IETF Logo Mail Archive

Re: [Add] What to do in this potential working group

David Conrad <drc@virtualized.org> Wed, 21 August 2019 21:04 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9C96120091 for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 14:04:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id na8fQD_vEPYD for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 14:04:53 -0700 (PDT)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1727512007C for <add@ietf.org>; Wed, 21 Aug 2019 14:04:53 -0700 (PDT)
Received: by mail-pf1-x432.google.com with SMTP id b24so2271611pfp.1 for <add@ietf.org>; Wed, 21 Aug 2019 14:04:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtualized-org.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=EsyRIVqdps1CXDK4j2Ob3JxM7oq0/62ieQJ67KHFyvc=; b=AZVEV5VzowsnNWZUgaLNkrV57BHHxpd3jLZX2f+kRkdgVavZB6enmpMfKjU1u+vDwl qy7tfVnQj3dC0s+ftkOP5xUpK1jjqvPM76MmmSoo93y1jtFu1ELW+ZQQ+RD/69lPB9xn PMVvt6CVXOgtPFhHRr+9k99YYBis/f+S7QsLW6FoUhq26PE7HzL0YSsSlW3vlh4FVDaj 3f9+VtN+r3rpl9cRwkpYyeUIdCYC1Fb71I6SSoYsfQx4fz10rXaNnxm5Eh+BMpzEs2qu aJZPyMqaVNCZDkDh96t0/r9YhhVRBdk0UO2CUsHtLZjm7s4QzPMS4/NRcPoj0YcZvvSv bjBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=EsyRIVqdps1CXDK4j2Ob3JxM7oq0/62ieQJ67KHFyvc=; b=Flak8G5RRIdPWMYerT+G9jau8QSbJ7YoImRoFUTNoPHAOwcpKAj+uvLOnVR7ta3I2Y b5ItPMFMeZG3NzEj7doSiOsut1Std22Syg9fKlrOyX/ahNbPR5cmihAaa3qKaM8R9ZbC LrtagTsDARITTVt1UEUGbJJ4dwGP0dJRl7jYJ/kkMmFf4RJADz0rLTVeGOAQgJgzlBjw GcKqlJQX5w/f3rPuzfHtAlobh0uUohRt4VL+XUWrHnzkz+fXzfP0b2xRdOTwH5SPS0VC SyrCCWXAOmcEHYP6PgsbYHh0Jmy5QZPchzAYvUIOzz9W+NyySViPx3ZPKu1DO2HpE8oD F1fw==
X-Gm-Message-State: APjAAAU4tUJYohkV4LDWvlCZMZFZE1jV0CZT7jxKs/zquTVn2dIUq1mn S/yFFn5dgIsa6Y0tIbTQ+hC0jA==
X-Google-Smtp-Source: APXvYqxpPFZban2rjiMFlnz++BQH62VgPO4cQh1pBMr1SIjs67PVVKglUbFfe+OvbI5fqn+dLQ+UBw==
X-Received: by 2002:a17:90a:de02:: with SMTP id m2mr1983451pjv.18.1566421492642; Wed, 21 Aug 2019 14:04:52 -0700 (PDT)
Received: from ?IPv6:2620::2d0:110:a001:9cbc:6eb4:c2df? ([2620:0:2d0:110:a001:9cbc:6eb4:c2df]) by smtp.gmail.com with ESMTPSA id e17sm943745pjt.6.2019.08.21.14.04.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Aug 2019 14:04:51 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_E99A8D52-03CD-4330-AC22-1CC77982D104"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com>
Date: Wed, 21 Aug 2019 14:04:50 -0700
Cc: ADD Mailing list <add@ietf.org>
X-Mailbutler-Message-Id: 8C19922D-D1DA-4766-8ECC-EEFD9A5AC8D8
Message-Id: <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com>
To: Alec Muffett <alec.muffett@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/wYsrUX5jc12Dl7QwHMmC85QXM2c>
Subject: Re: [Add] What to do in this potential working group
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 21:04:55 -0000

Alec,

On Aug 21, 2019, at 1:24 PM, Alec Muffett <alec.muffett@gmail.com> wrote:
> On Wed, 21 Aug 2019, 19:17 David Conrad, <drc@virtualized.org <mailto:drc@virtualized.org>> wrote:
> Further, you cannot ensure to the end user that the “trusted” resolver operator has not tampered with the data, be it due to court order, internal attack, software bugs, etc.
> But you can assure that it is a response from the resolver which you chose (contracted?) to deal with,  rather than some happenstance resolver.

If your interest is ensuring that the DNS data the client is receiving corresponds with what the authority for the domain inserted into the zone, what you are assuring is essentially meaningless, regardless of which resolver you talk to.  Actually, given TRRs would be concentration points, the situation is arguably worse than if you used a happenstance resolver: what would happen if the TRR you contracted with is subject to a court order under seal that requires that TRR to modify responses for particular domains?  How would you know?

DoH is channel protection. Can we please stop suggesting DoH addresses data integrity?

Regards,
-drc

v2.23.0 | Report a Bug | By Email