IETF Logo Mail Archive

Re: [Add] What to do in this potential working group

David Conrad <drc@virtualized.org> Wed, 21 August 2019 18:17 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18AFD120E34 for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 11:17:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r7HYZRHW2-cl for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 11:17:07 -0700 (PDT)
Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7D74120E2F for <add@ietf.org>; Wed, 21 Aug 2019 11:17:07 -0700 (PDT)
Received: by mail-pf1-x42d.google.com with SMTP id q139so1932312pfc.13 for <add@ietf.org>; Wed, 21 Aug 2019 11:17:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtualized-org.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=UHz26Ct/MbdK+cuZdmubd0Ty7bsj/m/haioBFho+Sls=; b=LG2GIQWdmLVPwsHRm9614ao52OLyGJD2rFa7JeamwO3w0uwdf3lO+rSqtuBdYS9Oux 3irol1N9heLoNrYjWfry8tB0QWiB3a/g9pzqf319au2H4B7NpFM70gMk1LwLznIMX1qK YErmmSbsAWHJasHpPC9mf9GQtk77U5UwXb2enbtNSIJsHQReSG0uBfSguWCUmAecQXhN uxJD3zihMixS6cLdq1F3qUzmk/eAVBPOs9xEnomKmFPphmBX56syVCRmdRDJawJCIA6O jGf+c4atyMOKKMcHTXRo6n+paCvTVMDlhEJ+z4ndxmArE5JpLaY50W/BGbuA2MWmwtBP foNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=UHz26Ct/MbdK+cuZdmubd0Ty7bsj/m/haioBFho+Sls=; b=PDtiVA3Bin9XrBJTKn6pUtfQQbBgFoeoyOizVfoyTAvONW22f8P+USUVzVCR9Sj0Jk wGTZVm51O5t1SAZpcXNrt7j70FsxYs2X4GK1/jQDbiIISJ2x6VzcYzvIsX029bWbatbS +PnzAwUMOblhRwHDcf3rt7UAWNFHJg0MQyvjhmaMaS6h9kM728SrETYdvstT7VKfEWe3 zoVcyQR9zcIHDY/jViZWCJ73t6NqdhWFopMeFIBklKeW3Y2iH34YH2QANgO3nJOIb+xu xAfi0PshF9XSdvoIRssnN4GxDSgAYAGT603zcXB8rD5Xqj2gPkmnRFXUQt89kuooacIG SjfQ==
X-Gm-Message-State: APjAAAVyA+F1W6EDNlXmNxj+bF7gb9TQr8zTkI0+nOa/JulUh+47II5d owX9IB0JMsYr5RQIR61hoErOPQ==
X-Google-Smtp-Source: APXvYqwoPsrSlknyw2u0wGOOQCFO+mBIcq+ROVwd4zPBwzQPYY+Ih8UczPlp4piIzgp6D/iixSau6A==
X-Received: by 2002:a62:754a:: with SMTP id q71mr32349879pfc.15.1566411427189; Wed, 21 Aug 2019 11:17:07 -0700 (PDT)
Received: from ?IPv6:2620::2d0:110:a001:9cbc:6eb4:c2df? ([2620:0:2d0:110:a001:9cbc:6eb4:c2df]) by smtp.gmail.com with ESMTPSA id 14sm28988240pfy.40.2019.08.21.11.17.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Aug 2019 11:17:06 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_BCD895CE-8E28-490B-90D9-CB61331199E7"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com>
Date: Wed, 21 Aug 2019 11:17:05 -0700
Cc: ADD Mailing list <add@ietf.org>
X-Mailbutler-Message-Id: 8FB71730-055E-437B-A2E5-3DA38C7DF151
Message-Id: <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com>
To: Alec Muffett <alec.muffett@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/y0IVtZYtSAN6JBeiRQxS7XtjIqQ>
Subject: Re: [Add] What to do in this potential working group
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 18:17:09 -0000

Alec,

On Aug 21, 2019, at 11:06 AM, Alec Muffett <alec.muffett@gmail.com> wrote:
> On Wed, 21 Aug 2019, 18:59 David Conrad, <drc@virtualized.org <mailto:drc@virtualized.org>> wrote:
> The only way to truly ensure a trustworthy answer is to protect the actual answer. Which is what DNSSEC does.
> Fortunately we do not have to wait for DNSSEC in order to get answers from the people from whom we wish them supplied, privately and untampered-with, which is the whole point of DNS over HTTPS.

As mentioned, this is not the traditional answer for what is “trustworthy” when it comes to DNS data: instead of trusting the zone owner (more specifically, the holder to the zone signing key), you are trusting the resolver operator.

The data is ONLY private between the end user and the resolver operator.  It is NOT private to the resolver operator (something people have been repeatedly pointing out) nor is it private between the resolver operator and the authorities.

Further, you cannot ensure to the end user that the “trusted” resolver operator has not tampered with the data, be it due to court order, internal attack, software bugs, etc.

Again, DNS over HTTPS protects the data channel. It does NOT protect the data.

Regards,
-drc

v2.23.0 | Report a Bug | By Email