Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

"Dixon, Hugh" <Hugh.Dixon@sky.uk> Tue, 16 July 2019 10:31 UTC


Hi Alec –
Given that this is at its core (just) a protocol for asking (any) DNS server whether it has a filtering policy, won’t “non-compliant software” be the sort of software which does not beacon? (Sort-of detectable, but not if it’s essentially optional app behaviour anyway, such that the absence of a beacon isn’t a significant “flag” – certainly not as much of a one as non-existent DNS activity, as it would be if all lookups have gone DoH-to-third-party.)
I think this is just a policy-signalling protocol, to enable users who “want to” to use the preferred policy-implementing resolver (quite possibly using DoH as the transport).  The wording gets a touch confusing in there – I’m sure a next draft would make the distinction clearer.
My comments are not a commentary on the wider effectiveness of the draft proposal by the way, just on the specific example given.

H

From: Add <add-bounces@ietf.org> on behalf of Alec Muffett <alec.muffett@gmail.com>
Date: Monday, 15 July 2019 at 14:18
To: "add@ietf.org" <add@ietf.org>
Subject: [EXTERNAL] Re: [Add] draft-grover-add-policy-detection-00

On Mon, 15 Jul 2019 at 14:14, Alec Muffett <alec.muffett@gmail.com> wrote:

* [as I understand it] any cafe owner using PiHole will be able to suppress TBD.arpa resolution, and disable DoH
* [as I understand it] any state telco (Iran, above?) can suppress TBD.arpa resolution, and arrest anyone who attempts to resolve it for using "non-compliant" software
* albeit the desire to protect people with MITM-filters is variously legislated and appears desirable, I cannot see how delivery of such is now compatible with the themes of rfc7258

Alas how often one hits "Send" and then realises what one should have added:

* [as I understand it] any telco, state-sponsored or otherwise, can capture the IP address of any host which beacons/attempts to resolve "TBD.arpa", and then block all traffic to it, or else divert the latter for "special treatment"

That's not really in the spirit of rfc7258, either.

    - alec

--
http://dropsafe.crypticide.com/aboutalecm