Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
Rob Sayre <sayrer@gmail.com> Tue, 16 July 2019 20:02 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC626120096 for <add@ietfa.amsl.com>; Tue, 16 Jul 2019 13:02:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xzWV21sWJZHs for <add@ietfa.amsl.com>; Tue, 16 Jul 2019 13:02:30 -0700 (PDT)
Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C794C120041 for <add@ietf.org>; Tue, 16 Jul 2019 13:02:30 -0700 (PDT)
Received: by mail-io1-xd43.google.com with SMTP id g20so41962554ioc.12 for <add@ietf.org>; Tue, 16 Jul 2019 13:02:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=l2mZgiJfQExL5wAUdH1dghvdI834Gn/Hdxh3lhUOZvs=; b=JZWR9pmwhM2XNfT56AkCIXvqR3u31e8nDnhrhVX6Dl3Q9atVqnWmVKymcqkZJA9+5P Yv5z139bYmKk4PrSt5qV5k0xfSqF/wCJgFCjJL7nysgP6incyWskN9437qQRvcfU2iZR FR/gfIXuQGzXAmB81O5+ZeUfKL0yvya125tYm9ucYgWeeNOWJaE76EoH3KHTHUgZh8BR Zo5kxPMFj6yM5qkCxuKUDzoLdr99G5MCDKnIu3XJvHeF9JYepCTcjpPy+AaEytUANwP6 RinuLLHpqe1DdW0TGnZ1IB0LSTVsv52qJaXTVk0r/JEQ0XKKvwJiyF60MCWC/KCjDNwK d86A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=l2mZgiJfQExL5wAUdH1dghvdI834Gn/Hdxh3lhUOZvs=; b=Vxzw7m97bf/+Y3wj8eWXdrr/+phacU0RQYNsYGDPe/THbrDVi0aJiq6aRJqNQw/VAt +RgEkmCM1igrqWnGVEk96UbqfEeA8IZKQ5FuhUsGNG7RKwaRl51ZLXZIsyfNbhZkRElJ svDwOBdbCQA6xDAC0rjcPBTPnw6FJQVFUSPzU6gnlyLG0BWyFWAfkPvObvfOEzpT/G5T Tp6M5MQNrUDlptiFJJU7X7WsAwrAAhjAy/onLAErgVRCNRvCeXoGo3p7tAHLD048a4Iz e75TNVdYvFzbskZT1J2qspFbgNrSYO1lvJ/sVkoBBCfWEGZ0YibkY2Ho45aFeOstips6 0VPQ==
X-Gm-Message-State: APjAAAWoIyXJ+IljIHYwU0I9JHP5sbY5EPSxsg4jijJqhYryvXYbtTUf 4znZngY2oGlWbjcTxgaAcUgDVuww9tFbZCt9IDE=
X-Google-Smtp-Source: APXvYqz5MoHlwpEEovyOQxeRZXXeDYbzHyQSFf973V/b/OTM/7RpGM6sNa4CP4K7vdn+fPL36ir/wZUcgv1BpniH4bM=
X-Received: by 2002:a5e:c00e:: with SMTP id u14mr34180500iol.196.1563307349963; Tue, 16 Jul 2019 13:02:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <CABcZeBNa97Vb6Fw-fMhoZnMezGtm3nJODENN4=XXsz7GWxf2Cg@mail.gmail.com> <CAChr6Sxm__NroZ92v4HL_6iCa62fwYgNw9r8ZDAxCdzVwNoDGw@mail.gmail.com> <CABcZeBMxQgDZJs3BQkb7xiN6Gm=joBqLmTnHCO+TMdKQyUepOg@mail.gmail.com> <CAChr6SxN+72tY6_6tw-TeBWeYh4XQr-VRip_2LQh3Mnsk85GPw@mail.gmail.com> <CABcZeBPNevTZDXXXuRS87+YpZ8xY+Y79inW2x0AmPL2Hd9xNmQ@mail.gmail.com>
In-Reply-To: <CABcZeBPNevTZDXXXuRS87+YpZ8xY+Y79inW2x0AmPL2Hd9xNmQ@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 16 Jul 2019 13:02:18 -0700
Message-ID: <CAChr6SwYv66zuxCQv0FOjuqqsLxmVL++bK37x9G1S24XUKVgYg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Alec Muffett <alec.muffett@gmail.com>, add@ietf.org, "Dixon, Hugh" <Hugh.Dixon@sky.uk>
Content-Type: multipart/alternative; boundary="00000000000044fca2058dd1db04"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/hd7rJ5ZvlnKoQ1ysuiMAcLIWJAw>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 20:02:33 -0000
On Tue, Jul 16, 2019 at 12:53 PM Eric Rescorla <ekr@rtfm.com> wrote: > > Taking a TRR-style system out of the equation for a moment. Suppose that > what I want is for all devices on my network to use a filtering resolver. I > don't expect any evasion because they're all my devices, it's just a matter > of convenience to centrally configure it. So what I do here is I configure > my DHCP server to provide the IP address of that resolver. Now, those > devices do unencrypted DNS because that's what everyone does. Now, suppose > that resolver starts offering DoT. How do my devices learn that > information? The resolver could tell them over DNS but then we have a > straightforward downgrade attack from anyone on the network. Do you agree > with this so far? Do you have a proposed solution? > In fairness, I'm not sure I quite follow. But, if I worked at a browser vendor, I would be worried about DoH rollout too. I think I'd gradually ratchet up the security signals in the location bar with the end result of marking sites insecure if their IP was fetched over DNS in the clear. This is distinct from choosing a DNS vendor. thanks, Rob
- [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Andy Grover
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
- Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
- Re: [Add] draft-grover-add-policy-detection-00 Vittorio Bertola
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
- [Add] Firefox DoH behaviour Jim Reid
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] Firefox DoH behaviour Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Richardson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Barry Greene
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Erik Kline
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
- Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Erik Kline
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… tirumal reddy
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Evan Hunt
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ralf Weber
- Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Livingood, Jason