Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

Tommy Jensen <Jensen.Thomas@microsoft.com> Wed, 17 July 2019 00:40 UTC

From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Rob Sayre <sayrer@gmail.com>
CC: Eric Rescorla <ekr@rtfm.com>, dnsop WG <dnsop@ietf.org>, Paul Vixie <paul@redbarn.org>
Thread-Topic: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00
Date: Wed, 17 Jul 2019 00:40:25 +0000
Message-ID: <MN2PR21MB121397079215D92B82999645FAC90@MN2PR21MB1213.namprd21.prod.outlook.com>
References: <CAChr6SyVmgMpD6Cd=m2Z03nts-Bv9ZVgJkG8oaj_jzwYMUZuCg@mail.gmail.com> <3220557.rvQTihJl8x@linux-9daj> <CAChr6SyM3LSgAdu5+SJGq-n=+AZc7M44BVSru_EZgf9svBHo3w@mail.gmail.com> <8499859.s69PqOT0jb@linux-9daj> <CAChr6Syp4TR2HRy6ehn2rduuPQepADD=2Jj45ba5ncG52i9vYA@mail.gmail.com> <CABcZeBOi2g3X3oSuWuSzUWxTwSCG=auxVzjy+aJEKemVZU7W9Q@mail.gmail.com> <CAChr6Swy76TV=w4sn0VBns1U912rBjYS+DVpR46jPVU6E879fg@mail.gmail.com> <BN8PR21MB120256255A71749066FA7671FACE0@BN8PR21MB1202.namprd21.prod.outlook.com> <CAChr6SwLntKYYPw5e8EerUaj3U_tGoVoRkNu35nmvrdp6ZDnZw@mail.gmail.com>, <CAChr6Szm9q1japfxLMVDEt7LN8bR7EKczL0_qVwowmmq87M7dg@mail.gmail.com>
In-Reply-To: <CAChr6Szm9q1japfxLMVDEt7LN8bR7EKczL0_qVwowmmq87M7dg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sc2TYB7A8kb_Hk4pHqNCtZzhBIA>
Subject: Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

Some reasons I can think of off the top of my head:

  *   Because emails aren't always opened within the safety of corporate controlled networks (where DNS is controlled)
  *   Because security systems should always have fallbacks
  *   Because such a service can be sold to other companies who aren't otherwise interested in hosting their own DNS

I don't understand the point you're going for here, or how it relates to the draft in this thread's subject line.

Thanks,
Tommy
________________________________
From: Rob Sayre <sayrer@gmail.com>
Sent: Tuesday, July 16, 2019 5:10 PM
To: Tommy Jensen <Jensen.Thomas@microsoft.com>
Cc: Eric Rescorla <ekr@rtfm.com>; dnsop WG <dnsop@ietf.org>; Paul Vixie <paul@redbarn.org>
Subject: Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

Hi Tommy,

I also noticed that your email client rewrote the link to "The Register", a site that everyone knows, which then linked to NY Times, etc.

It used the domain "nam06.safelinks.protection.outlook.com". Why would that domain be necessary if DNS-based security worked?

thanks,
Rob


On Tue, Jul 16, 2019 at 10:32 AM Rob Sayre <sayrer@gmail.com> wrote:


On Tue, Jul 16, 2019 at 10:20 AM Tommy Jensen <Jensen.Thomas@microsoft.com> wrote:
The link you shared indicates the problem is RC4, which was removed from TLS in 1.3 for this very reason. This doesn’t demonstrate TLS 1.3 is vulnerable; it demonstrates why adopting TLS 1.3 is so important.

Yeah, that's one part of it, but some of the other approaches described are more general.

thanks,
Rob



Thanks,
Tommy
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Rob Sayre <sayrer@gmail.com>
Sent: Tuesday, July 16, 2019 8:46:42 AM
To: Eric Rescorla <ekr@rtfm.com>
Cc: dnsop WG <dnsop@ietf.org>; Paul Vixie <paul@redbarn.org>
Subject: Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

On Tue, Jul 16, 2019 at 6:41 AM Eric Rescorla <ekr@rtfm.com> wrote:


The certs are public information, so having the certs isn't useful. Can you please be clearer about the attack you are describing?

Sure, here's an article about it:
<https://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/>

Do you have any thoughts on that?

thanks,
Rob
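The exchange above turns on what a URL-rewriting service like Safe Links actually does to a link, and what a DNS-layer control sees when the user clicks it. The following is an added example, not code from the thread, from Microsoft, or from the draft under discussion. It assumes only the wrapper shape visible in the quoted mail: a `<region>.safelinks.protection.outlook.com` URL carrying the original destination percent-encoded in its `url` query parameter. The sample link is constructed to match that shape; its `data` and `sdata` values are made-up placeholders. The `wrap_safelinks` helper exists only to demonstrate nested wrapping and is not a reconstruction of how the real service builds its URLs.

```python
"""Unwrap Safe Links style redirector URLs offline, and compare the host
a DNS-layer control resolves on first click with the real destination."""
from typing import Tuple
from urllib.parse import parse_qs, quote, urlsplit

# Redirector hosts look like <region>.safelinks.protection.outlook.com;
# the original link is percent-encoded in the `url` query parameter.
SAFELINKS_DOMAIN = "safelinks.protection.outlook.com"


def is_safelinks(url: str) -> bool:
    """True if `url` points at a Safe Links redirector host."""
    host = (urlsplit(url).hostname or "").lower()
    return host == SAFELINKS_DOMAIN or host.endswith("." + SAFELINKS_DOMAIN)


def unwrap_safelinks(url: str, max_depth: int = 5) -> Tuple[str, int]:
    """Peel redirector layers without making a network request.

    Returns (destination, layers). Wrapping can nest when an already
    wrapped link is mailed through another tenant, so loop up to
    `max_depth`. A wrapper with no `url` parameter is returned unchanged:
    the code never guesses a target it cannot see.
    """
    current, layers = url, 0
    while layers < max_depth and is_safelinks(current):
        inner = parse_qs(urlsplit(current).query).get("url")
        if not inner:
            break
        current = inner[0]  # parse_qs has already percent-decoded it
        layers += 1
    return current, layers


def first_hop_host(url: str) -> str:
    """Host the client resolves first when the link is clicked.

    For a wrapped link this is the redirector, so a DNS-based filter
    sees nothing about the real destination until the redirect happens.
    """
    return (urlsplit(url).hostname or "").lower()


def destination_host(url: str) -> str:
    """Host the user actually lands on after the redirector."""
    return first_hop_host(unwrap_safelinks(url)[0])


def wrap_safelinks(url: str, region: str = "nam06") -> str:
    """Build a wrapper of the same shape; demonstration helper only (assumption:
    the real service adds more parameters, this one carries just `url`)."""
    return f"https://{region}.{SAFELINKS_DOMAIN}/?url={quote(url, safe='')}"


# Constructed sample, modelled on the wrapped link quoted in the thread;
# `data` and `sdata` below are placeholders, not real tokens.
SAMPLE_WRAPPED = (
    "https://nam06.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fwww.theregister.co.uk%2F2013%2F09%2F06%2F"
    "nsa_cryptobreaking_bullrun_analysis%2F"
    "&data=02%7C01%7Cuser%40example.com%7C0000"
    "&sdata=AAAA%3D&reserved=0"
)
SAMPLE_PLAIN = "https://www.example.net/some/page"  # constructed, unwrapped

if __name__ == "__main__":
    for link in (SAMPLE_WRAPPED, wrap_safelinks(SAMPLE_WRAPPED, "eur01"), SAMPLE_PLAIN):
        dest, layers = unwrap_safelinks(link)
        print(f"DNS sees first: {first_hop_host(link)}")
        print(f"real target:    {destination_host(link)}  ({layers} wrapper layer(s))")
```

The point the two host functions make concrete: for the quoted link, the only name a resolver is asked for at click time is the redirector's, and the destination only becomes visible to a DNS-layer policy after the redirector has already decided whether to pass the click through. Unwrapping offline, as above, is how a mail gateway or analyst gets the destination host without having to follow the redirect.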