Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 24 November 2017 14:47 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Sara Dickinson <sara@sinodun.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Fri, 24 Nov 2017 14:47:09 +0000
Message-ID: <BN6PR16MB17773C32E11F7D83593905BFEA260@BN6PR16MB1777.namprd16.prod.outlook.com>
References: <878tfwey8w.fsf@fifthhorseman.net> <73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com> <871slkd66k.fsf@fifthhorseman.net> <alpine.LRH.2.21.1710301539500.31082@bofh.nohats.ca> <7709D3C3-D879-421B-B81A-7908F521B9D5@sinodun.com> <E4F9F152-ACCA-4C75-A6A4-00E10B2025AB@vpnc.org> <BFA37D35-D72A-451F-ADD3-7C464409B7F3@sinodun.com>
In-Reply-To: <BFA37D35-D72A-451F-ADD3-7C464409B7F3@sinodun.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/U-wGi0QCtA-8d6Bkp32Jaopv_lM>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

Proposed text looks good to me.

-Tiru

> -----Original Message-----
> From: dns-privacy [mailto:dns-privacy-bounces@ietf.org] On Behalf Of Sara
> Dickinson
> Sent: Tuesday, November 14, 2017 4:34 PM
> To: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11:
> we should revert DNSSEC validation requirement
> 
> Hi All,
> 
> This draft is now ready to progress once a -12 version is available. I just want
> to circle back round to summarise the fact that the only proposed difference
> that will be in the -12 version compared to -11 is the following (in section 7.2.
> Direct configuration of ADN only):
> 
> Current text:
> 
> “It can then use Opportunistic DNS connections to an untrusted recursive
>    DNS resolver to establish the IP address of the intended privacy-
>    enabling DNS resolver by doing a lookup of A/AAAA records.  Such
>    records SHOULD be DNSSEC validated when using a Strict Usage profile
>    and MUST be validated when using Opportunistic Privacy."
> 
> New text:
> “It can then use Opportunistic DNS connections to an untrusted recursive
>    DNS resolver to establish the IP address of the intended privacy-
>    enabling DNS resolver by doing a lookup of A/AAAA records. A
>    DNSSEC validating client SHOULD apply the same validation policy
>    to the A/AAAA meta-query lookups as it does to other queries.
>    A client that does not validate DNSSEC SHOULD apply the same policy (if any)
>    to the A/AAAA meta-query lookups as it does to other queries."
> 
> I hope I captured the consensus correctly? Please let me know as I intend to
> put out the -12 (final) version next Monday (20th).
> 
> Sara.
> 
> > On 31 Oct 2017, at 16:12, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> >
> > On 31 Oct 2017, at 8:06, Sara Dickinson wrote:
> >
> >> So maybe “A DNSSEC validating client SHOULD apply the same validation
> policy to the A/AAAA meta-query lookup as it does to other queries.”?
> >
> > That could be misinterpreted to indicate that there has to be some positive
> validation policy. How about:
> >   A DNSSEC validating client SHOULD apply the same validation policy
> >   to the A/AAAA meta-query lookup as it does to other queries.
> >   A client that does not validate DNSSEC SHOULD apply any policy it
> >   has to the A/AAAA meta-query lookup.
> > --Paul Hoffman
> 
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
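The -12 wording above settles what a client should do with the A/AAAA "meta-query" for its configured ADN: apply its ordinary DNSSEC policy, no more and no less, because the server authentication that the Strict profile relies on happens at the TLS handshake, not at the lookup. The following is an added example written for this page; it is not code from the draft, from the dprive working group or from anyone in the thread. It models the section 7.2 bootstrap for a client configured with an ADN only: the meta-query answered over an untrusted path, the client's own DNSSEC policy (a `DnssecState` enum stands in for a real validator), and the Strict / Opportunistic decision at TLS time. The ADN `dns.example.net`, the addresses, the certificate names and the `bootstrap`/`scenarios` helpers are all constructed for the example, and the Opportunistic profile's fallback to cleartext is deliberately not modelled.

```python
"""Bootstrapping a DNS-over-TLS resolver configured by ADN only.

Added example, not text or code from the draft or from this thread.
The ADN, the IP addresses, the certificate names and the DNSSEC states
below are constructed; no network traffic is generated.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Profile(Enum):
    STRICT = "strict"                # the server MUST be authenticated
    OPPORTUNISTIC = "opportunistic"  # encrypt if possible; unauthenticated is tolerated


class DnssecState(Enum):
    SECURE = "secure"      # chain of trust validated
    INSECURE = "insecure"  # provably unsigned delegation
    BOGUS = "bogus"        # signed, but validation failed


@dataclass(frozen=True)
class MetaAnswer:
    """A/AAAA answer for the ADN as returned by the untrusted bootstrap resolver."""
    addresses: Tuple[str, ...]
    dnssec: DnssecState


@dataclass(frozen=True)
class TlsPeer:
    """What a TLS handshake to one address would present (constructed)."""
    san_names: Tuple[str, ...]
    chain_valid: bool


class BootstrapError(Exception):
    pass


def apply_validation_policy(answer: MetaAnswer, validating_client: bool) -> Tuple[str, ...]:
    """The -12 rule: treat the meta-query exactly like any other query.

    A validating client rejects BOGUS (as it would SERVFAIL any other bogus
    answer); SECURE and INSECURE are usable. A non-validating client has no
    policy to apply and uses the answer as-is.
    """
    if validating_client and answer.dnssec is DnssecState.BOGUS:
        raise BootstrapError("meta-query for ADN failed DNSSEC validation")
    return answer.addresses


def name_matches(presented: str, adn: str) -> bool:
    """Mechanical RFC 6125 style match: exact, or a single leftmost wildcard label."""
    presented, adn = presented.lower().rstrip("."), adn.lower().rstrip(".")
    if presented == adn:
        return True
    if presented.startswith("*."):
        labels = adn.split(".")
        return len(labels) > 1 and presented[2:] == ".".join(labels[1:])
    return False


def authenticate(peer: TlsPeer, adn: str) -> bool:
    """Strict-profile authentication: valid chain and the ADN present as a SAN."""
    return peer.chain_valid and any(name_matches(n, adn) for n in peer.san_names)


def bootstrap(adn: str, profile: Profile, validating_client: bool,
              answer: MetaAnswer, peers: Dict[str, TlsPeer]) -> Tuple[str, bool]:
    """Return (resolver_ip, authenticated) or raise BootstrapError."""
    for ip in apply_validation_policy(answer, validating_client):
        peer = peers.get(ip)
        if peer is None:
            continue  # nothing listening on 853 at this address; try the next one
        authed = authenticate(peer, adn)
        if profile is Profile.STRICT and not authed:
            continue  # Strict never proceeds with an unauthenticated server
        return ip, authed
    raise BootstrapError(f"no usable DNS-over-TLS server for {adn} under {profile.value}")


# Constructed scenario data: a genuine resolver and an attacker who holds a
# perfectly valid certificate for a name that is not the ADN.
ADN = "dns.example.net"
PEERS = {
    "192.0.2.53": TlsPeer(("dns.example.net",), chain_valid=True),
    "198.51.100.9": TlsPeer(("attacker.example",), chain_valid=True),
}
HONEST = MetaAnswer(("192.0.2.53",), DnssecState.SECURE)
SPOOFED = MetaAnswer(("198.51.100.9",), DnssecState.BOGUS)  # forged on the untrusted path


def scenarios() -> Dict[str, str]:
    """Run the cases the thread argued about and describe each outcome."""
    cases = [
        ("strict/validating/honest", Profile.STRICT, True, HONEST),
        ("strict/non-validating/spoofed", Profile.STRICT, False, SPOOFED),
        ("strict/validating/spoofed", Profile.STRICT, True, SPOOFED),
        ("opportunistic/non-validating/spoofed", Profile.OPPORTUNISTIC, False, SPOOFED),
    ]
    out: Dict[str, str] = {}
    for label, profile, validating, answer in cases:
        try:
            ip, authed = bootstrap(ADN, profile, validating, answer, PEERS)
            out[label] = f"{ip} authenticated={authed}"
        except BootstrapError as exc:
            out[label] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:40s} {outcome}")
```

The two spoofed Strict cases show why the old "MUST validate" language was not doing security work: a validating client rejects the bogus answer at the lookup, while a non-validating client accepts the attacker's address and is then stopped at the TLS handshake because the attacker cannot present a certificate for the ADN. Under the Opportunistic profile the spoofed address is used unauthenticated, which is the risk that profile accepts regardless of how the meta-query was resolved.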