Re: [Add] What to do in this potential working group
David Conrad <drc@virtualized.org> Wed, 21 August 2019 21:28 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/IlaU1JjMvyVoPYRDp_DbZACKpD8>
List-Id: Applications Doing DNS <add.ietf.org>
Stephen,

On Aug 21, 2019, at 2:13 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> DNSSEC provides origin-authentication and data integrity
> for DNS answers between the signer and validator.
>
> If the client validates the TLS server cert, DoH provides
> TLS-server authentication, confidentiality and data
> integrity between the TLS client and server.

"TLS client and server" != "signer and validator"

> So yep, both give data integrity, just differently.

No. What you say would be true ONLY if the DoH client connects to the authoritative source of the data. Which, of course, it doesn’t.

Again, what would happen if the TRR you contracted with is subject to a court order under seal that requires that TRR to modify responses for particular domains? How would you know?

Regards,
-drc
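An added illustration of the distinction argued in this message (it is not part of the original message or of the thread): a toy model of what a client can check when the resolver sits between it and the zone signer. HMAC stands in for TLS record integrity between client and resolver, a Lamport one-time signature stands in for an RRSIG made by the zone signer, and the function names and sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: an assumption standing in for the zone's RRSIG.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return all(h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

# Channel integrity: keyed MAC with a session key known to client AND resolver,
# an assumption standing in for TLS record protection on the DoH connection.
def channel_send(session_key: bytes, answer: bytes, sig):
    tag = hmac.new(session_key, answer + b"".join(sig), hashlib.sha256).digest()
    return answer, sig, tag

def client_check(session_key: bytes, zone_pk, answer: bytes, sig, tag: bytes):
    expected = hmac.new(session_key, answer + b"".join(sig), hashlib.sha256).digest()
    channel_ok = hmac.compare_digest(tag, expected)   # "TLS client and server"
    origin_ok = verify(zone_pk, answer, sig)          # "signer and validator"
    return channel_ok, origin_ok

def demo():
    zone_sk, zone_pk = keygen()                       # zone_pk plays the trust anchor
    rrset = b"www.example.test. 300 IN A 192.0.2.10"  # constructed sample record
    rrsig = sign(zone_sk, rrset)
    session_key = secrets.token_bytes(32)
    honest = client_check(session_key, zone_pk, *channel_send(session_key, rrset, rrsig))
    # Resolver substitutes the answer; it holds the session key, so the MAC is valid.
    changed = b"www.example.test. 300 IN A 198.51.100.66"
    rewritten = client_check(session_key, zone_pk, *channel_send(session_key, changed, rrsig))
    return honest, rewritten

if __name__ == "__main__":
    print(demo())  # (channel_ok, origin_ok) for the honest and the rewritten answer
```

Only the second value of each pair depends on the zone's key; a client that checks the channel alone sees no difference between the two answers.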