IETF Logo Mail Archive

Re: [Add] draft-grover-add-policy-detection-00

Vittorio Bertola <vittorio.bertola@open-xchange.com> Mon, 15 July 2019 10:26 UTC

Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F8AB12004D for <add@ietfa.amsl.com>; Mon, 15 Jul 2019 03:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PThi1ptW3-hQ for <add@ietfa.amsl.com>; Mon, 15 Jul 2019 03:26:57 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C217120096 for <add@ietf.org>; Mon, 15 Jul 2019 03:26:57 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id C3BE16A28F for <add@ietf.org>; Mon, 15 Jul 2019 12:26:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1563186413; bh=/OKCfavETPZSVS0ReXSxOnmfIkR9U0jcFOWvfowMtn0=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From; b=NUpuklH5Xt194Gr1nC/2buW5WXttivxE3UB0cCdGh5FV2ZZ8xBaeqOPNgQnhwOFdR xiWgp57Sv7TFnKQyDDnTt1nB5s7yPJyB9cFvrxj30VGaFYSL4Sd6aajDHQ544+zCVF 8T5S1vv6tNjMHnisF9zmP2h/qCcFoJ3HUfaoigqU7fiNx9N87h7v0eUq6dHTfZyvCO 5Lpbia9Y/PmLEIxBt/Gjn+w8sfwBMgYIK5RrY3869PJejRgzfs8dMJKVKEJFIJuxTs neRiQwSrKWhVUqSTUFwttPmfAOdB6gVI51/GJVK/ySMWlUGFelcIdcQ6qwbSrGbOd+ O0QrieP782tdQ==
Received: from appsuite-gw1.open-xchange.com (appsuite-gw1.open-xchange.com [10.20.28.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id B6D903C0433 for <add@ietf.org>; Mon, 15 Jul 2019 12:26:53 +0200 (CEST)
Date: Mon, 15 Jul 2019 12:26:53 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Reply-To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: add@ietf.org
Message-ID: <1280826247.5057.1563186413694@appsuite-gw1.open-xchange.com>
In-Reply-To: <CABcZeBMJMMcCaqdq29gFdYYnaTE48XF8_gf8EbvKfJx2AiSzow@mail.gmail.com>
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <D9B35B69-3C20-4275-ADCA-D990FC968022@groveronline.com> <CAChr6SzmVZNE-+kpSALpWEkPhdS8tN_6KhUxCzXETHro7nsH7A@mail.gmail.com> <CABcZeBMJMMcCaqdq29gFdYYnaTE48XF8_gf8EbvKfJx2AiSzow@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.10.2-Rev8
X-Originating-Client: open-xchange-appsuite
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/50KdJcVQ2TlW_8wpB6AYH0FfUOo>
Subject: Re: [Add] draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 10:26:59 -0000


Il 15 luglio 2019 02:30 Eric Rescorla <ekr@rtfm.com> ha scritto:

The question of whether it's a good idea is rather more complicated: at a high level we have a situation where nearly all DNS is unencrypted and sent to a resolver which is insecurely configured. Some of those resolvers do policy enforcement and in some of those cases, the user wanted that kind of policy enforcement, so just switching over to a secure Trusted Recursive Resolver potentially violates POLA, and it would be nice to be able to detect those cases and do something [0].
Also, often that policy enforcement is actually being done on behalf of the user to increase his/her security, so even if we only wanted to focus on maximizing security, the choice would be between connecting securely to a (from the user's point of view) less secure resolver, and connecting insecurely to a more secure resolver; which option of the two is in the end more secure depends on the specific case (threat scenarios and their likelihood), so I think each application will make its own choice, often asking the user. Of course the proper solution is to have a way for the users to connect securely to the more secure resolver, but in the meantime both options should be made available.

-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy

v2.23.0 | Report a Bug | By Email