[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
Tommy Jensen <Jensen.Thomas@microsoft.com> Thu, 27 June 2024 18:41 UTC
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: dnsop <dnsop@ietf.org>
Date: Thu, 27 Jun 2024 18:41:25 +0000
Message-ID: <SA1PR00MB1344B00639280305247F898FFAD72@SA1PR00MB1344.namprd00.prod.outlook.com>
References: <171951314842.227.16506719010762251285@dt-datatracker-ff7f57fbb-ch6dm>
In-Reply-To: <171951314842.227.16506719010762251285@dt-datatracker-ff7f57fbb-ch6dm>
CC: "Damick, Jeffrey" <jdamick@amazon.com>, Jessica Krynitsky <Jess.Krynitsky@microsoft.com>, "Engskow, Matt" <mengskow@amazon.com>
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/r7aW5JLVcTe15_uKxsVzPUtAwVI>
Hello dnsop,

Not to distract from the "should we deprecate DNS64" discussion I started after proposing updates to 7050, but this is the second draft (last one, I promise) I'll be proposing to this group as interesting work ahead of IETF 120. Joining me are co-authors Jessica from Microsoft and Jeff and Matt from Amazon.

In light of enterprises increasingly using encrypted DNS for their own "Protective DNS" resolvers, we are proposing best practices for when and how to use client authentication with encrypted DNS. Since this is a Good Thing for enterprises who control both peers (stronger security for client policy application and security auditing post-attack) and a Bad Thing otherwise (privacy violations for the non-enterprise cases common to consumers), we feel there is a need to specify when implementors should or should not use it.

Spoiler alert: we prefer mTLS as the ideal authentication mechanism. I'll let the draft speak for itself as to why.

Feedback and discussion are welcome.

Thanks,
Tommy

________________________________
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Thursday, June 27, 2024 11:32 AM
To: Jeffrey Damick <jdamick@amazon.com>; Jessica Krynitsky <Jess.Krynitsky@microsoft.com>; Matt Engskow <mengskow@amazon.com>; Tommy Jensen <Jensen.Thomas@microsoft.com>
Subject: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

A new version of Internet-Draft draft-tjjk-cared-00.txt has been successfully submitted by Tommy Jensen and posted to the IETF repository.

Name:     draft-tjjk-cared
Revision: 00
Title:    Client Authentication Recommendations for Encrypted DNS
Date:     2024-06-27
Group:    Individual Submission
Pages:    11
URL:      https://www.ietf.org/archive/id/draft-tjjk-cared-00.txt
Status:   https://datatracker.ietf.org/doc/draft-tjjk-cared/
HTML:     https://www.ietf.org/archive/id/draft-tjjk-cared-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-tjjk-cared

Abstract:

For privacy reasons, encrypted DNS clients need to be anonymous to their encrypted DNS servers to prevent third parties from correlating client DNS queries with other data for surveillance or data mining purposes. However, there are cases where the client and server have a pre-existing relationship and each peer wants to prove its identity to the other. For example, an encrypted DNS server may only wish to accept resolutions from encrypted DNS clients that are managed by the same enterprise. This requires mutual authentication. This document defines when using client authentication with encrypted DNS is appropriate, the benefits and limitations of doing so, and the recommended authentication mechanism(s) when communicating with TLS-based encrypted DNS protocols.

The IETF Secretariat
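The split the post and the abstract describe, a resolver that requires mTLS only when it and its clients are under the same enterprise's control, and never asks a public client for a certificate, can be expressed directly in the server's TLS configuration. The following is an added example written for this archive page; it is not code from the draft, from the authors, or from any resolver project. It uses Python's standard `ssl` module to build the two server-side contexts (the same context serves a DoT listener or the TLS layer under a DoH listener) and shows how a resolver turns an already-verified client certificate into a device identity for per-device policy and audit logging. The CA file path, the CA common name, and the sample `getpeercert()` dictionaries are assumptions constructed for the example.

```python
"""Server-side TLS policy for an encrypted DNS (DoT/DoH) resolver.

Added example, not from draft-tjjk-cared or the post above. It contrasts an
enterprise "Protective DNS" resolver that requires mTLS from the devices it
manages with a public resolver that must never request a client certificate,
so that public clients stay anonymous. Paths and names below are assumptions.
"""
import ssl

# Assumed deployment values (placeholders, not from the draft).
ENTERPRISE_CLIENT_CA = "/etc/dot/enterprise-client-ca.pem"
ENTERPRISE_CA_CN = "Example Corp Device CA"


def server_context(mode, client_ca_file=ENTERPRISE_CLIENT_CA):
    """Build the resolver's TLS context for one of the two deployment modes.

    "enterprise": require a client certificate chaining to the enterprise
    device CA (mTLS); the handshake fails closed if none is presented.
    "public": never send a CertificateRequest, so clients remain anonymous.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if mode == "enterprise":
        ctx.verify_mode = ssl.CERT_REQUIRED
        # Trust only the enterprise device CA for client certificates, not the
        # system store: a certificate from any public CA must not be accepted.
        ctx.load_verify_locations(cafile=client_ca_file)
    elif mode == "public":
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ctx


def _dn_field(dn, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() DN tuple."""
    for rdn in dn:
        for k, v in rdn:
            if k == key:
                return v
    return None


def authorize_client(peercert, ca_cn=ENTERPRISE_CA_CN):
    """Map a handshake-verified client certificate to a device identity.

    `peercert` is the dict returned by SSLSocket.getpeercert(). Chain
    validation already happened in the handshake; this step pins the issuer
    to the enterprise device CA and extracts the name the resolver will use
    for client policy and post-incident auditing. Returns None when the
    connection should not be treated as an authenticated enterprise client.
    """
    if not peercert:
        return None  # no certificate presented: anonymous client
    if _dn_field(peercert.get("issuer", ()), "commonName") != ca_cn:
        return None  # issued by some other CA, not the enterprise device CA
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            return value  # device name, e.g. laptop42.corp.example
    return _dn_field(peercert.get("subject", ()), "commonName")


# Constructed sample of what getpeercert() returns for a managed device.
SAMPLE_DEVICE_CERT = {
    "subject": ((("commonName", "laptop42"),),),
    "issuer": ((("commonName", ENTERPRISE_CA_CN),),),
    "subjectAltName": (("DNS", "laptop42.corp.example"),),
    "notAfter": "Jun 27 18:41:25 2025 GMT",
}

# Constructed sample issued by a different, publicly trusted CA.
SAMPLE_FOREIGN_CERT = {
    "subject": ((("commonName", "someone"),),),
    "issuer": ((("commonName", "Some Public CA"),),),
    "subjectAltName": (("DNS", "someone.example"),),
}

if __name__ == "__main__":
    print(authorize_client(SAMPLE_DEVICE_CERT))   # laptop42.corp.example
    print(authorize_client(SAMPLE_FOREIGN_CERT))  # None
    print(server_context("public").verify_mode)   # VerifyMode.CERT_NONE
```

The design point is that the privacy property of the public mode comes from never requesting a certificate at all, not from ignoring one that is presented, and that the enterprise mode trusts a dedicated device CA rather than the system trust store, so a certificate from any public CA cannot satisfy the client-authentication check.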