Re: [Add] Why so complex? (was Re: some background on split DNS with DNSSEC)

Ben Schwartz <bemasc@google.com> Wed, 10 November 2021 19:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/add/3smMC648Q4jXOKgb4A0-VDVC7F0>
List-Id: Applications Doing DNS <add.ietf.org>

On Tue, Nov 9, 2021 at 10:26 AM Martin Thomson <mt@lowentropy.net> wrote:
...

> The whole thing with checking a public resolver is all in aid of something
> about ensuring that the network resolver is authoritative in some way for
> the names that the PvD claims should point to it.  But this all assumes
> greater and greater trust in the PvD and - by extension - the network.


I don't understand.  The whole point of this is that it _reduces_ trust in
the PvD, by declaring that the client ignores the PvD's instructions unless
it can prove that this is what the owner of the affected domain actually
wants.

> If this were a company-mandated policy, why could that policy take the form
> of a resolver identity and a list of names for which that resolver is used
> over all others?


In a company-mandated setting, this is all moot.  The company owns the
device and can configure it precisely how they want, which is probably to
use their own resolver for everything.  I haven't seen demand for complex
client behavior expressions in that context.

I have a lot of issues with the flavortext in this draft, but the core idea
seems potentially valuable.  I would call it "secure resolution hints", a
secure way to prefill DNS resolver caches with nearby authoritative servers
for selected domains.
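
An added sketch of the client behaviour discussed in this message (not part of the original post and not code from the draft): a resolver claim from the network is installed only when the domain's NS set, obtained over a channel the network does not control, lists the claimed resolver. The NS-membership check, the function names and all sample names are assumptions made for illustration.

```python
# Added illustration; every name and record below is constructed.

def normalize(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.rstrip(".").lower()

def accept_hints(pvd_claims, trusted_ns_lookup):
    """Split network claims into (accepted, rejected).

    pvd_claims: {domain: resolver hostname} announced by the network.
    trusted_ns_lookup: callable returning the domain's NS names, fetched
    over a path the network cannot forge (assumed: a public resolver or
    DNSSEC validation). No trusted data means the claim is ignored.
    """
    accepted, rejected = {}, {}
    for domain, resolver in pvd_claims.items():
        domain, resolver = normalize(domain), normalize(resolver)
        owner_ns = {normalize(ns) for ns in trusted_ns_lookup(domain)}
        if resolver in owner_ns:
            accepted[domain] = resolver   # the domain owner vouches for it
        else:
            rejected[domain] = resolver   # fail closed: hint not installed
    return accepted, rejected

def pick_resolver(qname, accepted, default_resolver):
    """Use the hint with the longest matching suffix, else the default.

    Matching is per label, so "notcorp.example" never matches a hint
    for "corp.example".
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in accepted:
            return accepted[suffix]
    return default_resolver

# Constructed data: what the domain owners publish, seen via the trusted path.
TRUSTED_NS = {
    "corp.example": ["ns1.corp.example.", "ns-local.corp.example."],
    "bank.example": ["ns1.bank.example."],
}
# Constructed data: what the local network claims.
PVD_CLAIMS = {
    "corp.example.": "ns-local.corp.example",   # confirmed by the owner
    "bank.example": "ns-local.corp.example",    # not confirmed, ignored
}

def trusted_lookup(domain):
    return TRUSTED_NS.get(domain, [])
```
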