[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

tirumal reddy <kondtir@gmail.com> Tue, 23 July 2024 09:23 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD89AC17A743 for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2024 02:23:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5IYQf4mjrHYX for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2024 02:23:38 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92031C1CAE6C for <dnsop@ietf.org>; Tue, 23 Jul 2024 02:23:38 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2ef18ca13f2so5978161fa.3 for <dnsop@ietf.org>; Tue, 23 Jul 2024 02:23:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721726616; x=1722331416; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gPlrXco8bVRA97VdxwkXi/vl/UAabjaB8kD+7/71Gbc=; b=klOhNJ3gJL6Y78WTpVwvFxH7zAP4R6A7+49INisb+7Dw0R0XX4kGs38iVCYMP8qshZ oLNUzgeQveNq5UjlZMq9Tc1Ohhh4M+yPHSIEyoXWtik+3WVbHLfG5ZQcpz9F2BBrQ1ZS gNxEr0tQYjgUWr/BxslXtMIVrv56GDvek79UdPLep/mVRqfI1M7uSbeeBY0adDD2CcJ7 AQDags4FisSub9FiA82COrTOQaSFe6nXeN4GiUwF7ggzrqdahWSYWh4vsAXryOuZwH4u ns1+XvPIaPwMLjR55rEFfDQsbhpY3ct4fcQkDpgWSksPirIW5DwmQSf69wPoZJGwvufW vJgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721726616; x=1722331416; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gPlrXco8bVRA97VdxwkXi/vl/UAabjaB8kD+7/71Gbc=; b=Kt7ho5z3OFxRcZgwjlrGbYCIm2fumwdptLfc8KyP5zaPRVEIqd2q6wl/AKbHkd2PIZ 32SiMcopUd/Z0a+GyW8qvb68QlPw/dEHdsYjIFrfdo437Zmjp3fEbKF/r1bdlMSAedat WF1YKP5r6XTe9hhNN1TYwlpIi1x9BlDOAKKiUeowZauO6DH4xvQt2HFOQvc/pMNqSfQZ C5C/9B03huxzdkNQ4uiKWpLC8ceEZ6esq6LOYtdGgk+tuv9jgZg0nBQJ9N51+nNRh+gO jsSOkfm/NLTgCwyAKIVRzLyLNxq5XqsHRg/MzxlnDGUbdidhUcDzSW+NHR5DHUNRcxta uZlg==
X-Gm-Message-State: AOJu0YwxDPkpyVKcFijlVjz1kOYmN5566lD3eAyASQ7Uu43GFoa7Xh3q gffx0ihC4HjswTzfV/Tc/8sBZpYcvLiXFk++2lIYL//R9DitpR2DYYo40wyH1/r8kuHzV5f0Naa AIHF69GOH81AYx0TvqSUDYWjWSMI=
X-Google-Smtp-Source: AGHT+IH9jE6jCKrEsTbvVHPcz9yzsLe/dFXXwrcyewAudaewIVlTu9bMeFZsLpgYqwCbAnglRHKfNHNjRfT0/PkdUjs=
X-Received: by 2002:a05:6512:2828:b0:52f:cad0:2d4a with SMTP id 2adb3069b0e04-52fcad03262mr287604e87.9.1721726615998; Tue, 23 Jul 2024 02:23:35 -0700 (PDT)
MIME-Version: 1.0
References: <171951314842.227.16506719010762251285@dt-datatracker-ff7f57fbb-ch6dm> <SA1PR00MB1344B00639280305247F898FFAD72@SA1PR00MB1344.namprd00.prod.outlook.com>
In-Reply-To: <SA1PR00MB1344B00639280305247F898FFAD72@SA1PR00MB1344.namprd00.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 23 Jul 2024 14:52:59 +0530
Message-ID: <CAFpG3gfPnZnMFCWNfXabd5v+hRG=ixymQ=Yu5u1oDcTTgXiK5w@mail.gmail.com>
To: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000058dbb6061de6b7b2"
Message-ID-Hash: SMHITRQNYZF2MPWXBY4DWUPTDGK7QBND
X-Message-ID-Hash: SMHITRQNYZF2MPWXBY4DWUPTDGK7QBND
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>, "Damick, Jeffrey" <jdamick@amazon.com>, Jessica Krynitsky <Jess.Krynitsky@microsoft.com>, "Engskow, Matt" <mengskow@amazon.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BkOyYmB8Eb1Qdn8AjA-2RNsZbTY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

 In enterprise networks, DNS services typically enforce policies at the
organization and user-group levels, rather than at the individual user
level. DNS filtering is generally not imposed based on individual user
identities. It would be interesting to evaluate other possible solutions
that could enforce security policies at the organization and user-group
levels without revealing the end-user identities to the DNS service.

-Tiru

On Fri, 28 Jun 2024 at 00:12, Tommy Jensen <Jensen.Thomas=
40microsoft.com@dmarc.ietf.org> wrote:

> Hello dnsop,
>
> Not to distract from the "should we deprecate DNS64" discussion I started
> after proposing updates to 7050, but this is the second draft (last one, I
> promise) I'll be proposing to this group as interesting work ahead of IETF
> 120. Joining me are co-authors Jessica from Microsoft and Jeff and Matt
> from Amazon.
>
> In light of enterprises increasingly using encrypted DNS for their own
> "Protective DNS" resolvers, we are proposing best practices for when and
> how to use client authentication with encrypted DNS. Since this is a Good
> Thing for enterprises who control both peers (stronger security for client
> policy application and security auditing post-attack) and a Bad Thing
> otherwise (privacy violations for the non-enterprises cases common to
> consumers), we feel there is a need to specify when implementors should or
> should not use it.
>
> Spoiler alert: we prefer mTLS as the ideal authentication mechanism. I'll
> let the draft speak for itself as to why. Feedback and discussion is
> welcome.
>
> Thanks,
> Tommy
>
> ------------------------------
> *From:* internet-drafts@ietf.org <internet-drafts@ietf.org>
> *Sent:* Thursday, June 27, 2024 11:32 AM
> *To:* Jeffrey Damick <jdamick@amazon.com>; Jessica Krynitsky <
> Jess.Krynitsky@microsoft.com>; Matt Engskow <mengskow@amazon.com>; Tommy
> Jensen <Jensen.Thomas@microsoft.com>
> *Subject:* [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
>
> A new version of Internet-Draft draft-tjjk-cared-00.txt has been
> successfully
> submitted by Tommy Jensen and posted to the
> IETF repository.
>
> Name:     draft-tjjk-cared
> Revision: 00
> Title:    Client Authentication Recommendations for Encrypted DNS
> Date:     2024-06-27
> Group:    Individual Submission
> Pages:    11
> URL:      https://www.ietf.org/archive/id/draft-tjjk-cared-00.txt
> Status:   https://datatracker.ietf.org/doc/draft-tjjk-cared/
> HTML:     https://www.ietf.org/archive/id/draft-tjjk-cared-00.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-tjjk-cared
>
>
> Abstract:
>
>    For privacy reasons, encrypted DNS clients need to be anonymous to
>    their encrypted DNS servers to prevent third parties from correlating
>    client DNS queries with other data for surveillance or data mining
>    purposes.  However, there are cases where the client and server have
>    a pre-existing relationship and each peer wants to prove its identity
>    to the other.  For example, an encrypted DNS server may only wish to
>    accept resolutions from encrypted DNS clients that are managed by the
>    same enterprise.  This requires mutual authentication.
>
>    This document defines when using client authentication with encrypted
>    DNS is appropriate, the benefits and limitations of doing so, and the
>    recommended authentication mechanism(s) when communicating with TLS-
>    based encrypted DNS protocols.
>
>
>
> The IETF Secretariat
>
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>