Re: [Add] [EXTERNAL] My single use case
Daniel Migault <mglt.ietf@gmail.com> Mon, 14 September 2020 21:41 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1581F3A0A1C for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 14:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ft1r0dz9mKMw for <add@ietfa.amsl.com>; Mon, 14 Sep 2020 14:41:48 -0700 (PDT)
Received: from mail-vk1-xa2b.google.com (mail-vk1-xa2b.google.com [IPv6:2607:f8b0:4864:20::a2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BE323A09EE for <add@ietf.org>; Mon, 14 Sep 2020 14:41:48 -0700 (PDT)
Received: by mail-vk1-xa2b.google.com with SMTP id e5so330218vkm.2 for <add@ietf.org>; Mon, 14 Sep 2020 14:41:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sESWaCl80NWPHM2JGele/aRJ+thlm/XZCAOYrIf1xek=; b=uHjBKikcFm05eoSe3/V67va0eqpZmpy7FnaxhUjj3Y5HvBew7G0f7SDxZTRzD1bBBT /H59x4IpCIvJkkdcmfsRfqrj6m43YqlWXbe6ko/Vy4/689ktNWlhbMNlmdvasyms3LKI x3f9BcJiW9Td2Yf9ROJloGHkLtM5MrZGWp94dh2IPVGRtiABfDYn4aMUUzkqoSBPQlds H3bK7C0fKM2M7q++ZjZMYCNNhBdCEFgFzHD6al6vCJS49mpcyeLJVSFdRbWS3QMzhcqJ Wu5HXzJV9Kln+hpiWmwndIYIkRcMfHvklTzoNzggP9rq+ot2TIPX0Uwn6Qk9/OlbUflh i2kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sESWaCl80NWPHM2JGele/aRJ+thlm/XZCAOYrIf1xek=; b=fRCY61Gfl2sRJkPaezSLzf96Rf94KLsv1V2SwMfSSxHGkCYS0aghvJSt6h+pLn27zD RLvjvrH4/n1/PT1qWZV6TDBdI5KBOZKqAOYwg9PrF2IofFFW33tMumkf+W39/zQNzccB /u+srydHcFUUqLFx1uu0JjeIvzTPJAm9/UnX5rUeJmpdp58NA2/FU++trbwBzZNqdz2P S7KlsOFJ07J19g+Rkm7hBdBnlbsIjuBzhzcPH7wyS9tBmvQXx7wKdmz6iYSr0UoZs3YK EHXGiUEMcGkQ3wTrbeOSe4ntWIKjMPJasQ1/gTMVvPF+lHbpK7MJ/j8cQoIglddYzvwb iT1g==
X-Gm-Message-State: AOAM532Exqv97B1D/GAFDdA8d/qkN/le3pmHGvXw9wh7rRKA58GTXrp8 4elbEGOFOz0HyxxzbRUwrN+guUp2hqNzfL0oFgUyETV6m3I=
X-Google-Smtp-Source: ABdhPJxyHVp6tbPhS3GnIluEEkYx196qUfrhxtIkUwxvFGv0yVz/3YZAtlvj8UjLLmeYym208aAAGuh7CezDW/1GFTo=
X-Received: by 2002:a1f:2445:: with SMTP id k66mr8576976vkk.33.1600119707087; Mon, 14 Sep 2020 14:41:47 -0700 (PDT)
MIME-Version: 1.0
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com> <CAHbrMsBduVj7fzutp9x7rYpXo6wLUK7-Pe4VvDHaF45dj==PYQ@mail.gmail.com> <CADZyTkmeYXNiL1yt1FUdKRS=mAmde4gkbu7wkn+HBFEPcdV-4g@mail.gmail.com> <2114958553.1165.1600102557668@appsuite-gw2.open-xchange.com>
In-Reply-To: <2114958553.1165.1600102557668@appsuite-gw2.open-xchange.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 14 Sep 2020 17:41:35 -0400
Message-ID: <CADZyTkmb-_HH8KjD3PaFe8YM+NbA_T2O98bQFdL=D+Y+rqQNAA@mail.gmail.com>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Cc: "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bd356f05af4ce6f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/mXOH-8kfuJ22wijBdp6k9N7Psq0>
Subject: Re: [Add] [EXTERNAL] My single use case
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 21:41:50 -0000
Hi, I believe that DNSSEC is a good way to get authenticated information. Especially as DNS is the common protocol between DoX. With DNSSEC, TLSA would bind a key to a FQDN and the FQDN needs to be bound to *your* or *the* or *an* ISP. If UI are involved this seems sufficient as long as the EU is able to see it is connected to connectivity_provider.net <http://my.isp.net>. What I had in mind was to improve the level of confidence without UI but by binding the resolver to the IP address used by the user. Of course the connectivity provider is not necessarily the legitimate one, but still that would be the associated resolver. One mechanism I would consider is binding the IP address with DNSSEC to you resolver.sip.net. One way of doing so is to start with a reverse resolution of the public IP address which provides the FQDNs of the resolvers. Note that in some cases the CPE also advertises the Public IP address of the ISP resolver. I do not know how frequent this is. Yours, Daniel On Mon, Sep 14, 2020 at 12:55 PM Vittorio Bertola < vittorio.bertola@open-xchange.com> wrote: > > Il 14/09/2020 17:54 Daniel Migault <mglt.ietf@gmail.com> ha scritto: > > <mglt> > You could also validate (cryptographically) the correspondence between the > encrypted DNS and the Do53, but in essence the confidence of the > authentication will remain with a similar level of the Do53. The discovery > could also provide some proofs that the resolver is associated to your ISP > or the entity providing you the connectivity with a reasonable level of > confidence. > </mglt> > > For the use case of "same-provider auto-upgrade" as currently implemented, > being sure that a given DoH resolver really corresponds to the currently > active Do53 system resolver would suffice, even if you were not able to > authenticate who is actually operating those two resolvers. (This is > different from "same-provider auto-upgrade only for selected trusted > providers", which requires a hardcoded list of trusted providers in the > client, but as far as I understand the objective is to get rid of hardcoded > lists altogether.) > > For this purpose, we could simply use a TLSA record. The Do53 resolver > would provide a TLSA record together with the RESINFO/TXT/whatever response > to the discovery query, and when establishing the DoH connection, the > client would validate the certificate against the TLSA record. If you add > DNSSEC to the Do53 communication, this should be a secure process. Could > this work? > > (Glenn - perhaps this is a specific topic for discussion tomorrow: > authenticating the relationship between a Do53 and a DoH resolver without > necessarily identifying their operator, i.e. breaking your #3 topic into > two separate parts) > > -- > > Vittorio Bertola | Head of Policy & Innovation, Open-Xchange > vittorio.bertola@open-xchange.com > Office @ Via Treviso 12, 10144 Torino, Italy > > -- Daniel Migault Ericsson
- [Add] My single use case Martin Thomson
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen
- Re: [Add] My single use case Chris Box (BT)
- Re: [Add] [EXTERNAL] My single use case Jim Reid
- Re: [Add] [EXTERNAL] My single use case Robert Mortimer
- [Add] Zone ownership in DNS server discovery Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Ben Schwartz
- Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
- Re: [Add] Zone ownership in DNS server discovery Tommy Jensen
- Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
- Re: [Add] [EXTERNAL] My single use case Martin Thomson
- Re: [Add] My single use case Martin Thomson
- Re: [Add] My single use case tirumal reddy
- Re: [Add] Zone ownership in DNS server discovery tirumal reddy
- Re: [Add] Zone ownership in DNS server discovery Vittorio Bertola
- Re: [Add] Zone ownership in DNS server discovery Joe Abley
- Re: [Add] My single use case Eric Rescorla
- Re: [Add] My single use case tirumal reddy
- Re: [Add] My single use case Eric Rescorla
- Re: [Add] [Ext] My single use case Paul Hoffman
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [Ext] My single use case Eric Rescorla
- Re: [Add] [EXTERNAL] Re: [Ext] My single use case Geist, Dan (CCI-Atlanta)
- Re: [Add] [EXTERNAL] Re: Zone ownership in DNS se… Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen
- Re: [Add] [EXTERNAL] My single use case Martin Thomson
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [EXTERNAL] My single use case tirumal reddy
- Re: [Add] [Ext] My single use case Eric Rescorla
- Re: [Add] [EXTERNAL] My single use case Daniel Migault
- Re: [Add] My single use case Daniel Migault
- Re: [Add] [EXTERNAL] My single use case Vittorio Bertola
- Re: [Add] [EXTERNAL] My single use case Andrew Campling
- Re: [Add] My single use case Steffen Nurpmeso
- Re: [Add] [EXTERNAL] My single use case Daniel Migault
- Re: [Add] [Ext] My single use case tirumal reddy
- Re: [Add] [EXTERNAL] My single use case Tommy Jensen