Re: [Add] Food for thought?

Mohit Sethi M <mohit.m.sethi@ericsson.com> Wed, 22 January 2020 13:50 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] Food for thought?
Thread-Index: AQHV0FwKeynJ3E29vUysvwsKOw+95af2tTKA
Date: Wed, 22 Jan 2020 13:50:52 +0000
Message-ID: <03037960-e9a7-3dd5-7009-3c79e589fd08@ericsson.com>
References: <CAChr6SwZMid9ruggYAu5bqBEcujhczp34mJ=TZPAjSXw50ZBKQ@mail.gmail.com> <C70ECC76-7431-4FC2-B555-0E1D8D82B449@nbcuni.com> <CAChr6SwYtJh84CLE9n+fuqjdFAaSzNP=aFKqa70KY=Mx+F76MQ@mail.gmail.com> <CWXP265MB0566FDF1030771C6916BE37AC2360@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <F82221F8-35B8-497F-8AA9-F2405000650F@fugue.com> <CAOdDvNqyJhu_q8ALpBeg=zcjyUpHW=fpTxSsoCV0_c=oiXg=pA@mail.gmail.com> <7B424818-0F38-44E7-8EDE-165E96A6221A@icann.org> <CAChr6SyUKmvAQ8niPYjQmL4EREY7c6dqqsjp-M2bt4a_i-L40A@mail.gmail.com> <9c261636-a030-6116-098d-ac89b1227bad@ericsson.com>
In-Reply-To: <9c261636-a030-6116-098d-ac89b1227bad@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/kYbR2WAb-0dbFaA91gt32SoslAE>

My comment may be somewhat misleading and might be interpreted as if I am against forming this working group. That is certainly not the case. I would like to see this working group formed and would be happy to review/contribute as we proceed.

As a more concrete suggestion, perhaps the following bullet in the current charter text could be better explained:
- define a mechanism that allows clients to discover DNS resolvers,
including encrypted DNS servers, that are available to the client
either on the public Internet or on private or local networks;

Rather than distinguishing between private/local networks vs. Internet, it could distinguish home/enterprise networks or whether infrastructure is available to aid the discovery or not. For example, some enterprise networks may have servers (such as a Windows Active Directory Domain Service) to help assist in the discovery of DNS resolvers. This would not be possible in many home networks on the other hand.

--Mohit

On 1/21/20 3:09 PM, Mohit Sethi M wrote:

Hi all,

I took time to study some of the email discussion (albeit not all). I made sure to carefully read the proposed charter text written by Tommy: https://mailarchive.ietf.org/arch/msg/add/yFOsdTOf6VfNzsHPUbuFfQ5URzw.

As security folks, many of us inadvertently solve our problems by making them someone else's. A very naive example of this would be that we solved the key exchange problem of symmetric keys by making it a key distribution problem with public-key cryptography. I know that we shouldn't really discuss solutions when formulating the charter. However, I suggest that we use this opportunity to discuss the starting assumptions for a client to securely discover DNS resolvers.

Some of the proposed solutions that I looked at rely on another trusted server in the network to provide information about DNS resolvers. And how do I discover that trusted server? Well, of course, mDNS. I would like us to solve real problems and not make cyclical dependencies (knowing that solving real problems is hard and time-consuming). I would also like to understand what type of networks are in scope. Assuming a trusted server in the local network to inform me about candidate DNS resolvers is certainly not likely in many/most home networks?

--Mohit

On 1/18/20 4:20 AM, Rob Sayre wrote:
On Fri, Jan 17, 2020 at 7:28 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

This proposal rules out any solution that does not mandate the client (such as an operating system) having an up-to-date set of cryptographic trust anchors (such as the web PKI or other crypto initialization by vendors). It would hobble discovery in many of the common cases that have been discussed, such as my laptop in my home using my ISP's resolver. If that type of hobbling is what this group wants, go for it...

What is the improvement such a group would miss out on?

thanks,
Rob