IETF Logo Mail Archive

Re: [Add] Comparative DoH Discovery DNS RR Types

dagon <dagon@sudo.sh> Tue, 30 June 2020 06:02 UTC

Return-Path: <dagon@sudo.sh>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E56A3A0B4C for <add@ietfa.amsl.com>; Mon, 29 Jun 2020 23:02:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SfGQ7vTTFzO7 for <add@ietfa.amsl.com>; Mon, 29 Jun 2020 23:02:24 -0700 (PDT)
Received: from hexakaideca.sudo.sh (hexakaideca.sudo.sh [198.177.251.74]) by ietfa.amsl.com (Postfix) with ESMTP id 3D9AE3A0B47 for <add@ietf.org>; Mon, 29 Jun 2020 23:02:23 -0700 (PDT)
Received: by hexakaideca.sudo.sh (Postfix, from userid 1000) id 1E8E9EFE7F; Tue, 30 Jun 2020 06:02:23 +0000 (UTC)
Date: Tue, 30 Jun 2020 06:02:23 +0000
From: dagon <dagon@sudo.sh>
To: Michael Richardson <mcr@sandelman.ca>
Cc: Paul Vixie <paul@redbarn.org>, ADD Mailing list <add@ietf.org>
Message-ID: <20200630060223.GA31540@sudo.sh>
References: <7325C546-587D-4CD9-8059-0887C33F3503@cable.comcast.com> <26559974.PdTMpzyJZD@linux-9daj> <18350.1593475069@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <18350.1593475069@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/9dJf7updzBaxM9jokl8o4Et1Q2E>
Subject: Re: [Add] Comparative DoH Discovery DNS RR Types
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2020 06:02:25 -0000

On Mon, Jun 29, 2020 at 07:57:49PM -0400, Michael Richardson wrote:

> I'm with Paul. I prefer creating new RR types.
> There aren't that many dumbass middleboxes around, and those that are there,
> are usually put there intentionally, and they deserve what they get.

+1

Middleware ignoring RFC 3597 has a privacy benefit: it won't leak the
local DNS discovery details.  A marginal DNS appliance, unable to
process RESINFO and other inherently local, policy-based novel types,
won't pass such traffic to 3d parties.

E.g., ancient Cisco PIX will drop IN RESINFO?, failing the user back
to udp/53.  But such middleware could pass TXT-based discovery,
sharing the local DoH policies.  It also announces to the outside "oh
look, someone just started a browser".

Further, firewall operators must parse and ponder the global vs. local
significance of such TXT records.  Their solutions won't be
consistent, creating a new generation of quirked gear.  Could the
draft (perhaps off the ADD list) provide advice for transit, firewalls
and middleware witnessing such local discovery?  Silently drop? ICMP?
SERVFAIL?

This is in contrast to DNSSEC, often dropped by broken middleware.
DNSSEC conversations generally have global and e2e utility, since each
hop and even appliances can validate.  DoH discovery is local, and
best dropped by non-speakers.

-- 
David Dagon
dagon@sudo.sh
D970 6D9E E500 E877 B1E3  D3F8 5937 48DC 0FDC E717

v2.23.0 | Report a Bug | By Email