Re: [Add] What to do in this potential working group
David Conrad <drc@virtualized.org> Wed, 21 August 2019 18:17 UTC
Alec,

On Aug 21, 2019, at 11:06 AM, Alec Muffett <alec.muffett@gmail.com> wrote:
> On Wed, 21 Aug 2019, 18:59 David Conrad, <drc@virtualized.org> wrote:
>> The only way to truly ensure a trustworthy answer is to protect the actual answer. Which is what DNSSEC does.
>
> Fortunately we do not have to wait for DNSSEC in order to get answers from the people from whom we wish them supplied, privately and untampered-with, which is the whole point of DNS over HTTPS.

As mentioned, this is not the traditional answer for what is “trustworthy” when it comes to DNS data: instead of trusting the zone owner (more specifically, the holder to the zone signing key), you are trusting the resolver operator.

The data is ONLY private between the end user and the resolver operator. It is NOT private to the resolver operator (something people have been repeatedly pointing out) nor is it private between the resolver operator and the authorities.

Further, you cannot ensure to the end user that the “trusted” resolver operator has not tampered with the data, be it due to court order, internal attack, software bugs, etc.

Again, DNS over HTTPS protects the data channel. It does NOT protect the data.

Regards,
-drc
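The channel-versus-data distinction drawn in the message above, as a small model added here (not part of the original message and not code from any DNS implementation). It assumes an HMAC under a client-to-resolver session key as a stand-in for the DoH/TLS channel and a Lamport one-time signature as a stand-in for a DNSSEC RRSIG; all function names and records are constructed for illustration.

```python
import hashlib, hmac, secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Data protection: Lamport one-time signature by the zone owner (stand-in for an RRSIG).
def zone_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def zone_sign(sk, rrset: bytes):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(rrset))]

def zone_verify(pk, rrset: bytes, sig) -> bool:
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, digest_bits(rrset))))

# Channel protection: MAC under the client<->resolver session key (stand-in for TLS).
def channel_tag(session_key: bytes, payload: bytes) -> bytes:
    return hmac.new(session_key, payload, hashlib.sha256).digest()

def resolver_reply(session_key, rrset, sig, rewrite=None):
    # The resolver terminates the channel, so whatever it sends is channel-authentic.
    answer = rewrite if rewrite is not None else rrset
    return answer, channel_tag(session_key, answer), sig

def client_checks(pk, session_key, answer, tag, sig):
    return {
        "channel": hmac.compare_digest(tag, channel_tag(session_key, answer)),
        "data": zone_verify(pk, answer, sig),
    }

def demo():
    sk, pk = zone_keygen()
    rrset = b"www.example. 300 IN A 192.0.2.10"      # constructed record
    sig = zone_sign(sk, rrset)                        # made by the zone owner
    key = secrets.token_bytes(32)                     # client<->resolver session key
    honest = client_checks(pk, key, *resolver_reply(key, rrset, sig))
    altered = client_checks(pk, key, *resolver_reply(
        key, rrset, sig, rewrite=b"www.example. 300 IN A 203.0.113.66"))
    return honest, altered

if __name__ == "__main__":
    print(demo())
```

In the altered case the channel check still passes because the resolver itself produced the tag; only the check against the zone owner's key notices the changed record.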