IETF Logo Mail Archive

Re: [Add] publication of DoH Resolver policies

tirumal reddy <kondtir@gmail.com> Wed, 29 May 2019 10:54 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87A1B1200C1 for <add@ietfa.amsl.com>; Wed, 29 May 2019 03:54:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ElaRk_nSwvX for <add@ietfa.amsl.com>; Wed, 29 May 2019 03:54:44 -0700 (PDT)
Received: from mail-it1-x12a.google.com (mail-it1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47DD8120072 for <add@ietf.org>; Wed, 29 May 2019 03:54:44 -0700 (PDT)
Received: by mail-it1-x12a.google.com with SMTP id j17so5172280itk.0 for <add@ietf.org>; Wed, 29 May 2019 03:54:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GUtXNO7ZSlyuoTyIEoO0WCXK0UcPXXYiqRjcjLY/ILs=; b=qp0cvhEfz4iRV+OSHTgAFSxtaufo9l6fO1FT5Q8huwc6ehAqjZLUOUsoqGn2l+FSU1 bpZvv+ZBhW0ZXg1+/2tlztpzqkaX7dHCaQgN+ROhtecHURl/aNdw1zWOEK+peVAuKkE5 MFgiyCwv1GaIJFuCavcKjxGWApXKZVFNGYSDVzkPmNV5LQohtjX8lvaq73KrSjCm4R/F waRAgYbqXNqgA/8dSUsZoE8Pa6Nc3LPYVr2FZEc0iPs33zWqF0kuumNTrOe4ikTWYHvN HGG70CUIJ+fpFplwg7zhYP4oct0LS4UJZvCbrE94dbj3gXnTvXXLu7IOboh1juiEvuPb wmTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GUtXNO7ZSlyuoTyIEoO0WCXK0UcPXXYiqRjcjLY/ILs=; b=uh3l2sF7FGiZGZ1f6WCY5bLO3hqGKGlxdCpSOP88tRpUJWQY2YvjoSIq6Jo3YJ5RJF pCJ07XTBjvZ9s2AOwvZyYAuLiH2PYr1/RIKTWQ3lVK8AM1KSI2xTeYtjPTUscYi5/JSn Vrz4rTUDQmFofZkfJ3SvFEpSsVG+EHoW6DE5xgoYZ92iUJr2d2pnGQ89YIGfURb95kP6 nt/XIkLAK+WvMGeqwZFOSaOo5nq6uYwA+vRQfUP5NEW8aLZcw1XIela1GXDF5i5e9DNF 1a/sWiyaBWi2AU81buch1h1L0FHRYFlwENC1GH9jzyFdTxZwAIeyrA7kcmj290mi5iVe lvbw==
X-Gm-Message-State: APjAAAVmGjqBuLH0Aw9U+yHSma3jf612e9y2I9zXZKjYLkHH9jmYGhx5 wDH+ypEYfLPw3AtW1IHTAry8Xm6aIYkZsBRJyt8=
X-Google-Smtp-Source: APXvYqwdZxxCxCBQ7MUioBKsWsf0RAdd7SwvIslOHWQiGo2W1q/8w6SIFaGOlM0p2SWRp+SY+SwOKz4mmtJi6c6Insg=
X-Received: by 2002:a24:798a:: with SMTP id z132mr6528725itc.101.1559127283518; Wed, 29 May 2019 03:54:43 -0700 (PDT)
MIME-Version: 1.0
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <410f4e4d-aee0-d679-b454-6576de90b21a@nomountain.net> <76EF5603-618C-4A73-A4F9-7489B73B0757@nbcuni.com> <9ad7aa89-d751-e4c6-dede-e9c22faf6d20@nomountain.net> <525969024.22086.1558949269703@appsuite-gw1.open-xchange.com> <CAFpG3gdGpD+jpdChk4zeee+2Mh13mFuPK8kLxmx8DrRZYdy6pw@mail.gmail.com> <11C1E629-A2AE-468E-99B3-C2BBF9E4AE7C@rfc1035.com> <CAFpG3gdwBHoED-TXL3_2ksx-DPd7oRtaUD-FYyfz8yYvdw_Z8A@mail.gmail.com> <254F5605-B346-4AE1-A1A3-6D27AB76B18F@cable.comcast.com> <1DC2682D-1A1F-4B5B-BB49-B2DAAD8E7E7D@sky.uk>
In-Reply-To: <1DC2682D-1A1F-4B5B-BB49-B2DAAD8E7E7D@sky.uk>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 29 May 2019 16:24:30 +0530
Message-ID: <CAFpG3gcdSAguw=UUjQru6mVJKsvoQu_1bY+2ha-KxFK49dyu5w@mail.gmail.com>
To: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e4d14d058a049b10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Tg6QstXkLyXTYeRy0NKylz84D4w>
Subject: Re: [Add] publication of DoH Resolver policies
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 10:54:49 -0000

On Tue, 28 May 2019 at 22:06, Winfield, Alister <Alister.Winfield=
40sky.uk@dmarc.ietf.org> wrote:

> It would be wonderful if every malicious domain was known prior to its
> use, sadly except where a DGA is known that’s not the case. So it can be
> useful to have a little historic information to see the extent of the issue
> once it’s become known.
>

DGA is just one technique, malicious domains like C&C domains can possibly
be identified by inspecting TXT records (used to send commands to the
compromised host), fast flux service network etc.

Cheers,
-Tiru


>
>
> It’s also true that with performance issues unless they are very obvious
> (eg impacting say Facebook, Google, Amazon etc), operators necessarily rely
> on analytics or customers to complain. Given issues can be transient or
> periodic only a historic record can provide insight into the root cause.
>
>
>
> Alister
>
>
>
> *From: *Add <add-bounces@ietf.org> on behalf of "Livingood, Jason" <
> Jason_Livingood@comcast.com>
> *Date: *Tuesday, 28 May 2019 at 16:43
> *To: *tirumal reddy <kondtir@gmail.com>, Jim Reid <jim@rfc1035.com>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *Re: [Add] publication of DoH Resolver policies
>
>
>
> First – thanks for the pointer!
>
>
>
> Comment – things like ‘logging’ seem very binary. What about default
> logging = no except if FQDN = malware C&C, in which case yes (to support
> notifying the end user of infection)?
>
>
>
> *From: *Add <add-bounces@ietf.org> on behalf of tirumal reddy <
> kondtir@gmail.com>
> *Date: *Monday, May 27, 2019 at 9:12 AM
> *To: *Jim Reid <jim@rfc1035.com>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *Re: [Add] publication of DoH Resolver policies
>
>
>
> On Mon, 27 May 2019 at 16:53, Jim Reid <jim@rfc1035.com> wrote:
>
> On 27 May 2019, at 11:59, tirumal reddy <kondtir@gmail.com> wrote:
> >
> > If the DOH server provided by the network offers the same level of
> privacy preserving data policy as the DOH server pre-configured in the
> browser, Why shouldn't the browser use the network provided DOH server ?
>
> How could the browser tell that both DoH servers have the same policy?
>
>
> How does the browser (or anything else for that matter) know what some
> arbitrary DoH server’s privacy preserving data policy is? Where will this
> be documented and published in a way that a web-based application or the
> end user can understand and then make an informed choice?
>
>
>
>
> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-03#section-10
> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-reddy-dprive-bootstrap-dns-server-03%23section-10&data=02%7C01%7Calister.winfield%40sky.uk%7Cd36e8632ef774a63e75608d6e383483f%7C68b865d5cf184b2b82a4a4eddb9c5237%7C0%7C0%7C636946550340220810&sdata=8%2Fkda0%2B9qoR%2FljDojoEKu%2FGQpol%2BhJl0PtuIwASKPUY%3D&reserved=0>
> defines a new privacy certificate extension that identifies the privacy
> preserving data policy of the DNS server, it is in a machine-parsable
> format.
>
>
>
>
> Now rinse and repeat that for other server-side policies: data retention,
> GDPR compliance, DNS filtering/blocking, TLS session resumption, ECS
> behaviour, QNAME minimisation, NXDOMAIN rewriting, query-related adware,
> etc, etc.
>
> Oh, and if some DoH server says “I do QNAME minimisation” (say), does the
> browser or end user simply take that on trust or would they somehow be
> expected to verify that for themselves?
>
>
>
> End user typically does not trust DOH server in a untrusted network (e.g.
> public WiFi network) and may only use the DOH server provided by trusted
> network (e.g. Enterprise, Secure home networks), similar to the way users
> disable VPN connection in specific networks and enable VPN connection by
>
> default in other networks for privacy. In addition, the privacy extension
> includes a URL that points to the security assessment report of the DNS
> server by a third party auditor.
>
>
>
> Cheers,
>
> -Tiru
> Information in this email including any attachments may be privileged,
> confidential and is intended exclusively for the addressee. The views
> expressed may not be official policy, but the personal views of the
> originator. If you have received it in error, please notify the sender by
> return e-mail and delete it from your system. You should not reproduce,
> distribute, store, retransmit, use or disclose its contents to anyone.
> Please note we reserve the right to monitor all e-mail communication
> through our internal and external networks. SKY and the SKY marks are
> trademarks of Sky Limited and Sky International AG and are used under
> licence.
>
> Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited
> (Registration No. 2067075), Sky Subscribers Services Limited (Registration
> No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or
> indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the
> companies mentioned in this paragraph are incorporated in England and Wales
> and share the same registered office at Grant Way, Isleworth, Middlesex TW7
> 5QD
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email