Re: [Add] What to do in this potential working group
Ted Hardie <ted.ietf@gmail.com> Wed, 21 August 2019 17:37 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CFE0120D8B for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 10:37:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ok9giolIGXTX for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 10:37:05 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65A21120D87 for <add@ietf.org>; Wed, 21 Aug 2019 10:37:05 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id t6so6237553ios.7 for <add@ietf.org>; Wed, 21 Aug 2019 10:37:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CHrKloXMIS8nIXHOKcaLNjoasN7sqGuZTNc6ipZhB8A=; b=chaQG77k0AixouhDoCB2tp630gZU2DWFeEkIn2FlublxL2olo5hW0jtLKHsF5FgehO +mV8c8r6LHX9Wdi0cpY3dsAoe+rA2UIqYEuAeCcCXOUYT4JSpOFKZcg3Hwa/s+WsNK9j tokH7yOvcuQJLwouTV0HrWkaXexIkckUSkD3S+ytcGvLH93XBgK8ErgUkB2jE50LURmS iC+QFhw8HgaDT9UAM8XRo1qKJotI6dxHxqLcY3knku9qRaoPOi8kY3X+SdWB59cdTnIX dqLVF2nAYmHsfrXlQCRm73p840ixxA6dweklFDMPHbKXJEQMcVu3TTsejcPWMQIpRlpV xVTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CHrKloXMIS8nIXHOKcaLNjoasN7sqGuZTNc6ipZhB8A=; b=cPqXBmL0f010YPcpn7X/EEwvuEmaQ6kvYqH0DTvf3TBD5hcJ4npExzRdN1YlD4oZbO ycodwfriCAnTMsGc5ioQXzVwflkdjOBxWe9rLheRRxEKpLmX4COsQWc7meeAF06TOgsW xfW/F98NXd8MfpBtcAFALHkz30EVYJWD7YMS2RGe71MaoheyP/RxUFjoiG7ODIBQqjma YzcftyRRo5yi5DIo6uqv91V8uZWWugBXtdLjJmfAf4h9vkF8tU2qNPFHlYnd2AuoUQw5 Aprwd8C8ss3wbMiaNB+9Z+nC6m/7fqsqfoxr3uraDMmE7obCNWLcRXxyzdEtzTZc75tn nYoA==
X-Gm-Message-State: APjAAAWRu844Sp3j7yKz9cF63pluGfKvqy8rKbHxNkN6kT/Fm2qlMm8A Ltocuibc9YzBKDvLReeM7Vwtdb5DEmx6jJ3HlKoPrg==
X-Google-Smtp-Source: APXvYqwgdYbaO0hyWHqQ8+9tjg++neYmlpRfVOf/iBHEZCoqG9V9hl1vm9R/glVSoSLbSMF3yRjPQFNC2md07SRb9/E=
X-Received: by 2002:a5e:c911:: with SMTP id z17mr10439367iol.119.1566409024254; Wed, 21 Aug 2019 10:37:04 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net>
In-Reply-To: <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 21 Aug 2019 10:36:38 -0700
Message-ID: <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com>
To: Jari Arkko <jari.arkko@piuha.net>
Cc: Eric Rescorla <ekr@rtfm.com>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000076bb8b0590a405a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/gkOEB8XOq0IO_-RmX6tDddLLHHA>
Subject: Re: [Add] What to do in this potential working group
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 17:37:07 -0000
Hi Jari, I'd like to slightly re-cast your point and see if you still agree. If so, I think I understand better what the working group might do. If not, the discussion may help me personally understand your point. I think there are several possible threat models here. The basic threat model that DoT and DoH respond to is lack of confidentiality from observers on the path. That is addressed if the selected resolver implements DoT or DoH and is reachable to the client.* The second threat model is that a resolver may provide an untrustworthy answer (e.g. captive portal). The use of DoT and DoH can help with this if the client device, application, or user selects a trustworthy resolver** and uses the TLS certificate to verify they have reached that service. The third threat model is that the use of a single large common recursive resolver mitigates against attacks which track resolution events at the authoritative servers (since there are common cached replies), but results in that large common recursive becoming an attractive target for unsavory business practices, court orders, and infiltration attacks. Because of browser fingerprinting techniques the available information may be larger for DoH than it would be for other clients. Your concern is that using DoH as a response to the first and second attacks is increasing the risks related to the third. Is that approximately correct? If so, I think there are practices that we might develop and recommend (e.g. selectively sending queries to different trusted resolvers) and some of those may also touch on the split DNS issue. My modest experience in this realm suggests, though, that experiments are the only thing that would tell you the impact of those practices on latency, correctness, and leakage. So I'd want some indication that folks are willing to run those experiments before taking on that work. regards, Ted (as an individual) *DoH was suggested in part because DoT was commonly getting blocked; I don't have fresh data, though, on whether this is still the case. **For whatever value of trustworthy is assigned; this point doesn't rely on a definition of that being common. On Wed, Aug 21, 2019 at 3:55 AM Jari Arkko <jari.arkko@piuha.net> wrote: > Ekr, > > I fully realise that there will be differences of viewpoints when it comes > to the trustworthiness of individual DNS service providers. > > But I was trying to make a different point. While we may disagree which > provider I’d like to use for the DNS service, I think it would be quite > reasonable for us to agree that if all of us put our all our queries in one > place (whatever that is) that this causes severe problems: > > - That place becomes immensely valuable from a commercial data mining > perspective. There’s a risk that it will at least at some point be used for > data mining, despite whatever the intentions of the people who set this > system up now is. > > - That place becomes immensely interesting to for governments to tap. > There’s a risk that this tapping is either already happening or will be > happening going forward, despite best intentions of the people who set it > up or who manage it. > > - That places becomes critical infrastructure and a weak point that we do > not need in the Internet. > > As a result, I would like to suggest that the IETF actually concludes the > above and recommends against this practice. > > For whatever it is worth, I can understand some motivations for doing > something like this e.g. in browsers. Some good reasons and potentially > also some not so good reasons. But even with that background, it is > difficult for me to imagine a worse act for the Internet than making > browsers call home for every action of the user. The privacy impacts for > the users are unimaginably bad. > > A few years ago we realised that surveillance organisations were looking > at people's traffic, and we managed to change the Internet to protect this > traffic with cryptographic means. I think it is to think about the next > step, and ensure that we don’t create an Internet architecture that puts > everyone’s data at central location. > > Obviously, encrypted DNS is still hugely important, as are global DNS > services. However, the deployment model of using one (or a small number of) > providers is just wrong. That would be fixable. > > Jari > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] What to do in this potential working group Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Orth
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Vyncke (evyncke)
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Tommy Jensen
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… David Conrad
- [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] data integrity and DNSSEC or DoH/DoT David Conrad
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] Unstated assumptions in What to do in t… John Levine
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Martin Thomson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Daniel Stenberg
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Martin J. Dürst
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Willem Toorop
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rubens Kuhl
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] What to do in this potential working gr… Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Andrew Campling
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett