Re: [Add] [Ext] Updated charter proposal for ADD
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 15 January 2020 21:26 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EA3C12098E for <add@ietfa.amsl.com>; Wed, 15 Jan 2020 13:26:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P2m_MwXeGwqx for <add@ietfa.amsl.com>; Wed, 15 Jan 2020 13:26:21 -0800 (PST)
Received: from mail-vk1-xa29.google.com (mail-vk1-xa29.google.com [IPv6:2607:f8b0:4864:20::a29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4264120A4C for <add@ietf.org>; Wed, 15 Jan 2020 13:26:20 -0800 (PST)
Received: by mail-vk1-xa29.google.com with SMTP id w67so5160132vkf.1 for <add@ietf.org>; Wed, 15 Jan 2020 13:26:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5SDw3ixueETGQzWBWJFG3runxkZ6oyTQBVPOQ1Uaon8=; b=b6cC+MaWXvqhbXmZi2ykux15xtB5PZEzNNva/CiJII55aQe5OcjNOvy0VcdmdlMBQt r2JHunAT3u6io4tfibCU2LSpbc3pnwHSxm13mfcsuZCrDxo6/jqWW0GvibiPjnZu1g+Y TMfMnIOHDgRoWfdhgn9wMOp8EQQaFp+5W5v+fUwTXE1UR9OfB/r9pufSg94lHaZVTPJ+ AV8tCq97DVVhgEz4KTvFlVvZ0DTglujEMejr+yrSgt34whD5SCphV9PUnxdeLsSqJmov I6R6ujCTgayfsGL+U0cem3cVM47sygKRAKMpBa/0a5eii0DTDNOjGRtmw3vh1JXql7Kg Kowg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5SDw3ixueETGQzWBWJFG3runxkZ6oyTQBVPOQ1Uaon8=; b=OsHx6aUyfhKLahxonJWsEYBuqY52vxwnH3TL3ex6Ad+cbrTudDVG2ts4P08kynruI8 UdFTyuzQJa+p71Nt6BIkoIoum3hgxqwivhCPW3gFGoaMPQiGbUvPFe4sj5baEVJHcdF5 YJoBIam15U7lywc5cOjxagunafjOV7UXrTbCw46o7xcv9Mg1BgDgf/d1pBMcd0UtBTcs J7ufAQ10Ot9tl9Tu7FiKMeuRxLIVV6zw/eeagxBa/pY8ttBjjEYp8CorQl1L3NCMjNYF +jEjshcTl/q2nTOBvgc5b+vVpy+PGhEuiDA7QTD9RQzxa2jYSyLa51dhZylcSwZ4ryp+ Ygng==
X-Gm-Message-State: APjAAAWGMEMemb7knuMUNQzODoWSHw/6LvsSn/QWxJlttnmedg1Vh4KL 9KiVjcf7CJ3fle8E+J/HcQzhsT98xhX3ljn4PdQ=
X-Google-Smtp-Source: APXvYqwPsqTcqJS47eac5g3/615emoR3QhyRePsEAaltaHx1C0IAoLdW/HEXb+4vWOZaCv+QEBSeMf/vx2Nwj4XjlWw=
X-Received: by 2002:ac5:cdcd:: with SMTP id u13mr19180640vkn.0.1579123579845; Wed, 15 Jan 2020 13:26:19 -0800 (PST)
MIME-Version: 1.0
References: <236B0A34-8C7F-49D2-8075-5AF5AC35BDFB@apple.com> <AD6E599F-96E8-44FC-8A05-8BFD2F659129@icann.org> <66C24EE6-5C7B-4788-AE26-06B900915010@fugue.com> <CAChr6SzcuomCFisPhLHYfQGzbR2=yYhtsGHV8+kd5gCdJn+ABA@mail.gmail.com> <LO2P265MB05730A944404EFD86DF99E8CC2370@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <CAChr6SzygCAMGUXmOL9Hb_w5CgjeFK30KodystPYPt4jD6Fkeg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E611537457D1@GAALPA1MSGUSRBF.ITServices.sbc.com>
In-Reply-To: <2D09D61DDFA73D4C884805CC7865E611537457D1@GAALPA1MSGUSRBF.ITServices.sbc.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 15 Jan 2020 13:26:08 -0800
Message-ID: <CAH1iCiqr9NmudeRLf9QMPaPTUBcQmi=sYGhN397oGM1b+YMPNw@mail.gmail.com>
To: "STARK, BARBARA H" <bs7652@att.com>
Cc: Rob Sayre <sayrer@gmail.com>, Andrew Campling <andrew.campling@419.consulting>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000087ff6059c345c84"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Ccn9hqLu1f4nfZlQIPseMVgSBms>
Subject: Re: [Add] [Ext] Updated charter proposal for ADD
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 21:26:26 -0000
On Wed, Jan 15, 2020 at 1:01 PM STARK, BARBARA H <bs7652@att.com> wrote: > > > On Wed, Jan 15, 2020 at 11:47 AM Andrew Campling < > andrew.campling@419.consulting> wrote: > > On Wed, Jan 15, 2020 at 19:24 Rob Sayre <sayrer@gmail.com> wrote: > > > Right now, my DNS server is 192.168.86.1, and encrypted DNS seems > designed to bypass it. > > > > Well, a lot of networking products (both consumer and corporate) have an > unencrypted DNS server on a private IP. > > > > I was wondering how the certificates would be constructed if they wished > to offer DoH or DoT. I know public services are able to get certificates > with SAN[1] extensions containing public IPs (e.g. the Cloudflare cert for > 1.1.1.1). That doesn't seem to make sense for private IPs, so I'm wondering > how private networks will offer encrypted DNS, and whether the debate > around the security considerations is important. > > > > thanks, > > Rob > > > > [1] https://tools.ietf.org/html/rfc5280#section-4.2.1.6 > <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc5280-23section-2D4.2.1.6&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=8_yvv1il3zewjGy7Q4S4OtQitnmASPvjF6La_TDH_6U&s=DIByZeZTbnVQz-bhge3oVFvDzYJTHKdgueM0_z-8W7s&e=> > > > > <bhs> Discussions I’ve had with people so far have been along the lines of > (1) we’re not aware of any user-friendly/easy way to get a certificate into > consumer routers that will be ok’ed by a CA in browsers’ trust stores, (2) > the user experience of doing https to a consumer router from a browser is > pretty horrible and scary, (3) some of these routers (e.g., Netgear) don’t > even allow users to change what the router sends in DHCP/RA (it’s always > the router’s private IP address; but the user can change what recursive > resolver the router then uses), and (4) many people are unconvinced that > the threat of compromise inside the home network is worth the effort and > negative user experience.</bhs> > > The other relevant question for those consumer boxes is whether they are full resolvers, or if they are merely forwarders to an upstream resolver that they learn from e.g. DHCP or RA. (Some even advertise their own IP, but only do NAT without any real DNS functionality, and literally forwarder the packet, rather than the query, from what I understand.) If the upstream resolver can be identified and is reachable directly, that potentially makes the middle box a moot point, as the client would have the ability to do whatever the WG adopts, to the real upstream resolver. Making that sufficiently user-friendly on the client side, and scalable and operable on the resolver side, are pertinent questions. I expect the user experience would be better, and the security model much better, when bypassing the middle box. The threat potential would still exist outside of the home network if a forwarder was used without using an upgraded transport, between the middle box and the upstream resolver. This threat would be addressed indirectly if/when the middle box were bypassed entirely. This model presumes the upstream resolver is the resolver discovered, and would not change the actual (functional) resolver being used. Brian
- [Add] Updated charter proposal for ADD Tommy Pauly
- Re: [Add] Updated charter proposal for ADD Neil Cook
- Re: [Add] Updated charter proposal for ADD Paul Adair
- Re: [Add] Updated charter proposal for ADD Diego R. Lopez
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] Updated charter proposal for ADD Livingood, Jason
- Re: [Add] [Ext] Updated charter proposal for ADD Robert Mortimer
- Re: [Add] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Dave Lawrence
- Re: [Add] Updated charter proposal for ADD Jari Arkko
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Alissa Cooper
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Barry Leiba
- Re: [Add] Updated charter proposal for ADD chris.box
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD STARK, BARBARA H
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Stephen Farrell
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Deen, Glenn (NBCUniversal)
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Martin Thomson
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] Updated charter proposal for ADD nigel.tedeschi
- Re: [Add] Updated charter proposal for ADD Smith, Kevin, Vodafone Group
- Re: [Add] [Ext] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] Updated charter proposal for ADD Vittorio Bertola
- Re: [Add] [Ext] Updated charter proposal for ADD Patrick McManus
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Patrick McManus
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- [Add] Food for thought? Mohit Sethi M
- Re: [Add] Food for thought? Mohit Sethi M
- Re: [Add] Food for thought? Ted Lemon
- Re: [Add] Food for thought? tirumal reddy
- Re: [Add] Food for thought? Ted Lemon