Re: [dane] An AD bit discussion

Mark Andrews <marka@isc.org> Thu, 27 February 2014 04:29 UTC

To: Andrew Sullivan <ajs@anvilwalrusden.com>
From: Mark Andrews <marka@isc.org>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <m3txbly9ui.fsf@carbon.jhcloos.org> <alpine.LFD.2.10.1402261930400.3528@bofh.nohats.ca> <20140227022347.GC73737@mx1.yitter.info> <20140227031628.B4A1610765F9@rock.dv.isc.org> <20140227034723.GA73861@mx1.yitter.info> <20140227041753.3509810773A8@rock.dv.isc.org> <20140227042335.GA1726@mx1.yitter.info>
In-reply-to: Your message of "Wed, 26 Feb 2014 23:23:35 -0500." <20140227042335.GA1726@mx1.yitter.info>
Date: Thu, 27 Feb 2014 15:29:33 +1100
Message-Id: <20140227042933.15C4610785F3@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/RGyapIeP_fJEByvHdvLkG2eFc7Q
Cc: dane@ietf.org
Subject: Re: [dane] An AD bit discussion

In message <20140227042335.GA1726@mx1.yitter.info>, Andrew Sullivan writes:
> On Thu, Feb 27, 2014 at 03:17:53PM +1100, Mark Andrews wrote:
> > I walk into a coffee shop.  I get an address.  I manage to get IPsec
> > running between the server and myself because both ends are configured
> > for opportunistic IPsec.
> 
> What does that have to do with the deployment scenario I was asking
> about in the Microsoft case, or the one I understood Paul to be asking
> about?  Those cases are entirely to do with managed infrastructure,
> and the question is, _if_ you have that kind of managed infrastructure
> scenario and _if_ you accept that someone could subvert your
> management model (but you don't care because if they can do that then
> you're screwed anyway), then is there any value in the AD bit?  I
> think the answer is, "Maybe," but we're never going to sort that out
> if people persist with arguments about scenarios that have nothing to
> do with the one under discussion.
> 
> Yes, you should not trust the AD bit from random parts of the Internet
> or opportunistic IPsec or whatever.  But that's not the case we're
> talking about, I think.

s/coffee shop/BYOD and access to the AD DOMAIN resources/

Should you still trust the nameservers to not corrupt DNS responses?
My answer to that is NO, by default.  If MS have the machines configured
to do that by default they are leaving the owner of the machine exposed.
> A
> 
> -- 
> Andrew Sullivan
> ajs@anvilwalrusden.com
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org