IETF Logo Mail Archive

Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Paul Vixie <paul@redbarn.org> Wed, 01 July 2020 05:34 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 870983A0064 for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 22:34:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ySKUe-cb5n3H for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 22:34:21 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C673D3A0063 for <add@ietf.org>; Tue, 30 Jun 2020 22:34:21 -0700 (PDT)
Received: from linux-9daj.localnet (dhcp-166.access.rits.tisf.net [24.104.150.166]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (1024 bits) server-digest SHA256) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 367C0B0588; Wed, 1 Jul 2020 05:34:19 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: Ted Lemon <mellon@fugue.com>
Cc: add@ietf.org
Date: Wed, 01 Jul 2020 05:34:17 +0000
Message-ID: <2560148.jvFFTcX3xC@linux-9daj>
Organization: none
In-Reply-To: <6EC5A247-F873-4B0C-9773-E708D3B6AC77@fugue.com>
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <3421779.8U4dVgcHlH@linux-9daj> <6EC5A247-F873-4B0C-9773-E708D3B6AC77@fugue.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2LXQyxMzpXnYY9DVVc3FIMdwbek>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 05:34:24 -0000

On Tuesday, 30 June 2020 13:17:32 UTC Ted Lemon wrote:
> On Jun 30, 2020, at 5:19 AM, Paul Vixie <paul@redbarn.org> wrote:
> > moving on, what i'd love to have is SDNCP rather than DHCP. S=secure,
> > N=network. because i want to know i'm getting what the operator of the
> > network wants me to get, and because there are other parameters besides
> > RDNS that i care about, such as whether there's a mandatory HTTPS or
> > HTTP/3 proxy i will have to talk to. because, IoT. if DHCP isn't useful
> > because it's not secure, we should stop using it. but before we could do
> > that, we'd have to meet its functionality in another way.
> 
> We tried that. Unfortunately, what we found is that it just moves the
> problem. Suppose you send out an SDNCP discovery request and get back one
> or more signed responses. Which one do you choose?

as i wrote, i'd expect it to be like bluetooth pairing, which has the same 
problem, and which solves it with a six-digit PIN code for verification. maybe 
we can use something more modern, like thumbprint scans.

> ...
> 
> So the question is, what problem are you solving with SDNCP that isn’t
> already solved with DNSSEC, TLS and PKI?

as i wrote, there are other network configuration parameters which are also 
valuable targets, such as outbound proxy settings.

as i've written elsewhere, not all DNSSEC-validating servers are equal. as the 
owner and operator of private networks, i require all my users, apps, and 
nodes to use a DNSSEC-validating server that also has a policy layer, and 
transaction logging. so, using DNSSEC as a measure of correctness does not and 
will never cover the requirements of the Secure Access Service Edge. this is 
more important than ever now that so many workers are working from home. see:

https://techspective.net/2020/06/23/the-four-horsemen-of-sase-secure-access-service-edge/

> The only answer we came up with is that it might be nice to be able to know
> that we are speaking to the same operator we were last time. But we didn’t
> actually identify a compelling use case for that, and consequently the work
> was abandoned.

i think i should have paid more attention at that time, and i apologize. DHCP 
was always the wrong thing to build, like BOOTP before it, and IPv6 address 
assignment after it. secure hosting networks have to use /30 and later /31 
netmasks (one customer per vlan) in order to trust any of this.

-- 
Paul

v2.23.0 | Report a Bug | By Email