Re: [dns-privacy] [DNSOP] [Doh] New: draft-bertola-bcp-doh-clients
In the below commentary, there are some use cases which are not being included On 2019-03-12 12:56 p.m., Christian Huitema wrote: On 3/12/2019 11:35 AM, Paul Vixie wrote: if someone is concerned that some of the web sites reachable through some CDN are dangerous... Paul, who is this someone? How do they decide? What does dangerous mean? These questions are very much behind the tension we see today. And the answers are not as black and white as "this is my network, I get to decide". There are enterprise networks. There are home networks. There are some socially organized networks. All seeking protection for their users, or for themselves, or both. And sometimes/many-times, there has to be 'some-one' who can define some level of protection for the collection of users. DoH is almost like a trojan. Secret queries can be made to the outside world. For the 'protector' of the infrastructure, the job then becomes more difficult to perform. Are there security personnel included in these conversations? For example, users routinely delegate the filtering decision to some kind of security software running on their device, often with support from some cloud based service. They are making an explicit decision, and often use menu options to decide what type of site is OK or not -- adults would probably not subscribe to parental control services. There is a market for these products, they compete based on reputation, ease of use, etc. This could be a legitimate scenario. But what if users are inside the domain of enterprise/home/organization/social, they would need to delegate their security to those who are maintaining that 'network'. But when the users can build their own DoH 'tunnels' and hide that traffic amongst other https traffic, security can be harder to enforce/manage/supervise/maintain/forensically-identify. You are saying that whoever happens to control part of the network path is entitled to override the user choices and impose their own. Really? I would say, yes. As Stephane wrote, that may be legit in some circumstances, but much more questionable in others, such as a hotel Wi-Fi attempting to decide what sites I could or could not access. It really is a tussle. Yes, a tussle. There are many use cases. The 'power of the individual' vs the 'will of the people'? [does not totally properly convey the concept, but close enough] ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] Authoritative DoT or DoH
Thanks Karl. From my high tech gadget > On Mar 15, 2019, at 08:00, Henderson, Karl > wrote: > > Hi Brian, > > I have had a look at the Wiki. There are some missing operational > requirements I’d like to see addressed. I’m working with some of my > colleagues and once we have a more complete list, I’ll let you know. > > Thanks, > Karl Henderson > Sr. Engineer > Verisign CTO > > ___ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] Authoritative DoT or DoH
Hi Brian, I have had a look at the Wiki. There are some missing operational requirements I’d like to see addressed. I’m working with some of my colleagues and once we have a more complete list, I’ll let you know. Thanks, Karl Henderson Sr. Engineer Verisign CTO ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] Authoritative DoT or DoH
Hi Karl, On 3/14/19 3:18 PM, Henderson, Karl wrote: > In the last couple of days there has been a lot of activity concerning DNS > over HTTPS (DoH) - Hoffman and Alibaba presentations at ICANN and IETF > drafts: > draft-reid-doh-operator/draft-livingood-doh-implementation-risks-issues/draft-betola-bcp-doh-clients. > > These discussions have focused on DoH for client (typically web browser) > communication with recursive resolvers, and its comparisons with DoT for this > purpose. > > Is there any compelling reason at this point to be considering DoH for > recursive resolver-to-authoritative name server communications? > > As I noted at the DPRIVE interim meeting, the working group needs empirical > studies looking at performance and attack vectors for authoritative DNS > encryption. > > Unless there are compelling reasons to consider Authoritative DoH, I propose > the working group focus its authoritative DNS encryption assessments around > Authoritative DoT. > > In support, I am willing to co-author an Authoritative DoT operational > consideration draft in order to outline the operational challenges the > community needs to address - similar to the draft-reid-doh-operator draft > between client and recursive. Thanks for volunteering for such a task. Before we go that route, can you confirm that the information that has been collected to date on recursive to authoritative captures all the issues from your perspective? https://github.com/DPRIVE/dprive-v2-ms-and-reqs/blob/master/dprive-v2-ms-and-reqs.md Regards, Brian signature.asc Description: OpenPGP digital signature ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-spki-in-ns-name-00.txt
> > >> 6. IANA Considerations > > " TODO: This document requires IANA actions (new RR type)." > > What new RR type is needed? Looks to me like all standard RR's. > > Thanks Bob! My mistake, this is a left over from copy/pasta. I removed it from master. Manu -- > Bob Harold > > ___ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy