Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
Paul Vixie <paul@redbarn.org> Fri, 12 March 2021 19:18 UTC
Return-Path: <vixie@redbarn.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C20CC3A1C2E for <add@ietfa.amsl.com>; Fri, 12 Mar 2021 11:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5cAyUmgPfNNd for <add@ietfa.amsl.com>; Fri, 12 Mar 2021 11:18:39 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 560F43A1C0D for <add@ietf.org>; Fri, 12 Mar 2021 11:18:39 -0800 (PST)
Received: by family.redbarn.org (Postfix, from userid 716) id D03AC7599B; Fri, 12 Mar 2021 19:18:35 +0000 (UTC)
Date: Fri, 12 Mar 2021 19:18:35 +0000
From: Paul Vixie <paul@redbarn.org>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>, tirumal reddy <kondtir@gmail.com>
Message-ID: <20210312191835.rhsyikec46uzmnk4@family.redbarn.org>
References: <161544385340.18570.13061001177806683345@ietfa.amsl.com> <CAFpG3geAq9oTEJp+uFQ_vHdATgT9Faza-tJURciO=RheLgLDug@mail.gmail.com> <CAHbrMsCK5BUNzF+8nd722R-BR612mM+3oA6x9RzoT_osHWWRzg@mail.gmail.com> <BFF52DBA-5A64-46E5-B51A-9012EF9E09BD@apple.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BFF52DBA-5A64-46E5-B51A-9012EF9E09BD@apple.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/eoebg4gtQ5O1RBngOCRwhXIribY>
Subject: Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2021 19:18:42 -0000
On Fri, Mar 12, 2021 at 11:00:11AM -0800, Tommy Pauly wrote: > > This is clearly a policy prescription, and is out of scope. ... > > Agreed. I think the main issue is that this ends up being an "evil bit". > There's no reason for a client to trust or respect this value, unless they > already have a strong MDM-style relationship, in which case this wouldn't > be needed. i understand why someone working at microsoft or google would confidently assert the above positions, but the rest of the world doesn't work that way. it's not an evil bit. it's a policy expression. as someone who operates and secures managed private networks, the ability to detect noncompliance is vital to _everything else_. therefore the state of compliance must be easily expressed. there are also some non-security benefits, such as configuration management to tell BYOD (who won't be participating in MDM) how to get reliable service. but it's the work flows leading to anomaly detection which provide the strongest motive for being able to express this policy. > I am in favor of letting the network prove authority for private domains, or > even present an identity for itself as the network operator. It's up to the > client to use those or ignore those. a mobile device on a public network probably needs that kind of signaling. any device on a managed private network probably needs different signaling. can we come up with a unified proposal that serves both situations? > The one thing the network could do that might be useful is provide a flag > that it will be actively hostile to any DNS traffic it detects that does not > go to itself, with some reason text. The (minimal) value there is to allow a > client to present a reason for things being broken if the user of the client > device also has a strict policy to not trust this network. not all networks are public, and not all on-path actors are authoritarian governments or surveillance capitalists, and not all devices have users. i'd like to see this discussion move to a broader use case that isn't smartphone centric or web-centric or coffee-shop-wifi centric. -- Paul Vixie
- [Add] Fwd: New Version Notification for draft-red… tirumal reddy
- Re: [Add] Fwd: New Version Notification for draft… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… Paul Vixie
- Re: [Add] New Version Notification for draft-redd… Tommy Pauly
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] New Version Notification for draft-redd… Tommy Pauly
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Eliot Lear
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Victor Kuarsingh
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Bill Woodcock
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… tirumal reddy
- Re: [Add] New Version Notification for draft-redd… tirumal reddy
- Re: [Add] New Version Notification for draft-redd… Ben Schwartz
- Re: [Add] New Version Notification for draft-redd… Vittorio Bertola
- Re: [Add] New Version Notification for draft-redd… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXT] Re: New Version Notification for … Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] [EXTERNAL] Re: New Version Notification… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] New Version Notification for draft-redd… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Wouters
- Re: [Add] New Version Notification for draft-redd… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy