Re: [Add] What to do in this potential working group
Ted Hardie <ted.ietf@gmail.com> Wed, 21 August 2019 20:11 UTC
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Jari Arkko <jari.arkko@piuha.net>, Eric Rescorla <ekr@rtfm.com>, ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/icTFZsmxsojdENPfdLyPI5cb9d0>

Hi Stephen,

One small point:

On Wed, Aug 21, 2019 at 12:58 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>
> > Your concern is that using DoH as a response to the first and second
> > attacks is increasing the risks related to the third. Is that
> > approximately correct?
>
> Perhaps not so much "using DoH" as (over-)concentrating
> queries.
>

I think it is important for us in this group to focus on areas where there is protocol work to be done or operational practice to change where it relates to applications doing DNS. If you wish to write a document on the general topic of why over-concentrating queries to the common resolvers is risky, then I am not sure this is the right group for it. And I personally think the risks are actually quite different for DNS over port 53 than for DNS over DoH or DoT, as the primary risk of observation or active MITM attacks looms much larger there (and is made much easier when there are common destinations).

regards,

Ted Hardie
(as an individual contributor)