Re: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns

tirumal reddy <kondtir@gmail.com> Thu, 12 May 2022 12:19 UTC

References: <BYAPR11MB3111FD2D0FF61231304A5F3DEAC29@BYAPR11MB3111.namprd11.prod.outlook.com> <CAHbrMsAcpHFon+JS9jsLdqANt+1FmkA_VDAwW4PSUDMJwtbavA@mail.gmail.com> <14b56185-4fe3-8e4b-adcf-22ddb624329@nohats.ca> <CAHbrMsDywOYmFzhruD4CK=Jze-sDR8ao253kWxR6+FpTpGLmYA@mail.gmail.com> <2cf6eb22-fe45-67af-2373-522ee9aa2ec4@nohats.ca> <CAHbrMsD=92K3SDuUMe5WtzCBfww49ACQuavZThCPT-fPStjzFg@mail.gmail.com> <8cc9dbde-113a-2b40-df47-ccdc12da1bb@nohats.ca>
In-Reply-To: <8cc9dbde-113a-2b40-df47-ccdc12da1bb@nohats.ca>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 12 May 2022 17:49:07 +0530
Message-ID: <CAFpG3gexoVTS9jp_wv+w2KQ_y=T7JNCv7Pt3knCX_WLzsucw9Q@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Ben Schwartz <bemasc@google.com>, "Deen, Glenn" <Glenn_Deen@comcast.com>, ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/cK8P_Nq_-7XD7DZ31ONmHmH1rLs>

On Mon, 9 May 2022 at 19:12, Paul Wouters <paul@nohats.ca> wrote:

>
> But we know clients currently do not have, nor apparently have a plan to
> support this security mechanism. And the other mechanism available
> is "trusting the TRR". I think that makes this document's security
> mechanism too weak to deploy.
>

The draft is relevant if the endpoint is using a resolver (e.g., a TRR) not
signaled by the network. If the client is using the network-designated
resolver, the draft is not needed. If the client is using a TRR, the client
will trust it to provide the right replies with or without
split-DNS. Further, most browsers have TRRs pre-configured, and the work in
the OHAI WG is based on a pre-configured, partially trusted oblivious proxy.

I don’t see how the proposal of using a pre-configured resolver degrades
the security posture of the endpoint.

-Tiru