Re: [Add] What to do in this potential working group
Ted Hardie <ted.ietf@gmail.com> Wed, 21 August 2019 18:11 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0AA0120DFA for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 11:11:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rsrI4zcJLKAL for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 11:11:39 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF911120DE4 for <add@ietf.org>; Wed, 21 Aug 2019 11:11:39 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id j5so6437951ioj.8 for <add@ietf.org>; Wed, 21 Aug 2019 11:11:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DZiD/P5JBTbLMI4X3crrdtM268caiEMYP2dwmW8e7qg=; b=OgGaHuab2n7DrR13KUEEhL/PHHQnpAp/4MdYR5QAwnhDy/hNmA/znnPaNFMvlvpKVa vY3mps/sJ21IKcNNdJJpIEDFvaVu1FWoUipqxOXLKO8JarbNkL0jNe3LNhDyLp5F1m1P PYTkKaju7xzOjC0b5F+CnVm5i5obEmEgrHhvtvz64CsW8d4Vz3f3OcguY+lBS5Gh7/CJ PhBJ4cEH3hNIhwgBdFVyxGRcaDPT9QsrJrtEiT9iozBxO8hlQgBtOX7SmWG3IYUwaz2u T7x58iEu5iw36KSRbpgOvC/63jP5teHGihSWHNFWaA6CXFnhP4siYM6IaETXUmHctj8D aA+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DZiD/P5JBTbLMI4X3crrdtM268caiEMYP2dwmW8e7qg=; b=jXaikxpHNRyLV3XP0F0fH27t8Vtf+SY6lsGoc4LUBU6g1xCtQZ7NsrMGLS0sLTaah+ hw/bm6S0s471h9NUeT7x7x1FCjmDM3AGHq7Ha9uvWC1B4CpkjoMDKU19INGGRri8vCjD 4qj5k5BsiGq+7FloM5V67sDkFQas3JAjIBjHU3YlHNCl2uj7jCrHQnUmGwD8dBuISuEm /GRJSKzvlNipscv1wA4Kxw0Y67pPFYjiSceqli5ruerGks1fXdnmZs/J/LZH7mAB9znL zVUGGyADMANkNeAPRnwxnUyaRlQq/9y4/hYmlzyiwetwgnl9h0fgQHycLF33ofy1JFrk 3vpw==
X-Gm-Message-State: APjAAAUlXBXPBFtYVkC3utYQJMQ/m+RkoRJYUFRg0uacxGMaHCiBH9E2 jXxjglWOM3xaI0aPY897Bk4iEBln1kjAJiZoOHU=
X-Google-Smtp-Source: APXvYqw2yuvE0uMNslxGmFIwVNe2TVo4NIIO8q4W46Kpk2RKqUpc56Mte1X08pUKlOf03NtgaeKpG23sKlKfBYwHBzU=
X-Received: by 2002:a02:cc6c:: with SMTP id j12mr11103601jaq.29.1566411098855; Wed, 21 Aug 2019 11:11:38 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org>
In-Reply-To: <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 21 Aug 2019 11:11:11 -0700
Message-ID: <CA+9kkMDJmvRd7d-7iFySfrgkCP+sfj7vYwLAOFFRxT0vpFczXA@mail.gmail.com>
To: David Conrad <drc@virtualized.org>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001e9eb70590a481d1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/_ZmI9wvmM4aVrSnKMhDTpBinZno>
Subject: Re: [Add] What to do in this potential working group
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 18:11:42 -0000
Hi David, On Wed, Aug 21, 2019 at 10:59 AM David Conrad <drc@virtualized.org> wrote: > Ted, > > Not Jari, but wanted to point out one thing: > > On Aug 21, 2019, at 10:36 AM, Ted Hardie <ted.ietf@gmail.com> wrote: > > The second threat model is that a resolver may provide an untrustworthy > answer (e.g. captive portal). The use of DoT and DoH can help with this if > the client device, application, or user selects a trustworthy resolver** > and uses the TLS certificate to verify they have reached that service. > > > You probably need to define “trustworthy answer” here. > I tried to finesse that saying by saying it is up to the client to decide this. If there is an objective reality to "trustyworthy answer", though, I think "true to the data supplied by the zone maintainer" may still be it. I'm not sure there is, though, if you have any belief in the use of the DNS as a control surface. In the case of household using a DNS filtering service, the answer may be that the "trustyworthy" resolver provides the data supplied by the zone maintainer after the application of the filters to which the subscriber has agreed. > Traditionally, a “trustworthy answer” was the data originally supplied by > the zone owner of the domain being looked up. DNSSEC was created to ensure > this. However, network operators (e.g., CDNs) playing “stupid DNS tricks”, > resolver operators providing filtering, etc. may have changed what is a > “trustworthy answer” over the years. > > With that said, and assuming you’re using the traditional interpretation > of “trustworthy answer”, then DoT/DoH do not ensure a “trustworthy answer.” > DoT/DoH provide transport protection. The only way to truly ensure a > trustworthy answer is to protect the actual answer. Which is what DNSSEC > does. > > Evidently I was unclear, sorry. It doesn't assure you that the answer is trustworthy; it can assure you have reached the resolver that you intend. If you trust that resolver (for whatever value of trustworthy you have), that may help. Thanks for pointing out the lack of clarity, Ted (as an individual) > Regards, > -drc > (Speaking only for myself) > >
- [Add] What to do in this potential working group Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Orth
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Vyncke (evyncke)
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Tommy Jensen
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… David Conrad
- [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] data integrity and DNSSEC or DoH/DoT David Conrad
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] Unstated assumptions in What to do in t… John Levine
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Martin Thomson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Daniel Stenberg
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Martin J. Dürst
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Willem Toorop
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rubens Kuhl
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] What to do in this potential working gr… Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Andrew Campling
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett