[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

Jessica Krynitsky <Jess.Krynitsky@microsoft.com> Tue, 23 July 2024 17:51 UTC

From: Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
To: tirumal reddy <kondtir@gmail.com>, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
Date: Tue, 23 Jul 2024 17:51:27 +0000
Message-ID: <BL3PR00MB14045263AA3CC72DE52BC5CF92A92@BL3PR00MB1404.namprd00.prod.outlook.com>
References: <171951314842.227.16506719010762251285@dt-datatracker-ff7f57fbb-ch6dm> <SA1PR00MB1344B00639280305247F898FFAD72@SA1PR00MB1344.namprd00.prod.outlook.com> <CAFpG3gfPnZnMFCWNfXabd5v+hRG=ixymQ=Yu5u1oDcTTgXiK5w@mail.gmail.com>
In-Reply-To: <CAFpG3gfPnZnMFCWNfXabd5v+hRG=ixymQ=Yu5u1oDcTTgXiK5w@mail.gmail.com>
CC: dnsop <dnsop@ietf.org>, "Damick, Jeffrey" <jdamick@amazon.com>, "Engskow, Matt" <mengskow@amazon.com>
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eythGVu6MCMzp2IE4fLZepWJaDQ>

Hi Tiru,

I agree, and the need to be able to enforce an organizational hierarchy was one of our early requirements as well. Our thinking was that with mTLS, the organization could naturally use PKI to represent this structure (although I will not pretend that OAuth cannot do this too). With client certificates authenticating over TLS, these certs can represent a client device rather than a user identity, and this is largely up to the implementer/organization/network owner to decide the details. We viewed token-based auth as more strongly tied to user identities, and potentially a higher barrier to entry for small organizations which may already have PKI and associated policies.

Thanks!
Jess
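As an added illustration of the device-certificate and PKI-hierarchy model described above (this is example code written for this page, not code from the draft or its authors), the Go program below builds a hypothetical enterprise PKI (root CA -> device issuing CA -> per-device certificates that carry the group in the OU) and then runs the check a protective-DNS resolver would apply to the certificate chain a DoT/DoH client presents: verify the chain to the enterprise root with the clientAuth EKU and pick a block list from the OU. The organization name, OU names, device CNs and block categories are all made up, and the check is exercised directly on constructed chains rather than over a socket. The point is that nothing in the decision is a user identity, only a device and its group, which is the organization/user-group granularity Tiru raises with no end-user identity involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// policyForOU maps a device certificate's OU to the block categories the
// resolver enforces. Both sides are hypothetical stand-ins for an
// organization's groups and its protective-DNS block lists.
var policyForOU = map[string][]string{
	"Engineering": {"malware", "phishing"},
	"Guest":       {"malware", "phishing", "social", "streaming"},
}

// issue generates a P-256 key and a certificate for cn: self-signed when parent
// is nil (a root), otherwise signed by parent, which is how the PKI encodes the
// organizational hierarchy. Device certificates get only the clientAuth EKU, so
// they name a managed device, never a user. Crypto failures panic (demo code).
func issue(cn string, ou []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{Organization: []string{"Example Corp"}, OrganizationalUnit: ou, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert, key
}

// PolicyForPeer is the check the resolver runs on the certificates the client
// sent in the handshake (tls.ConnectionState.PeerCertificates, leaf first): the
// leaf must chain to the enterprise root with the clientAuth EKU, and the block
// list is then chosen from its OU. Nothing here names a user, only a group.
func PolicyForPeer(roots *x509.CertPool, peerCerts []*x509.Certificate) ([]string, error) {
	if len(peerCerts) == 0 {
		return nil, errors.New("no client certificate presented")
	}
	leaf, intermediates := peerCerts[0], x509.NewCertPool()
	for _, c := range peerCerts[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("client certificate rejected: %w", err)
	}
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if blocked, ok := policyForOU[ou]; ok {
			return blocked, nil
		}
	}
	return nil, fmt.Errorf("device %q: no OU maps to a policy", leaf.Subject.CommonName)
}

// BuildScenario constructs the enterprise PKI (root -> device issuing CA ->
// device certs) plus a device from an unrelated CA; chains are leaf first.
func BuildScenario() (*x509.CertPool, map[string][]*x509.Certificate) {
	root, rootKey := issue("Example Corp Root CA", nil, true, nil, nil)
	devCA, devKey := issue("Example Corp Device CA", nil, true, root, rootKey)
	eng, _ := issue("laptop-0042", []string{"Engineering"}, false, devCA, devKey)
	fac, _ := issue("printer-07", []string{"Facilities"}, false, devCA, devKey)
	other, otherKey := issue("Unrelated CA", nil, true, nil, nil)
	rogue, _ := issue("laptop-0042", []string{"Engineering"}, false, other, otherKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, map[string][]*x509.Certificate{
		"engineering laptop": {eng, devCA},
		"unmapped OU":        {fac, devCA},
		"rogue CA":           {rogue, other},
	}
}
```

In a real server PolicyForPeer sits behind a tls.Config with ClientAuth set to tls.RequireAndVerifyClientCert and ClientCAs set to the enterprise root pool (Go then refuses the handshake outright when the chain check fails), and the returned block list is applied to every query on that connection. Two caveats worth noticing in the scenarios: a device that authenticates but has no OU mapped to a policy is refused rather than given a default, and a certificate minted by a CA outside the enterprise is rejected even though its subject is an exact copy of a real device. A stolen device certificate still yields that device's policy, because the certificate authenticates the device, not the person using it; that is exactly the device-versus-user trade-off described above.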
________________________________
From: tirumal reddy <kondtir@gmail.com>
Sent: Tuesday, July 23, 2024 2:22:59 AM
To: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>; Damick, Jeffrey <jdamick@amazon.com>; Jessica Krynitsky <Jess.Krynitsky@microsoft.com>; Engskow, Matt <mengskow@amazon.com>
Subject: Re: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

In enterprise networks, DNS services typically enforce policies at the organization and user-group levels, rather than at the individual user level. DNS filtering is generally not imposed based on individual user identities. It would be interesting to evaluate other possible solutions that could enforce security policies at the organization and user-group levels without revealing the end-user identities to the DNS service.

-Tiru

On Fri, 28 Jun 2024 at 00:12, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org> wrote:
Hello dnsop,

Not to distract from the "should we deprecate DNS64" discussion I started after proposing updates to 7050, but this is the second draft (last one, I promise) I'll be proposing to this group as interesting work ahead of IETF 120. Joining me are co-authors Jessica from Microsoft and Jeff and Matt from Amazon.

In light of enterprises increasingly using encrypted DNS for their own "Protective DNS" resolvers, we are proposing best practices for when and how to use client authentication with encrypted DNS. Since this is a Good Thing for enterprises who control both peers (stronger security for client policy application and security auditing post-attack) and a Bad Thing otherwise (privacy violations for the non-enterprise cases common to consumers), we feel there is a need to specify when implementors should or should not use it.

Spoiler alert: we prefer mTLS as the ideal authentication mechanism. I'll let the draft speak for itself as to why. Feedback and discussion are welcome.

Thanks,
Tommy

________________________________
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Thursday, June 27, 2024 11:32 AM
To: Jeffrey Damick <jdamick@amazon.com>; Jessica Krynitsky <Jess.Krynitsky@microsoft.com>; Matt Engskow <mengskow@amazon.com>; Tommy Jensen <Jensen.Thomas@microsoft.com>
Subject: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

A new version of Internet-Draft draft-tjjk-cared-00.txt has been successfully
submitted by Tommy Jensen and posted to the
IETF repository.

Name:     draft-tjjk-cared
Revision: 00
Title:    Client Authentication Recommendations for Encrypted DNS
Date:     2024-06-27
Group:    Individual Submission
Pages:    11
URL:      https://www.ietf.org/archive/id/draft-tjjk-cared-00.txt
Status:   https://datatracker.ietf.org/doc/draft-tjjk-cared/
HTML:     https://www.ietf.org/archive/id/draft-tjjk-cared-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-tjjk-cared


Abstract:

   For privacy reasons, encrypted DNS clients need to be anonymous to
   their encrypted DNS servers to prevent third parties from correlating
   client DNS queries with other data for surveillance or data mining
   purposes.  However, there are cases where the client and server have
   a pre-existing relationship and each peer wants to prove its identity
   to the other.  For example, an encrypted DNS server may only wish to
   accept resolutions from encrypted DNS clients that are managed by the
   same enterprise.  This requires mutual authentication.

   This document defines when using client authentication with encrypted
   DNS is appropriate, the benefits and limitations of doing so, and the
   recommended authentication mechanism(s) when communicating with TLS-
   based encrypted DNS protocols.



The IETF Secretariat

