Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

"Livingood, Jason" <Jason_Livingood@comcast.com> Mon, 22 July 2019 16:42 UTC

From: "Livingood, Jason" <Jason_Livingood@comcast.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>, Ted Hardie <ted.ietf@gmail.com>
CC: Vittorio Bertola <vittorio.bertola@open-xchange.com>, "add@ietf.org" <add@ietf.org>, Neil Cook <neil.cook@open-xchange.com>, Rob Sayre <sayrer@gmail.com>
Thread-Topic: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
Date: Mon, 22 Jul 2019 16:41:55 +0000
Message-ID: <081FF993-1678-409F-9BD6-A054AA6D34E7@cable.comcast.com>
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <CABcZeBNa97Vb6Fw-fMhoZnMezGtm3nJODENN4=XXsz7GWxf2Cg@mail.gmail.com> <CAChr6Sxm__NroZ92v4HL_6iCa62fwYgNw9r8ZDAxCdzVwNoDGw@mail.gmail.com> <20190716190219.5DEF4156CDF0@fafnir.remote.dragon.net> <CAChr6SzSkVU5xbh0sZCCEgd7BUdr-dMorNq=5iMkWp66k8PVow@mail.gmail.com> <15205609-8203-4C6F-9DE7-14D492873C51@rfc1035.com> <CAChr6Syf_=3__jcv6D7b1JokGFYpFuy9y9419V0nCAx=MMh24A@mail.gmail.com> <1513817825.9983.1563350802523@appsuite-gw1.open-xchange.com> <CA+9kkMAdGF_U-syxtFVz-MfBfv-GF_CFouvuUhqcSH96-=Hkjg@mail.gmail.com> <ABBFB472-DC7C-48E2-999E-C364BFD3260E@open-xchange.com> <CA+9kkMBO3LAhVmC+PzBoO7V5vzrfeYyrEPdq6s5nRBrYniqaNA@mail.gmail.com> <CAH1iCiqsSWRm7hbwcaoRYUaoLf-DCDXw8cZy7abaYbOAMjJBPw@mail.gmail.com> <CA+9kkMBjL5VqiH+vjxgTFq2d76O0yoyeJdQF6HhKvO_pOdzDgA@mail.gmail.com> <CAH1iCio9ktw2N+tLq9bkGCT3H9SN5AyqHst11hWKY_YwbFxVJw@mail.gmail.com> <CA+9kkMBa67gKSFf04pRPS8KxhCupvRm44gKQE_v4J6SNbj5zxg@mail.gmail.com> <CAH1iCioO2yQ_VH-_R+04ShsEXm+-T8agyGc_aRfCBw==i9gdEw@mail.gmail.com>
In-Reply-To: <CAH1iCioO2yQ_VH-_R+04ShsEXm+-T8agyGc_aRfCBw==i9gdEw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/55OJYqN7dNdu3ExN86qb0eTUNlg>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
List-Id: Applications Doing DNS <add.ietf.org>

From: Add <add-bounces@ietf.org> on behalf of Brian Dickson <brian.peter.dickson@gmail.com>
> Many of the common issues between "shenanigans" and DoX usage would benefit from client-side DNSSEC validation.
> In particular, the behavior of DNSSEC validation failure (returning SERVFAIL) works well with the use of multiple resolver and protocol "lists" (hierarchical structures).
> I am proposing doing so via DoT, and preferably also with DNSSEC client validation.

[JL] It seems interesting to consider the question of whether a DoT or DoH resolver SHOULD or MUST also perform DNSSEC validation. As well, I wonder whether many of the organizations that are currently working on deploying encrypted DNS, or have already done so, should also take steps to sign all of their key domains, because it certainly seems a worthy goal to achieve both channel and content security.