Re: [Add] draft-grover-add-policy-detection-00

Eric Rescorla <ekr@rtfm.com> Mon, 15 July 2019 00:31 UTC

References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <D9B35B69-3C20-4275-ADCA-D990FC968022@groveronline.com> <CAChr6SzmVZNE-+kpSALpWEkPhdS8tN_6KhUxCzXETHro7nsH7A@mail.gmail.com>
In-Reply-To: <CAChr6SzmVZNE-+kpSALpWEkPhdS8tN_6KhUxCzXETHro7nsH7A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 14 Jul 2019 17:30:31 -0700
Message-ID: <CABcZeBMJMMcCaqdq29gFdYYnaTE48XF8_gf8EbvKfJx2AiSzow@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: Andy Grover <andy@groveronline.com>, add@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/TuRHIR-UX40wMjC0q29yGYOzN08>
Subject: Re: [Add] draft-grover-add-policy-detection-00
List-Id: Applications Doing DNS <add.ietf.org>

On Sun, Jul 14, 2019 at 5:18 PM Rob Sayre <sayrer@gmail.com> wrote:

> It's right there in BCP 61:
> "However security must be a MUST IMPLEMENT so that end users will have the
> option of enabling it when the situation calls for it."
>
> It seems like this proposal standardizes automatically disabling security.
> Maybe we could generalize it.
>

Let's take a step back here. First, this document doesn't violate the
section of BCP 61 you are quoting, because that text doesn't require that
security be on by default. Second, there's plenty of precedent for
opportunistic encryption in IETF; see, for instance:
https://tools.ietf.org/rfcmarkup?doc=7435. Of course, this doesn't mean
that this document is necessarily a good idea, but to the best of my
knowledge it's not prohibited by any RFC.

The question of whether it's a good idea is rather more complicated: at a
high level we have a situation where nearly all DNS is unencrypted and sent
to a resolver which is insecurely configured. Some of those resolvers do
policy enforcement and in some of those cases, the user wanted that kind of
policy enforcement, so just switching over to a secure Trusted Recursive
Resolver potentially violates POLA, and it would be nice to be able to
detect those cases and do something [0]. Now, of course, that signal itself
is insecure, so this is pretty far from ideal, but the whole situation is
pretty messy, so it seems worthwhile to explore the space a bit.

> Let's add some domains to the draft that switch HTTPS to HTTP, and switch
> SSH to telnet.
>

This sort of rhetoric doesn't seem particularly helpful.

-Ekr

[0] And this draft doesn't say what "something" is, so, how good an idea
this is partly depends on what that is.

>
> thanks,
> Rob
>
> On Sun, Jul 14, 2019 at 5:12 PM Andy Grover <andy@groveronline.com> wrote:
>
>> I don't follow, in what way?
>>
>> On July 13, 2019 3:48:05 PM PDT, Rob Sayre <sayrer@gmail.com> wrote:
>>>
>>> This draft doesn't seem to conform to the requirements laid out in BCP
>>> 61.
>>>
>>> https://tools.ietf.org/html/bcp61
>>>
>>> thanks,
>>> Rob
>>>
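The detection-and-fallback logic discussed above (ask the network's plaintext resolver, look for a deliberate "I enforce policy" signal, otherwise switch to the encrypted trusted recursive resolver), together with the reason the signal itself is insecure, as an added example that is not code from this thread, from the draft, or from any vendor's client. It assumes the draft's signal takes the form of an NXDOMAIN answer for a special canary name; the name policy-canary.example is a placeholder, not the draft's, and every resolver below is a constructed in-memory fake, so nothing touches the network.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Tuple

# Placeholder canary name (assumption). The draft under discussion defines
# its own special name; this one exists only for the simulation.
CANARY = "policy-canary.example"


class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3


@dataclass(frozen=True)
class Answer:
    rcode: Rcode
    addresses: Tuple[str, ...] = ()


# A resolver is modelled as a function from a name to an Answer that raises
# TimeoutError when nothing comes back. Real code would send a plaintext
# UDP/TCP query to the network-configured resolver here.
Resolver = Callable[[str], Answer]


class Mode(Enum):
    ENCRYPTED = "send queries over DoH/DoT to the trusted recursive resolver"
    LEGACY = "keep using the network-configured plaintext resolver"


def choose_mode(system_resolver: Resolver, canary: str = CANARY) -> Mode:
    """Detection heuristic of the kind the thread is discussing.

    The client asks the network's plaintext resolver for the canary name.
    A deliberate NXDOMAIN is read as "this resolver applies policy the user
    may want; do not bypass it". A normal answer, SERVFAIL or timeout is
    read as "no signal", and the client upgrades to encrypted DNS.
    """
    try:
        ans = system_resolver(canary)
    except TimeoutError:
        return Mode.ENCRYPTED
    return Mode.LEGACY if ans.rcode is Rcode.NXDOMAIN else Mode.ENCRYPTED


def make_resolver(table: Dict[str, Answer]) -> Resolver:
    """Build a fake resolver from a constructed name -> Answer table."""
    def resolve(name: str) -> Answer:
        if name not in table:
            raise TimeoutError(name)
        return table[name]
    return resolve


# Constructed sample resolvers (no real DNS traffic, addresses from TEST-NET-1).
open_resolver = make_resolver({
    CANARY: Answer(Rcode.NOERROR, ("192.0.2.10",)),  # answers the canary normally
    "www.example.com": Answer(Rcode.NOERROR, ("192.0.2.20",)),
})

filtering_resolver = make_resolver({
    CANARY: Answer(Rcode.NXDOMAIN),  # user-chosen policy resolver saying "keep me"
    "www.example.com": Answer(Rcode.NOERROR, ("192.0.2.20",)),
})

dead_resolver = make_resolver({})  # never answers anything


def on_path_attacker(upstream: Resolver, canary: str = CANARY) -> Resolver:
    """An attacker who can see and inject plaintext DNS answers.

    The canary query is unauthenticated, so forging NXDOMAIN for that one
    name needs no key material; everything else is passed through. To the
    client this network is indistinguishable from filtering_resolver.
    """
    def resolve(name: str) -> Answer:
        if name == canary:
            return Answer(Rcode.NXDOMAIN)
        return upstream(name)
    return resolve


def run_scenarios() -> Dict[str, Mode]:
    """Evaluate the heuristic against each constructed network."""
    return {
        "open resolver": choose_mode(open_resolver),
        "policy resolver": choose_mode(filtering_resolver),
        "no resolver": choose_mode(dead_resolver),
        "open resolver + on-path attacker": choose_mode(on_path_attacker(open_resolver)),
    }


if __name__ == "__main__":
    for network, mode in run_scenarios().items():
        print(f"{network:33s} -> {mode.name}: {mode.value}")
```

The last two scenarios are the whole argument in miniature: the client cannot tell a resolver the user deliberately chose from an attacker who spoofed a single unauthenticated reply, so whatever "something" the client does on NXDOMAIN is also what it will do under a downgrade attack.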