Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Konda, Tirumaleswar Reddy
> -Original Message- > From: Stephen Farrell > Sent: Tuesday, March 12, 2019 5:30 AM > To: Paul Vixie ; d...@ietf.org > Cc: nalini elkins ; Konda, Tirumaleswar Reddy > ; dn...@ietf.org; Ackermann, > Michael ; Christian Huitema > ; dns-privacy@ietf.org; Vittorio Bertola > > Subject: Re:

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Stephen Farrell
On 12/03/2019 01:54, nalini elkins wrote: > Stephen, > >> TLS1.3 will, I expect, noticeably improve security for an awful lot of >> enterprises in time. > > I am sure you are right. Great. > There is also likely to be quite a bit of pain > ahead for many. I don't agree at all about that,

Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-spki-in-ns-name-00.txt

2019-03-11 Thread manu tman
Thanks Andreas, > what's the reason for "In opportunistic mode, the resolver MUST use the authoritative name server despite the failure." ? > A server operator can't distinguish between a resolver in strict mode and a resolver in opportunistic mode TOGETHER with a failure (on server side?) > An

Re: [dns-privacy] [Doh] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Paul Vixie
That's what they told me. On Mar 11, 2019, 14:20, at 14:20, Daniel Stenberg wrote: >On Mon, 11 Mar 2019, Paul Vixie wrote: > >> CF has so far only supported DoH on 1.1.1.0/24 and 1.0.1.0/24 > >If that's what you believe and block, then you're not blocking >Cloudflare DoH >very effectively... =)

Re: [dns-privacy] [Doh] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Eric Rescorla
On Mon, Mar 11, 2019 at 11:13 AM Paul Vixie wrote: > > > nalini elkins wrote on 2019-03-11 10:26: > > Tiru, > > > > Thanks for your comments. > > > > > Enterprise networks are already able to block DoH services, > i wonder if everyone here knows that TLS 1.3 and encrypted headers is > going to

Re: [dns-privacy] [Doh] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Daniel Stenberg
On Mon, 11 Mar 2019, Paul Vixie wrote: CF has so far only supported DoH on 1.1.1.0/24 and 1.0.1.0/24 If that's what you believe and block, then you're not blocking Cloudflare DoH very effectively... =) -- / daniel.haxx.se

Re: [dns-privacy] [Doh] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Eliot Lear
Hi Paul, > On 11 Mar 2019, at 19:12, Paul Vixie wrote: > > > > nalini elkins wrote on 2019-03-11 10:26: >> Tiru, >> Thanks for your comments. >> > Enterprise networks are already able to block DoH services, > i wonder if everyone here knows that TLS 1.3 and encrypted headers is going > to

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Stephen Farrell
(This distribution list is too scattered and diverse. Be great if some AD or someone just picked one list for this. In the meantime...) On 11/03/2019 20:43, nalini elkins wrote: > impact assessment that certain changes such as > DoH and TLS1.3 will have on enterprises, TLS1.3 will, I expect,

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Brian Dickson
(Apologies for top-replying) I think, from squinting at this a bit, that what is missing is some kind of policy/service discovery, and coming to some kind of agreement (between DNSOP and DOH, and any/all other interested parties) on what default behavior should be (and under what

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread nalini elkins
>i wonder if everyone here knows that TLS 1.3 and encrypted headers is >going to push a SOCKS agenda onto enterprises that had not previously >needed one I have, ahem, some familiarity with the enterprises and TLS1.3 issue. (These past few years have aged me terribly!) I frankly feel that we

Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-spki-in-ns-name-00.txt

2019-03-11 Thread A. Schulze
On 11.03.19 at 17:20, manu tman wrote: > I have captured in a draft the mechanism I used during IETF 103 hackathon and > which is available as an experimental module in knot-resolver[0]. > I was taken short with time before cut-off date, but I hope this will better > explain how it works.

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Paul Vixie
nalini elkins wrote on 2019-03-11 10:26: Tiru, Thanks for your comments. > Enterprise networks are already able to block DoH services, i wonder if everyone here knows that TLS 1.3 and encrypted headers is going to push a SOCKS agenda onto enterprises that had not previously needed one,

[dns-privacy] Fwd: New Version Notification for draft-hzpa-dprive-xfr-over-tls-01.txt

2019-03-11 Thread Sara Dickinson
Hi All, A new draft has been submitted outlining using DNS-over-TLS for zone transfers. The draft is quite basic at this stage but we are planning to work on this topic at the Hackathon to try to answer the open questions and move this forward. Regards Sara. > Begin forwarded message: >

Re: [dns-privacy] [hrpc] [DNSOP] Proposal for a side-meeting on services centralization at IETF 104 Prague

2019-03-11 Thread Allison Mankin
Perfect idea, very good use of the Wednesday slot. On Mon, 11 Mar 2019 at 13:57, Vittorio Bertola wrote: > > Il 11 marzo 2019 alle 18.02 Stephane Bortzmeyer ha > scritto: > > > > It was suggested Reference necessary to have a > > side meeting in Prague at IETF 104. I propose monday,

Re: [dns-privacy] [DNSOP] Proposal for a side-meeting on services centralization at IETF 104 Prague

2019-03-11 Thread Vittorio Bertola
> Il 11 marzo 2019 alle 18.02 Stephane Bortzmeyer ha > scritto: > > It was suggested Reference necessary to have a > side meeting in Prague at IETF 104. I propose monday, 1400-1600 in > Tyrolka. The proposal is at > . You > are

Re: [dns-privacy] [hrpc] [Doh] Proposal for a side-meeting on services centralization at IETF 104 Prague

2019-03-11 Thread Allison Mankin
I'd appreciate it not conflicting with IRTFOPEN. The ANRP topics include how Facebook manipulates routing and a big study on QUIC, and I think there should be participant overlap. On Mon, 11 Mar 2019 at 13:22, Melinda Shore wrote: > On 3/11/19 9:13 AM, Stephane Bortzmeyer wrote: > > I admit

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread nalini elkins
Tiru, Thanks for your comments. > Enterprise networks are already able to block DoH services, We are also concerned about getting threat intelligence so that would impact DoH on the Internet. We are also concerned about being able to block malware, etc. inside the enterprise. Thank you for

Re: [dns-privacy] [hrpc] [Doh] Proposal for a side-meeting on services centralization at IETF 104 Prague

2019-03-11 Thread Melinda Shore
On 3/11/19 9:13 AM, Stephane Bortzmeyer wrote: > I admit I'm not sure that Secdispatch is so important here. The > subject of the side meeting is not security-specific. It also conflicts with irtfopen, which may impact the availability of pearg people, hrpc folk, etc. Melinda -- Software

Re: [dns-privacy] [Doh] Proposal for a side-meeting on services centralization at IETF 104 Prague

2019-03-11 Thread Ted Hardie
On Mon, Mar 11, 2019 at 10:13 AM Stephane Bortzmeyer wrote: > On Mon, Mar 11, 2019 at 10:06:21AM -0700, > Ted Hardie wrote > a message of 76 lines which said: > > > This conflicts with SECDISPATCH, which will have a pretty serious impact > on > > who might attend. Scheduling these things is

Re: [dns-privacy] [Doh] Proposal for a side-meeting on services centralization at IETF 104 Prague

2019-03-11 Thread Stephane Bortzmeyer
On Mon, Mar 11, 2019 at 10:06:21AM -0700, Ted Hardie wrote a message of 76 lines which said: > This conflicts with SECDISPATCH, which will have a pretty serious impact on > who might attend. Scheduling these things is very hard, obviously. Given > this topic, you may have to move outside the

[dns-privacy] Proposal for a side-meeting on services centralization at IETF 104 Prague

2019-03-11 Thread Stephane Bortzmeyer
[Resent with the correct list of working groups.] [Sorry for the long list of working groups but the discussion already started in different places.] There has been some discussion about DoH (DNS-over-HTTPS, RFC 8484) deployment and the risk of centralization of Internet services. (See for

[dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt

2019-03-11 Thread manu tman
During earlier discussion (post virtual meeting), there were a mixture of feelings as to where SPKI may be published; here is one proposal bump (through the rush of time) to publish it in the parent zone. Manu ——— A new version of I-D, draft-bretelle-dprive-dot-for-insecure-delegations-01.txt

Re: [dns-privacy] I-D Action: draft-ietf-dprive-bcp-op-02.txt

2019-03-11 Thread Sara Dickinson
Hi All, This is an update containing mostly minor changes based on feedback so far. We do have a slot in DPRIVE to discuss this and the DNS Privacy Considerations bis so it would be good to get feedback there on the next steps. - Change 'open resolver' for 'public resolver' - Minor editorial

[dns-privacy] I-D Action: draft-ietf-dprive-bcp-op-02.txt

2019-03-11 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the DNS PRIVate Exchange WG of the IETF. Title : Recommendations for DNS Privacy Service Operators Authors : Sara Dickinson

[dns-privacy] New Version Notification for draft-bretelle-dprive-dot-spki-in-ns-name-00.txt

2019-03-11 Thread manu tman
Hi all, I have captured in a draft the mechanism I used during IETF 103 hackathon and which is available as an experimental module in knot-resolver[0]. I was taken short with time before cut-off date, but I hope this will better explain how it works. Manu [0]

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Konda, Tirumaleswar Reddy
Please see inline [TR] From: dns-privacy On Behalf Of nalini elkins Sent: Monday, March 11, 2019 11:05 AM To: Paul Vixie Cc: Stephen Farrell ; d...@ietf.org; dn...@ietf.org; Christian Huitema ; dns-privacy@ietf.org; Vittorio Bertola ; Ackermann, Michael Subject: Re: [dns-privacy] [DNSOP]

Re: [dns-privacy] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Neil Cook
Hi, so I think the scenario you describe is worth considering in the draft. IMO it makes the need for such a draft even more compelling because the idea of a browser sending user’s browsing data to any number of (frequently changing) third-party resolvers brings up all kinds of issues around

Re: [dns-privacy] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Stephen Farrell
Hiya, On 11/03/2019 09:25, Neil Cook wrote: > What other resolvers would those be? Firefox only uses Cloudflare at > the moment. You can manually change that if you know about a > different DoH server. When I briefly played with FF nightly and DoH, it was using both the system resolver and CF. I

Re: [dns-privacy] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Neil Cook
> On 10 Mar 2019, at 15:44, Stephen Farrell wrote: > 1. I don't think your characterisation of DNS n/w-selection > vs. application-selection is accurate. IIUC, what's actually > done by FF is that (if the user has explicitly turned on DoH) > then FF tries all the resolvers it knows about and

Re: [dns-privacy] Is there a draft for Knot "Experimental DNS-over-TLS Auto-discovery"

2019-03-11 Thread manu tman
Right in time before the cut-off date I captured it in a draft: https://www.ietf.org/id/draft-bretelle-dprive-dot-spki-in-ns-name-00.txt Manu On Thu, Dec 27, 2018 at 9:05 AM manu tman wrote: > > > On Thu, Dec 27, 2018 at 8:28 AM Stephane Bortzmeyer > wrote: > >> < >>

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Paul Vixie
Christian Huitema wrote on 2019-03-10 23:05: On 3/10/2019 10:24 PM, Paul Vixie wrote: if you are using my network, then it makes no difference which of us bought you that laptop. you will use the RDNS i allow you to use. RDNS is part of the control plane, and i use it for both monitoring and

Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

2019-03-11 Thread Christian Huitema
On 3/10/2019 10:24 PM, Paul Vixie wrote: > if you are using my network, then it makes no difference which of us > bought you that laptop. you will use the RDNS i allow you to use. RDNS > is part of the control plane, and i use it for both monitoring and > control. sometimes that's so that i can