IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

Ben Schwartz <bemasc@meta.com> Fri, 13 October 2023 15:59 UTC

Return-Path: <prvs=3650f8f382=bemasc@meta.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 208AAC14EB1E for <add@ietfa.amsl.com>; Fri, 13 Oct 2023 08:59:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.092
X-Spam-Level:
X-Spam-Status: No, score=-2.092 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meta.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gHGQA0yD62T6 for <add@ietfa.amsl.com>; Fri, 13 Oct 2023 08:59:32 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DD33C14CE51 for <add@ietf.org>; Fri, 13 Oct 2023 08:59:09 -0700 (PDT)
Received: from pps.filterd (m0109333.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 39DDcbQC016319; Fri, 13 Oct 2023 08:59:05 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=s2048-2021-q4; bh=koFPlnA5G5hgZPMkCSK2cyExIzRVx4augSc4yltMig0=; b=QKqW8DAsBBfEb0K8aE6ZCgeQ2ecP4/qyYoobuOWcOm+/4QqUcGI6J0wSBuKLSwRMhyTP j7ZUTvUv8s8skpYdetWdX3gpRavNmZzpTgYcmn1r867iy3LtSF6zedEKSL25wfczrRXj BGOo7qDRd8nXmy2njlzb9Wvt7f85Ka8tS5h/EzMTEAC6Thske6o+zXSnznDLiAb3xG0M 3W+b5y8a+kVZnwnqAFqNKk3G6DWHSEaqFKqhXG5bnxSL3Vz31v4Zjkake9llRWFa+1of WYa9wV4zcW51pt87pNwQLCLYmmqT1JSYFt/aZuud69hAffFAPzh9r95kfUTytwFFk17O 3A==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2169.outbound.protection.outlook.com [104.47.56.169]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3tpt1vbdnw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 13 Oct 2023 08:59:05 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=F94QUiLcCN3RKeOusnhd8yqxh2k1HLTwMGPNoPDb8Z3vfpJyTmtEwJBqASEsEFr52XReAUeMVaerqqbtxYVIfs+sDz3e5+9qEMQa7JzR8gjVRoEmQ+4cqZoU1LfV3z/XrGQrD6Gop+Ny+qecg4CsF16f0IMSCP8wGTR9PY0RHGcUoAvvji+NAb7qM4Z9ymZVPYtJ+CvISeT/HxLDJ7DxnDSH2G4CkJc0CayA5hEEsvgsjJoe0Xl62Bwcii/5KzMUD4oAtO6veRZdVRmJbtq2/OsQNAH/KOzRapcp1SuJH/tNDTHSgEXX7oeionzMzYfmaPI/aRbHCR5QFKSafq7CFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=v8bX/2W2o1D4PBEQDfXYjN7OmEH2O70xH4/qgqGYFcw=; b=Z3cCwtbYkVUHvCfZWwksxCnWN86BqQvwPuJlt2PUBBixOyLWgcnN6nkJOH0dymz+AXNYkrkWhpqm9JKPQLhSCK/9F+marjsw55p+tO/wIfkQEiWJP6r3PyQ+rkJSjjBtk02iIeqRirwipr1O8lT8H/KKjPcnTigcot70i26whgJNhIupamRiWKeY48MXPwrFwhKobf7QKPFIddAvNH2BCIStwh+CQxGnZ+O15mq3OvRPstoK67yw2KDlYYNaJGH7iBmAhNp9YEMY7uCIKl/2KBT3Hgk5ZdVqHwW6e7IsP3w595RKd4cN1G1qH+xeFCtwtpa7d3Ttb4YeL5BL3pOjug==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from BN8PR15MB3281.namprd15.prod.outlook.com (2603:10b6:408:aa::24) by BL3PR15MB5388.namprd15.prod.outlook.com (2603:10b6:208:3b3::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6863.46; Fri, 13 Oct 2023 15:59:03 +0000
Received: from BN8PR15MB3281.namprd15.prod.outlook.com ([fe80::d9e2:fc18:82fa:fd56]) by BN8PR15MB3281.namprd15.prod.outlook.com ([fe80::d9e2:fc18:82fa:fd56%5]) with mapi id 15.20.6863.043; Fri, 13 Oct 2023 15:59:02 +0000
From: Ben Schwartz <bemasc@meta.com>
To: tirumal reddy <kondtir@gmail.com>
CC: "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
Thread-Index: AQHZ9pqG4HQEQrLVek+YnRmR0mZIQ7BEPGKAgAD2dF6AAn2vAIAAMGe8
Date: Fri, 13 Oct 2023 15:59:02 +0000
Message-ID: <BN8PR15MB32816A104B16005165DA5C75B3D2A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <169640714475.30083.4833419078785956639@ietfa.amsl.com> <CAFpG3ge7G=0f+sWGqL8ANWG+nd=e3ngf7CdbUfhpjQvRYaatbg@mail.gmail.com> <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAFpG3gcnL1Fmx5hbQEBJUzTVsoBf7CMOOUuHiV-8DRQOLrbY4A@mail.gmail.com>
In-Reply-To: <CAFpG3gcnL1Fmx5hbQEBJUzTVsoBf7CMOOUuHiV-8DRQOLrbY4A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN8PR15MB3281:EE_|BL3PR15MB5388:EE_
x-ms-office365-filtering-correlation-id: 81dce9d6-6163-42d1-103e-08dbcc055217
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LKJi3SxeEG//alm8ftrdEdDgcNupKCF2uLBc/LtO9evq3ylkMbq9YiBZ2ctjE1CO6qe87auiD9itdQSsX841KGx4J9uQNCkKdTsyz7fnAentcqaWb+GzaP4T76IuBrH6zHIVt0oV71hGLx25RnBvrHMU4Cy9yProj0s6nvYGAWnUEL6Msjly+Rddni3xszWUHidqVfKQRE25CMjSK7QOEJJIUEhXUzQuYzujJMhJHGjOMdskQVUTUnua2ota0MUABpVowjTxS24hP2TZvwWA2KeVljgYtAXBPMI2IM7h6j5neHRdPHzRznoIozKgMrvJe3SZG9eEsv4/MM+HpdABCsFtvlEc6eHMwWp7wnYbBIIyG5IYYw/Y95jn6q3wGp8KEF1pII238SeyQLwWJZmHk1r5E84Ice4MAApsIAbhLJnMPIl0BE5AVWZEEbeFKDKEuEAghD7FdnVFSPBs1h3mlIuZZ8pw6m9+hcwEj1qBlJE00GsDvWRqmpZnu9179mc3R5bKCpbYmP+w+3eldsA9BhLxHMDEt5ArO81iW8vDIFJM9KXY8oB/iRLDrOKobQGySSX5lKpJ/GezUkANVawur5woI0r9kmy0VqsYoplYjvPSf8mUruta3R46cfKupPxj
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN8PR15MB3281.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(366004)(376002)(136003)(396003)(346002)(39860400002)(230922051799003)(451199024)(64100799003)(1800799009)(186009)(76116006)(64756008)(66476007)(66556008)(66946007)(66446008)(6916009)(316002)(91956017)(86362001)(55016003)(5660300002)(83380400001)(41300700001)(8936002)(52536014)(66574015)(4326008)(8676002)(33656002)(26005)(122000001)(53546011)(966005)(38070700005)(7696005)(6506007)(478600001)(71200400001)(19627405001)(166002)(38100700002)(9686003)(2906002)(835385004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: gb+ssmIuLi80bHKLaAvM5HToe5r8sMTpLvS4paQvzHIJii29ps7j4oHB2lukF+fndL6/NnkHxBwopfntD6CSWKji1gNW6/7iuy7jvxyxPIjZUAUk3vS2LcHWm7UqVoo/cRCcWDnKuHNoXOwI1lrqD0q1Jy9M0wxZXttG3tGnUaeOhNTvUAG4vU8k0c3bhDOjNBB0FnS78SsOllp07AIidPIKBI/7/mWx6/5QyK/3LYv8NHkkb6wquLbLcQsTMcXn3qd8uM3sNRCH6LUjWU5/xHwjPy3JpZXmEZkd3CQEEeaS3sdho8KOordYzvi4pi/jCHR5QH6kW9jsdf/mGgoo90WoiPb/50178QAsOqVVEU11hSqZonDPeb21+pXnSoILMDgdrBMTdZO54lfkfqrnbMu23JrcW60XjsICEmycG3iJWQBLpiL6EKk6i+7ReCmSAaoUz41KOl2DhFelXEsVZkgg59VdA9E3z+YX7/+qyJtk7iFBHwtl8fJJN001jSaKKzU0g1T/k72RMtEbzo/RkUEVoxWWafIA5x87WSotyNZJHMbAhu/jEnnafEmrL1QJm8U2Z6vOEWI3Vw9xKtAW5d5zvCsBORCqfG3pVOf71W6AVJqGZTX4Yl7+tYbp8WvJBWwJ5EN4cepaliPZo0ggG13+q2u2K5kD1YGIjuJYpLIjfM7xCCLsq8GXWqwa/xNAJ7w0zwHNNxMBJRWbXKSjGMve3tMbcr6rjKM27GTrFH6yVH8eaj9WjSVIBzMPeHkUXcNAOtG9rDsZvKnmOmNyC5tO1ZoX2WKRAZgy3rqAPHOAaqQtcGl7OSWqEV53vYU00hZe0P0eBD+A8PCFZ04sCv0oF5nvOhRXV47aezCwLs+KxTU2ZmWy0BlM7XDGHCz2lC2IV5iDk3S8HjkDJD/CSmknuAt6YqYydhAQzxG10GqS2UUYvmnu8YK4Ur8zpmQib7J27tgwoOmLOEaxLr4r+Tumo0Zm4Y42BU6ir9m486SbPrCocwGqLxX7nldtZeku2dPWf8yh4fEa2bbFkqwULeV3dAPMwtHKkpe+Ivk2l65u2s/6CAsjZQVhF4i/mItTOuke5Rbs0hHMmdXn4zoTFqn2nhZ1dHaEGyucxf1QZO9FTdCDhuBwe10Pss5Gywy0cot18i7VfhVh2L36G/uQmjrNiThX/RBdsLrAofoA+SwlmE5oWfN6dQzS6491HS+/Z2Er3Z1kFcNw/xLDlJ6NVvVZQoC+8ABTbcy4mwv+dYPJ2nffSdFPRSCo1d9hv/iGf8ONjW8e0ZnE9beoqGqWpWtT0Lt0NHi0BD28a3XmEj6s6imVIkyuP/sfx6v6w7x2Lgn42GQqlcWbUqVUtveFQFAZd7L/Sdo3MEwdsPUrbFAhvjEbMFEo5CxbNFZHlO1wD7FrxHb7y6k/Svos6scFFgL/X3HxMXDBwMb9TgVcALdQ1nQeMkDHezb2cCEjxOea6uBPai59msXALgJquNcfGGtUPkfNTJgIFIQ5VuSH23wPDKYwLYiQ0LmEKjO4ntBhfOhbwANaa7wfG1n/VtraVjljYfBIaNMnB/Okppr4t+o=
Content-Type: multipart/alternative; boundary="_000_BN8PR15MB32816A104B16005165DA5C75B3D2ABN8PR15MB3281namp_"
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN8PR15MB3281.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 81dce9d6-6163-42d1-103e-08dbcc055217
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Oct 2023 15:59:02.7071 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HP0AulEQQqfE7ZeRQXFGV48J4G8H7NW/MQwP91a/yLSi98sZkEvtrVaJr/G4M/TA
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL3PR15MB5388
X-Proofpoint-GUID: ZtQbPxmpmdN28s92EAVcm_Lhtxo5iZT2
X-Proofpoint-ORIG-GUID: ZtQbPxmpmdN28s92EAVcm_Lhtxo5iZT2
X-Proofpoint-UnRewURL: 10 URL's were un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-10-13_07,2023-10-12_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/keLokPE0O3mWGRdQ2Ph-C1rTnRE>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 15:59:37 -0000

Reasoning about the security properties of insecure systems is tricky.  Instead of asking "does this enable an attack", we have to ask "does this make the attacks worse in some scenario"?

In this thread, we are discussing attackers who are falsifying RESINFO records.  This is only possible if (1) the attacker is upstream of the server* (which could be a resolver or forwarder) AND (2) that server is not DNSSEC-validating AND (3) that server is not using authenticated encryption on this connection AND (4) that server is not RESINFO-aware.

Given these preconditions, we can then ask: does accepting RESINFO make anything worse for the client?  Under these conditions, the attacker can already observe all upstream queries and generate arbitrary responses.  They essentially have taken over the resolver.  For example, the attacker controls the effective QNAME minimization policy: the attacker could capture all queries until the full QNAME is revealed, then pass that name un-minimized to the root servers and other parent zones.

The same logic applies to Kaminsky attacks and off-path cache poisoning: this attacker could point the IP addresses of popular TLD nameservers (or maybe even the root) back to themselves, allowing them to capture virtually all queries and control the responses.

Adding special cryptographic protections to RESINFO is not helpful when the actual functions of the resolver remain unprotected.

In general, RESINFO claims are not verifiable by the client.  The client simply has to trust that the server is telling the truth, which means it needs a particular kind of pre-existing trust relationship with that server operator.  I think the simplest solution is to note in the draft that clients MUST NOT rely on RESINFO unless they have an out-of-band agreement with the server operator to abide by its published RESINFO policy ... which implicitly prevents this attack (via point 4 above).

If we really feel the need to provide authenticated-but-still-untrusted RESINFO, we can move it to EDNS, which is not vulnerable except in pathologically insecure deployments.

--Ben

*Excluding off-path cache poisoning attacks for the moment.
________________________________
From: tirumal reddy <kondtir@gmail.com>
Sent: Friday, October 13, 2023 8:14 AM
To: Ben Schwartz <bemasc@meta.com>
Cc: add@ietf.org <add@ietf.org>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

On Thu, 12 Oct 2023 at 04: 03, Ben Schwartz <bemasc@ meta. com> wrote: I guess "sig" is based on a security concern I raised about draft-jt-add-dns-server-redirection? In that draft, an upstream injection attacker could poison
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender

ZjQcmQRYFpfptBannerEnd
On Thu, 12 Oct 2023 at 04:03, Ben Schwartz <bemasc@meta.com<mailto:bemasc@meta.com>> wrote:
I guess "sig" is based on a security concern I raised about draft-jt-add-dns-server-redirection?  In that draft, an upstream injection attacker could poison the resolver's own SVCB record, allowing the attacker to make the client bypass their chosen resolver entirely, and instead use the attacker's resolver ~forever.  This is a kind of "scope expansion": a transient, injection-only attacker on one path can upgrade themselves into a permanent, read-write attacker on all paths.

RESINFO doesn't have this problem.  Yes, an upstream attacker could inject a RESINFO response, but only to the same extent that they could poison any other query in the cache.  (If the resolver is DNSSEC-validating, injection on resolver.arpa is impossible.)  I don't see a scope expansion attack here.

Yes, scope expansion attack is not possible but DNSSEC protection is not possible with SUDN "resolver.arpa". In case of DDR, the client will not know whether RESINFO RR is originating from the discovered encrypted resolver or not.

-Tiru


Operationally, "sig" seems distinctly inconvenient.  Any DNS server that sits behind a TLS terminator or CDN will have extreme difficulty implementing it.

I recommend removing "sig".

If upstream attackers are a concern, I would solve that by moving RESINFO into EDNS, which is not controlled by the authoritative server.  (EDNS could still be manipulated by an attacker between a forwarder and its upstream resolver ... but that attacker can already control the content of all responses, so they effectively are the resolver.  Also, if the resolver and forwarder are so tightly integrated that the resolver can sign RESINFO with the forwarder's TLS private key, why aren't they using a secure transport?)

--Ben Schwartz
________________________________
From: Add <add-bounces@ietf.org<mailto:add-bounces@ietf.org>> on behalf of tirumal reddy <kondtir@gmail.com<mailto:kondtir@gmail.com>>
Sent: Wednesday, October 11, 2023 3:30 AM
To: add@ietf.org<mailto:add@ietf.org> <add@ietf.org<mailto:add@ietf.org>>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

This revision, https: //www. ietf. org/archive/id/draft-ietf-add-resolver-info-06. html, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.   -Tiru On Wed, 4
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender

ZjQcmQRYFpfptBannerEnd
This revision, https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html<https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html>, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.

-Tiru

On Wed, 4 Oct 2023 at 13:42, <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> wrote:
Internet-Draft draft-ietf-add-resolver-info-06.txt is now available. It is a
work item of the Adaptive DNS Discovery (ADD) WG of the IETF.

   Title:   DNS Resolver Information
   Authors: Tirumaleswar Reddy
            Mohamed Boucadair
   Name:    draft-ietf-add-resolver-info-06.txt
   Pages:   10
   Dates:   2023-10-04

Abstract:

   This document specifies a method for DNS resolvers to publish
   information about themselves.  DNS clients can use the resolver
   information to identify the capabilities of DNS resolvers.  How such
   an information is then used by DNS clients is out of the scope of the
   document.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/<https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/>

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html<https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html>

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06<https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06>

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add<https://www.ietf.org/mailman/listinfo/add>

v2.23.0 | Report a Bug | By Email