Re: [Add] Communicating DNS blocks (was Re: A thought -- Move the policy decisions outside the application.)

Vittorio Bertola <vittorio.bertola@open-xchange.com> Thu, 29 August 2019 09:40 UTC

Date: Thu, 29 Aug 2019 11:39:58 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Reply-To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: "add@ietf.org" <add@ietf.org>
Message-ID: <1110168181.927.1567071598280@appsuite-gw1.open-xchange.com>
In-Reply-To: <3B94868F-435F-4C8F-986D-C5F71D3E80AA@mnot.net>
References: <1444D5E7-DEA7-437C-B12B-6C31FEA563DD@sky.uk> <11f9dfe2-ab05-2227-7643-e53da95ec717@nostrum.com> <18798.1566571840@dooku.sandelman.ca> <a2593a9b-a131-ac49-a286-642ba6cdc19c@nic.cz> <15520.1566839640@localhost> <F28F71C0-1728-43EF-9EDA-1F1A70800AFA@fugue.com> <1098628263.7014.1566896822696@appsuite-gw2.open-xchange.com> <3B94868F-435F-4C8F-986D-C5F71D3E80AA@mnot.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/E2qfEa0JgEmTiLEQFGxvdb-zlpo>


> On 28 August 2019 03:26 Mark Nottingham <mnot@mnot.net> wrote:
> 
> Similar things have been proposed in the past, at other layers; e.g., 
>   https://www.ietf.org/archive/id/draft-nottingham-proxy-explanation-00.txt
> 
> There's a bigger issue than figuring out how to make it backwards-compatible. Without trying to speak for them, the impression I got is that the browser vendors are less than enthusiastic about exposing untrusted content to users, even if it's heavily constrained (as is the case in the proposal above), as it's a potential attack vector. 

Thanks for sharing this. It prompted some thoughts on what kind of untrusted content could come this way, as I assume that we could authenticate the resolver and keep the channel secure, and even require EV certificates so that the user could know who is sending the message on the landing page.

I do see risks if you are using an untrusted resolver: for example, the resolver could reply to a request for www.mybank.example with a "blocked" error and a redirection to a phishing page. However, how is this different from an untrusted resolver today, without those extensions? It could already reply with the IP of a phishing page and even claim that it's been DNSSEC-validated.

On the other hand, this kind of enhanced user experience could also be a driver for resolvers to adopt encryption and authentication and get into a "trusted resolver" status (however ascertained).

-- 
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com | +39 348 7015022
Office @ Via Treviso 12, 10144 Torino, Italy