri, 7 Jun 2019 01:58:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.008
X-Spam-Level:
X-Spam-Status: No, score=-0.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slFahpfXPD43 for <add@ietfa.amsl.com>; Fri, 7 Jun 2019 01:58:07 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47210120099 for <add@ietf.org>; Fri, 7 Jun 2019 01:58:07 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id r185so827892iod.6 for <add@ietf.org>; Fri, 07 Jun 2019 01:58:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fJnYl0WzUuaIx9SQHJQihj5Xlw3bt0//cp0E8chdNqM=; b=X1EzSwgY/jRzizze2Q7JyLyTT9a442Nt3lYZLlONOFuwkm0UG+0l/bllIsQq4xbuB1 PgUTcQqla2vlr3fWPudpCcGyzLAnB7u35u+H+FWEBm2NtE0xrJ9ogfef8T4NVm9n1rXj +r095pfMCFVXR66AQiimjco0BvPDLAPL2jBraDoLoP8xz1+xIvtY48j2qKGUClDt7n7D sA8iflrMoWuqBXZULyPAS4+QD01YWlCthBZa0E/WP27/G8EWL/8owifPzxVXp8ma3fOM cK5Ky2iRyt+IOVxNE8gkmmQBuVhA+6w2d7EThxAquSS839f7c6DrDJaLQo1qeqw5tAOC zeaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fJnYl0WzUuaIx9SQHJQihj5Xlw3bt0//cp0E8chdNqM=; b=a1UGuSCTcUC8E9Ix9AeboJxKWk7kmL58STkuY9hd6WOF98+YhKwO8K28kASC0d7PAA 35jaI8elT9EhIZWcdFn+vKgFIEw/KBIBBtEtqWD6XQ6ZQ4Sh2RkKKVeaLWSHxa2fA5Op 3/QLn3zZ1Hf3y8MWaraGUqATaaq6rwBSU5SK62TacItERQw2IoSDrl14LHBnHyFdvqkZ kepqc19N5/bQGRn68z+Jgwwq58z+V5H+Q4SU/yzcCr/aub7YYuvKfYILqqgJ23MhJivG P2BnhC1NCj+QmauXp3G306o5rYPA0LChsrRYpEEO4bpDgJ08LxU6Zh64r1QArAEXwf69 KghQ==
X-Gm-Message-State: APjAAAVioPF7cdAJ9qkDhij+lypCHdVpur5n9qgt8TS3nH2/xwLALJc0 lACOMBcETSJKwCsUJpDuWxmYfjDiGY2snvg/biU=
X-Google-Smtp-Source: APXvYqwTzimfrNbqOyDhRGbzbQBg9u9sOkvLv6P83YhgA8n/WuZqVuc2p63a3qTQ5baqPaFc+V5LLjhncquLAOuC0Lw=
X-Received: by 2002:a5d:860e:: with SMTP id f14mr3085600iol.242.1559897886471; Fri, 07 Jun 2019 01:58:06 -0700 (PDT)
MIME-Version: 1.0
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <410f4e4d-aee0-d679-b454-6576de90b21a@nomountain.net> <76EF5603-618C-4A73-A4F9-7489B73B0757@nbcuni.com> <9ad7aa89-d751-e4c6-dede-e9c22faf6d20@nomountain.net> <525969024.22086.1558949269703@appsuite-gw1.open-xchange.com> <CAFpG3gdGpD+jpdChk4zeee+2Mh13mFuPK8kLxmx8DrRZYdy6pw@mail.gmail.com> <11C1E629-A2AE-468E-99B3-C2BBF9E4AE7C@rfc1035.com> <CAFpG3gdwBHoED-TXL3_2ksx-DPd7oRtaUD-FYyfz8yYvdw_Z8A@mail.gmail.com> <254F5605-B346-4AE1-A1A3-6D27AB76B18F@cable.comcast.com> <1DC2682D-1A1F-4B5B-BB49-B2DAAD8E7E7D@sky.uk> <CAFpG3gcdSAguw=UUjQru6mVJKsvoQu_1bY+2ha-KxFK49dyu5w@mail.gmail.com> <B5D02F73-C1D4-48BA-963B-F7D2BD2EAF3F@sky.uk>
In-Reply-To: <B5D02F73-C1D4-48BA-963B-F7D2BD2EAF3F@sky.uk>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 07 Jun 2019 14:27:54 +0530
Message-ID: <CAFpG3gfoMBtAxREfO4bx6roSpAV04adzsJaYWYd42D0hhUJPmA@mail.gmail.com>
To: "Winfield, Alister" <Alister.Winfield@sky.uk>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000068bc82058ab80734"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/4kyge5SsYgdtre6boJI2DPfP0Uo>
Subject: Re: [Add] [EXTERNAL] Re: publication of DoH Resolver policies
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2019 08:58:10 -0000

On Wed, 29 May 2019 at 16:46, Winfield, Alister <Alister.Winfield@sky.uk>
wrote:

> Fair enough, I’m just stating that not all queries/responses are known as
> potentially bad (malware / phishing) until after the fact. That simple fact
> is the reason some DNS providers choose to hold logs.
>

Agreed, updated logging type and duration as follows:

   LoggingTypes  ::=  BIT STRING {
     none           (0),
             -- No logging
     all            (1),
             -- Log all transaction data
     useridentity   (2),
             -- Log user identity (e.g., username, IP address)
     notifyuser     (3),
             -- Log to notify user access
             -- to certain domains is blocked
     knownmalware   (4),
             -- Log access to malicious domains
     analytics      (5)
             -- Log transaction data for analytics
             -- (e.g. to detect malicious domains) }

   LoggingDuration ::=  SEQUENCE {
        all          [0]       INTEGER OPTIONAL,
        useridentity [1]  INTEGER OPTIONAL,
        notifyuser   [2]  INTEGER OPTIONAL,
        knownmalware [3]  INTEGER OPTIONAL,
        analytics    [4]  INTEGER OPTIONAL }

   Logging ::=  SEQUENCE  {
     loggingTypes         LoggingTypes DEFAULT {none},
     loggingDuration      LoggingDuration OPTIONAL
                          -- Transaction data is cleared
                          -- after logging duration,
                          -- Negative one (-1) indicates indefinite
                          -- duration  }

Updated draft is available at
https://github.com/tireddy2/DPRIVE/blob/master/draft-reddy-dprive-bootstrap-dns-server-04.txt


Cheers,
-Tiru

>
>
> Cheers
>
> Alister
>
>
>
> *From: *tirumal reddy <kondtir@gmail.com>
> *Date: *Wednesday, 29 May 2019 at 11:54
> *To: *"Winfield, Alister" <Alister.Winfield@sky.uk>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *[EXTERNAL] Re: [Add] publication of DoH Resolver policies
>
>
>
> On Tue, 28 May 2019 at 22:06, Winfield, Alister <Alister.Winfield=
> 40sky.uk@dmarc.ietf.org> wrote:
>
> It would be wonderful if every malicious domain was known prior to its
> use, sadly except where a DGA is known that’s not the case. So it can be
> useful to have a little historic information to see the extent of the issue
> once it’s become known.
>
>
>
> DGA is just one technique, malicious domains like C&C domains can possibly
> be identified by inspecting TXT records (used to send commands to the
> compromised host), fast flux service network etc.
>
>
>
> Cheers,
>
> -Tiru
>
>
>
>
>
> It’s also true that with performance issues unless they are very obvious
> (eg impacting say Facebook, Google, Amazon etc), operators necessarily rely
> on analytics or customers to complain. Given issues can be transient or
> periodic only a historic record can provide insight into the root cause.
>
>
>
> Alister
>
>
>
> *From: *Add <add-bounces@ietf.org> on behalf of "Livingood, Jason" <
> Jason_Livingood@comcast.com>
> *Date: *Tuesday, 28 May 2019 at 16:43
> *To: *tirumal reddy <kondtir@gmail.com>, Jim Reid <jim@rfc1035.com>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *Re: [Add] publication of DoH Resolver policies
>
>
>
> First – thanks for the pointer!
>
>
>
> Comment – things like ‘logging’ seem very binary. What about default
> logging = no except if FQDN = malware C&C, in which case yes (to support
> notifying the end user of infection)?
>
>
>
> *From: *Add <add-bounces@ietf.org> on behalf of tirumal reddy <
> kondtir@gmail.com>
> *Date: *Monday, May 27, 2019 at 9:12 AM
> *To: *Jim Reid <jim@rfc1035.com>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *Re: [Add] publication of DoH Resolver policies
>
>
>
> On Mon, 27 May 2019 at 16:53, Jim Reid <jim@rfc1035.com> wrote:
>
> On 27 May 2019, at 11:59, tirumal reddy <kondtir@gmail.com> wrote:
> >
> > If the DOH server provided by the network offers the same level of
> privacy preserving data policy as the DOH server pre-configured in the
> browser, Why shouldn't the browser use the network provided DOH server ?
>
> How could the browser tell that both DoH servers have the same policy?
>
>
> How does the browser (or anything else for that matter) know what some
> arbitrary DoH server’s privacy preserving data policy is? Where will this
> be documented and published in a way that a web-based application or the
> end user can understand and then make an informed choice?
>
>
>
>
> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-03#section-10
> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-reddy-dprive-bootstrap-dns-server-03%23section-10&data=02%7C01%7CAlister.Winfield%40sky.uk%7C12d61a8dd0ee460e0ac308d6e4241425%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C636947240943132005&sdata=meQxjGhaC2hZmVFpiavQeLq7XK6o83WzHghsCIyiPSY%3D&reserved=0>
> defines a new privacy certificate extension that identifies the privacy
> preserving data policy of the DNS server, it is in a machine-parsable
> format.
>
>
>
>
> Now rinse and repeat that for other server-side policies: data retention,
> GDPR compliance, DNS filtering/blocking, TLS session resumption, ECS
> behaviour, QNAME minimisation, NXDOMAIN rewriting, query-related adware,
> etc, etc.
>
> Oh, and if some DoH server says “I do QNAME minimisation” (say), does the
> browser or end user simply take that on trust or would they somehow be
> expected to verify that for themselves?
>
>
>
> End user typically does not trust DOH server in a untrusted network (e.g.
> public WiFi network) and may only use the DOH server provided by trusted
> network (e.g. Enterprise, Secure home networks), similar to the way users
> disable VPN connection in specific networks and enable VPN connection by
>
> default in other networks for privacy. In addition, the privacy extension
> includes a URL that points to the security assessment report of the DNS
> server by a third party auditor.
>
>
>
> Cheers,
>
> -Tiru
>
> Information in this email including any attachments may be privileged,
> confidential and is intended exclusively for the addressee. The views
> expressed may not be official policy, but the personal views of the
> originator. If you have received it in error, please notify the sender by
> return e-mail and delete it from your system. You should not reproduce,
> distribute, store, retransmit, use or disclose its contents to anyone.
> Please note we reserve the right to monitor all e-mail communication
> through our internal and external networks. SKY and the SKY marks are
> trademarks of Sky Limited and Sky International AG and are used under
> licence.
>
> Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited
> (Registration No. 2067075), Sky Subscribers Services Limited (Registration
> No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or
> indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the
> companies mentioned in this paragraph are incorporated in England and Wales
> and share the same registered office at Grant Way, Isleworth, Middlesex TW7
> 5QD
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fadd&data=02%7C01%7CAlister.Winfield%40sky.uk%7C12d61a8dd0ee460e0ac308d6e4241425%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C636947240943142013&sdata=qU0MLdTjX%2FmsjLEqcy8OCYsKXJRlGQLxA7e7%2B6eno1o%3D&reserved=0>
>
> *--------------------------------------------------------------------*
>
> *This email is from an external source. Please do not open attachments or
> click links from an unknown or suspicious origin. Phishing attempts can be
> reported by sending them to phishing@sky.uk <phishing@sky.uk> as
> attachments. Thank you*
>
> *--------------------------------------------------------------------*
>
>
> Information in this email including any attachments may be privileged,
> confidential and is intended exclusively for the addressee. The views
> expressed may not be official policy, but the personal views of the
> originator. If you have received it in error, please notify the sender by
> return e-mail and delete it from your system. You should not reproduce,
> distribute, store, retransmit, use or disclose its contents to anyone.
> Please note we reserve the right to monitor all e-mail communication
> through our internal and external networks. SKY and the SKY marks are
> trademarks of Sky Limited and Sky International AG and are used under
> licence.
>
> Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited
> (Registration No. 2067075), Sky Subscribers Services Limited (Registration
> No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or
> indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the
> companies mentioned in this paragraph are incorporated in England and Wales
> and share the same registered office at Grant Way, Isleworth, Middlesex TW7
> 5QD
>

v2.23.0 | Report a Bug | By Email