Re: [Add] Fwd: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt
Ben Schwartz <bemasc@google.com> Wed, 06 October 2021 16:00 UTC
Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DF1A3A1E80 for <add@ietfa.amsl.com>; Wed, 6 Oct 2021 09:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.855
X-Spam-Level:
X-Spam-Status: No, score=-16.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vsF4N3yp6P5F for <add@ietfa.amsl.com>; Wed, 6 Oct 2021 09:00:47 -0700 (PDT)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A37683A1E81 for <add@ietf.org>; Wed, 6 Oct 2021 09:00:47 -0700 (PDT)
Received: by mail-vs1-xe32.google.com with SMTP id f2so3476785vsj.4 for <add@ietf.org>; Wed, 06 Oct 2021 09:00:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=no4V6StkeXbIU/aARv2eJviVw5JLcScBO3EVFrByJTo=; b=FNennAt7H0nPqqirKzBpjf+jrIreWD4suxnNKLLct7lracwHezjQB60HBMM1VGc13S eKOUxJYHBcG8D8jR3RoTullu57ZVdC7gNh71AV8TmaDb/+0zGCyWboshhijSo6ACaCCA LW6lPgmYL3J4nVig3JTMqugumTKCs2MNT9EPrp/LU1cgQwg3gpmtj+oc6C50SnVBqe9+ zBmhwRuO5nOYFYCkqmSYO4/e8cjf6Yu+AxOEGReLEPuTt52+7M1JyGBAbr3xTuzJrGHt 7hHERjjhU7JXBOeQKr7O5+W5BFhV9vbiC02Z2M5fjqm83CBMAydkftlygeyXTAvUrSON VbnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=no4V6StkeXbIU/aARv2eJviVw5JLcScBO3EVFrByJTo=; b=WVgnVReMC07UOjRtgt9xHkXbY4uErV0L01B3zMx2OfkoGdUP6CeNI3eKM1AAfXag6F 1sE++2DmoP1oP3WHx6LPFDQy1m9Ji33W5UKIETEDNVjW/TNeGn76oEmyQzHJtjrgEXKc TsTYWFQrf3JgLh/YDYIqaRFbyuGPmVabF3ZAKUJov/wcTRZDAsTDCDUL36Pp2gmutuiX oK5AIlwT/Ud8OVpX0yDRhB1oMy7kK/JL3iHQJfKfNJGJBU1nNKr/lzOFXYdXKvuCnEaa AVxxLifc5zxP91o/htgNe9O4NmNSpdTn1h/zvErX3GXTlVExInMQOd6CgLbXv+vdDzK0 nN5A==
X-Gm-Message-State: AOAM531hal11H1rtv91hucxb4k+Cn5DEhFt/9HZcXwGyv/oPWOZzELSO xEVigwqgm6moCi4GRhkpcqBGtafrZbu6p2RxEeGFZw==
X-Google-Smtp-Source: ABdhPJy1sxK5S1H02WsXXL39pPHKaJoEvAF36WuVB4wjLz5KBBg5QmcdSPID8VjuxO+YZR+8ZYaTE3G2MQ+wnrawTzg=
X-Received: by 2002:a67:d996:: with SMTP id u22mr14274037vsj.12.1633536040413; Wed, 06 Oct 2021 09:00:40 -0700 (PDT)
MIME-Version: 1.0
References: <163223345857.28587.9301450225704997678@ietfa.amsl.com> <CAHbrMsDL-QKF-xn0Pz2FrrDoHHRoqKfBkuDoBkuZucDFh8KSQA@mail.gmail.com> <DM6PR02MB69247B06F32349B37CA9A728C3A49@DM6PR02MB6924.namprd02.prod.outlook.com>
In-Reply-To: <DM6PR02MB69247B06F32349B37CA9A728C3A49@DM6PR02MB6924.namprd02.prod.outlook.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 06 Oct 2021 12:00:29 -0400
Message-ID: <CAHbrMsApddTo0=mTcmCCgNDw0uBnPioNh67ednxo8W-Gm25opg@mail.gmail.com>
To: "STARK, BARBARA H" <bs7652@att.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000998ec205cdb13f04"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/CaM6d78bHnqvuDa4tbXAUyy-YQU>
Subject: Re: [Add] Fwd: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 16:00:54 -0000
On Fri, Sep 24, 2021 at 9:51 AM STARK, BARBARA H <bs7652@att.com> wrote: > Hi Ben, > > I really like the idea presented in this draft. I think it could be very > helpful to many end users – allowing automated upgrade to DoH for people > behind DNS proxies who aren’t using any filtering in those DNS proxies. > Thanks! > I have just a few comments. > I've proposed changes to address some of them here: https://github.com/bemasc/ddr-forwarders/pull/3/files?short_path=1dd9b41#diff-1dd9b41c1d07a52069cc813ecb21901ad48aa5fd4b5cccf6c664930d42e92449 > I think there needs to be a more complete definition of “non-public IP > address” (or perhaps a more refined and specific set IP addresses of where > this relaxed validation might be considered). > Agreed. The proposal changes the terminology to "private IP address", defined as "Any IP address reserved for loopback [RFC1122], link-local [RFC3927], private [RFC1918], local [RFC4193]), or Carrier-Grade NAT [RFC6598] use". > I’m thinking it might be good to restrict to an IPv4 address on the same > subnet, an IPv6 address in an on-link prefix, > I haven't imposed this restriction, because it doesn't seem to be necessary. If DHCP says the DNS server is 192.168.0.5, and the client's address is 10.0.0.123, the logic of this draft still holds. > or 127.0.0.0/8. This latter would be for clients that make use of stub > resolvers. > Added. > Note that an IPv4 subnet and IPv6 on-link prefix could be comprised of > globally routable addresses – so not necessarily “non-public” as some > people might understand that word. > > But since we’re all trying to head for IPv6, I think it’s good to > recognize that the IPv6 address being advertised for DNS proxies tends to > be from the delegated prefix and not ULAs. And it might be good if we could > support this case. > > This document is focused on the case where the DNS server is only known by a private IP address. In this case "opportunistic security" is the best we can do, because cryptographic identity validation is not possible. This draft is about exploring subtleties within the space of opportunistic security. If the DNS forwarder is identified by a public address (IPv4 or IPv6), then it could get a TLS certificate for that IP address. A client policy that doesn't require authentication in this case, even though authentication is possible, would be a much bigger departure from baseline DDR. I would prefer not to describe that behavior in this draft. I’m not too sure about the 6.1.1 mitigation solution related to > implementing DNR. It’s not that it’s necessarily wrong -- it’s just not > really a part of DDR-based discovery and there’s no rules around how DDR > and DNR interact. > The DNR draft claims to override DDR. I've added a reference to the relevant text in the DNR draft. > I think the 6.1.2 and 6.1.3 mitigations should somehow be strongly > recommended in conjunction with this technique. Though I understand the > desire to avoid normative language, I still think it would be beneficial to > use some lowercase recommending words. > > OK, I've written a stronger warning at the top of this section. Thanks for the comments, Ben Schwartz >
- [Add] Fwd: New Version Notification for draft-sch… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… STARK, BARBARA H
- Re: [Add] Fwd: New Version Notification for draft… Chris Box
- Re: [Add] Fwd: New Version Notification for draft… Ben Schwartz