Re: [Add] [Ext] Updated charter proposal for ADD
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 15 January 2020 20:49 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CE7B12089C for <add@ietfa.amsl.com>; Wed, 15 Jan 2020 12:49:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2IDAW9K1hgCl for <add@ietfa.amsl.com>; Wed, 15 Jan 2020 12:49:42 -0800 (PST)
Received: from mail-vk1-xa32.google.com (mail-vk1-xa32.google.com [IPv6:2607:f8b0:4864:20::a32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDC9D120288 for <add@ietf.org>; Wed, 15 Jan 2020 12:49:41 -0800 (PST)
Received: by mail-vk1-xa32.google.com with SMTP id t129so5118816vkg.6 for <add@ietf.org>; Wed, 15 Jan 2020 12:49:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TGACBXAbFTJ+/tGX+m9yhUd9i+//C9g/pVFuTpaHFBc=; b=Fft3ztu1QSyfUTZoXIP+bJxEnruB8dSvdxFpp+/ijIL5IV8Q8hew30WtMXX5CJlxdL 61mhrJ2G7HeKtvLqkxOZ3FNV80K8WALlg9SHGylHlQ1iWWnHgVA3xxLz3MukAcRQCDep mQmzLy4BafJCGMeZMwcD5X6Dhspr1Tu9yJBM3jsciNUFKkbCr8DcaKtSHDrjTL/oAGW5 IaLyMERLn9D7cEycaXzQMfLrfNOitWjIzN+4LAC92MBiVKXob1qIS/apRqJdnKuOd8yz T9WERTUPshlsGvYR4xg2qJ/eGj9ce1I66fWrzI2HyAXd9XFHWRlROXB75qFbORxFwZ6o FtFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TGACBXAbFTJ+/tGX+m9yhUd9i+//C9g/pVFuTpaHFBc=; b=dYmpdFnPEizP6nPZ+JavGrxvLIg5PMqtysDbV9ZOYRwHGjitF5CesD/XgJMa9EdmsK hgAio1YblWokooMoOdhmw6em11ZyqK9SUDtKga0qwcPu2Y51bLZxuSGfnf7SsSTe0JP0 1g1/htZgW5kGm5hj6HqXOGwGxdtPvKmxRhXI1wn5BICM5g1uRPG6/CM7xouk0uEcdUhD cvyJD7GyB1qV4NbRDEDTKFxzb6Ol0laWoEusYjWQAXgEmdjwdFq/n2Ck9JV6V1cnT2BS C76Q5QZpMS4uQp1eWXkME6O9NO4mSM3A955Tfq7jPgZzNag9JEK4qKTr8vkzqrm3DjOx gN2A==
X-Gm-Message-State: APjAAAU1PEZPz5BexN0vbkt1frF40lDP8kMPKXEnFy2Q4mnEfeCMOKbH I+cSVI41xrenHDho7STBIWP/BMRH/30yUrrP6fs=
X-Google-Smtp-Source: APXvYqxPR8AajHF1YlXqQ067Xgblfe8sj258gqRvkLzzZXkDfDdpgEpokVKyj5NtVzQfzlqJkom6Vo4Ho2BUO3z6TgM=
X-Received: by 2002:a1f:73c6:: with SMTP id o189mr16124505vkc.60.1579121380863; Wed, 15 Jan 2020 12:49:40 -0800 (PST)
MIME-Version: 1.0
References: <236B0A34-8C7F-49D2-8075-5AF5AC35BDFB@apple.com> <AD6E599F-96E8-44FC-8A05-8BFD2F659129@icann.org> <66C24EE6-5C7B-4788-AE26-06B900915010@fugue.com> <CAChr6SzcuomCFisPhLHYfQGzbR2=yYhtsGHV8+kd5gCdJn+ABA@mail.gmail.com> <LO2P265MB05730A944404EFD86DF99E8CC2370@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <CAChr6SzygCAMGUXmOL9Hb_w5CgjeFK30KodystPYPt4jD6Fkeg@mail.gmail.com>
In-Reply-To: <CAChr6SzygCAMGUXmOL9Hb_w5CgjeFK30KodystPYPt4jD6Fkeg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 15 Jan 2020 12:49:29 -0800
Message-ID: <CAH1iCipRJL1KLnmWDu0cim8DTusEqsDBsc-Rj7BsJ4Nau2K3WQ@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: Andrew Campling <andrew.campling@419.consulting>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f6b673059c33d8c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/GiHkCRd-J7D_sZac87By_v0UOoE>
Subject: Re: [Add] [Ext] Updated charter proposal for ADD
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 20:49:43 -0000
On Wed, Jan 15, 2020 at 12:03 PM Rob Sayre <sayrer@gmail.com> wrote: > On Wed, Jan 15, 2020 at 11:47 AM Andrew Campling > <andrew.campling@419.consulting> wrote: > >> On Wed, Jan 15, 2020 at 19:24 Rob Sayre <sayrer@gmail.com> wrote: >> >> > Right now, my DNS server is 192.168.86.1, and encrypted DNS seems >> designed to bypass it. >> > > Well, a lot of networking products (both consumer and corporate) have an > unencrypted DNS server on a private IP. > > I was wondering how the certificates would be constructed if they wished > to offer DoH or DoT. I know public services are able to get certificates > with SAN[1] extensions containing public IPs (e.g. the Cloudflare cert for > 1.1.1.1). That doesn't seem to make sense for private IPs, so I'm wondering > how private networks will offer encrypted DNS, and whether the debate > around the security considerations is important. > > Certificates can be self-signed. Self-signed certificates' fingerprints can be published in any corresponding DNS zone as TLSA records with the right subtype (2 or 3) that does not require PKI. Names for the DNS zones, certificates, and resolvers' host names can be from private-use portions of the namespace (such as has been proposed for use in the reserved portion of ISO 2-letter codes, like .zz). The client security can then be reduced to learning or distributing DNSSEC trust anchors for resolvers, including possibly doing "trust on first use" methods and well-known names. I.e. client queries well-known name for a pointer to the resolver's own name, along with a corresponding trust anchor for that name (name of a DNS zone). Once the trust anchor is available, everything else can bootstrap from that, including TLSA records (which give TLS fingerprints for certificates, which would be self-signed and validated without PKI, using the TLSA mechanisms.) I'm doing a proof of concept on this as we speak. Brian
- [Add] Updated charter proposal for ADD Tommy Pauly
- Re: [Add] Updated charter proposal for ADD Neil Cook
- Re: [Add] Updated charter proposal for ADD Paul Adair
- Re: [Add] Updated charter proposal for ADD Diego R. Lopez
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] Updated charter proposal for ADD Livingood, Jason
- Re: [Add] [Ext] Updated charter proposal for ADD Robert Mortimer
- Re: [Add] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Dave Lawrence
- Re: [Add] Updated charter proposal for ADD Jari Arkko
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Alissa Cooper
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Barry Leiba
- Re: [Add] Updated charter proposal for ADD chris.box
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD STARK, BARBARA H
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Stephen Farrell
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Deen, Glenn (NBCUniversal)
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Martin Thomson
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] Updated charter proposal for ADD nigel.tedeschi
- Re: [Add] Updated charter proposal for ADD Smith, Kevin, Vodafone Group
- Re: [Add] [Ext] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] Updated charter proposal for ADD Vittorio Bertola
- Re: [Add] [Ext] Updated charter proposal for ADD Patrick McManus
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Patrick McManus
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- [Add] Food for thought? Mohit Sethi M
- Re: [Add] Food for thought? Mohit Sethi M
- Re: [Add] Food for thought? Ted Lemon
- Re: [Add] Food for thought? tirumal reddy
- Re: [Add] Food for thought? Ted Lemon