Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Rob Sayre <sayrer@gmail.com> Tue, 16 July 2019 20:54 UTC

In-Reply-To: <CABcZeBM99i_rrq7NM2bdkKt+N8n3R8qAPv3yUgOpSkpd69a3=Q@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 16 Jul 2019 13:54:02 -0700
Message-ID: <CAChr6Swc87D5s2H0J8u3J=2tXguPbENQJkNvro=AUHHebEH_4w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Alec Muffett <alec.muffett@gmail.com>, add@ietf.org, "Dixon, Hugh" <Hugh.Dixon@sky.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/BsLuTgS4NAlSFs5TfyAZkLw9Lms>

On Tue, Jul 16, 2019 at 1:23 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
> I'm not saying it does. I'm just trying to work through the entire
> problem. What I'm arguing here is that absent external configuration (e.g.,
> DoH/TRR), there's no real way to get encrypted DNS that is secure against
> active attack.
>

I'm not arguing against DoH--it's great. I think browsers should enable it,
and then gradually start enforcing its use. I'm not sure what the best way
to solve the bootstrapping problem is, but installing some initial name
servers doesn't seem so bad. After all, it's already required that
autocomplete resolves to the right search engine, the update server is the
right one, etc. Of course, companies should be able to install their own, etc.

I can't square that with a feature that automatically disables DoH in the
clear, as proposed. Bootstrapping secure DNS does change the power dynamics
of the internet a little bit (but not really that much... see VPNs etc), so
some people might get angry.

thanks,
Rob