Re: [Add] data integrity and DNSSEC or DoH/DoT
Andrew Campling <andrew.campling@419.consulting> Wed, 04 September 2019 08:54 UTC
From: Andrew Campling <andrew.campling@419.consulting>
To: Neil Cook <neil.cook@open-xchange.com>, Eric Rescorla <ekr@rtfm.com>
CC: Jim Reid <jim@rfc1035.com>, ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/RIlktWlbvtt5R1iDbYQKrJ6fFEg>

On 3 Sep 2019, at 15:35, Neil Cook <neil.cook@open-xchange.com> wrote:

> Ok yes I understand. The blocking reason wouldn’t be that useful in the general case of not knowing whether a resolver was malicious. However I think the fact that the resolver is telling you that the content is blocked is still useful, no matter what the reason for the blocking is, for the reason described above. For example in your use-case, the user would see “this site is blocked by the DNS resolver” (or whatever) rather than “TLS connection error” which would be the case today.
>
> Also assuming the resolver is “trusted” in some way (e.g. Mozilla TRR program) then the reason for blocking may then become useful I’d have thought.

This would seem to be a useful addition to a trusted resolver programme, and would begin to offer additional, meaningful value to users.

Andrew

Regards

Andrew Campling MBA MSc DipM FRSA MCIM MIoD Liveryman
Director | 419 Consulting Ltd | Tel: +44 (0) 7710 303010 | E: Andrew.Campling@419.Consulting | t: @Andrew_Campling

This email contains information from 419 Consulting Ltd that might be privileged or confidential. And it's only meant for the person above. If that's not you, we're sorry - we must have sent it to you by mistake. Please email us to let us know, and don't copy or forward it to anyone else. Thanks. We monitor our email systems and may record all our emails. 419 Consulting Ltd Registered in England: No 11944258