IETF Logo Mail Archive

Re: [Add] [Ext] Updated charter proposal for ADD

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 15 January 2020 21:26 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EA3C12098E for <add@ietfa.amsl.com>; Wed, 15 Jan 2020 13:26:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P2m_MwXeGwqx for <add@ietfa.amsl.com>; Wed, 15 Jan 2020 13:26:21 -0800 (PST)
Received: from mail-vk1-xa29.google.com (mail-vk1-xa29.google.com [IPv6:2607:f8b0:4864:20::a29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4264120A4C for <add@ietf.org>; Wed, 15 Jan 2020 13:26:20 -0800 (PST)
Received: by mail-vk1-xa29.google.com with SMTP id w67so5160132vkf.1 for <add@ietf.org>; Wed, 15 Jan 2020 13:26:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5SDw3ixueETGQzWBWJFG3runxkZ6oyTQBVPOQ1Uaon8=; b=b6cC+MaWXvqhbXmZi2ykux15xtB5PZEzNNva/CiJII55aQe5OcjNOvy0VcdmdlMBQt r2JHunAT3u6io4tfibCU2LSpbc3pnwHSxm13mfcsuZCrDxo6/jqWW0GvibiPjnZu1g+Y TMfMnIOHDgRoWfdhgn9wMOp8EQQaFp+5W5v+fUwTXE1UR9OfB/r9pufSg94lHaZVTPJ+ AV8tCq97DVVhgEz4KTvFlVvZ0DTglujEMejr+yrSgt34whD5SCphV9PUnxdeLsSqJmov I6R6ujCTgayfsGL+U0cem3cVM47sygKRAKMpBa/0a5eii0DTDNOjGRtmw3vh1JXql7Kg Kowg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5SDw3ixueETGQzWBWJFG3runxkZ6oyTQBVPOQ1Uaon8=; b=OsHx6aUyfhKLahxonJWsEYBuqY52vxwnH3TL3ex6Ad+cbrTudDVG2ts4P08kynruI8 UdFTyuzQJa+p71Nt6BIkoIoum3hgxqwivhCPW3gFGoaMPQiGbUvPFe4sj5baEVJHcdF5 YJoBIam15U7lywc5cOjxagunafjOV7UXrTbCw46o7xcv9Mg1BgDgf/d1pBMcd0UtBTcs J7ufAQ10Ot9tl9Tu7FiKMeuRxLIVV6zw/eeagxBa/pY8ttBjjEYp8CorQl1L3NCMjNYF +jEjshcTl/q2nTOBvgc5b+vVpy+PGhEuiDA7QTD9RQzxa2jYSyLa51dhZylcSwZ4ryp+ Ygng==
X-Gm-Message-State: APjAAAWGMEMemb7knuMUNQzODoWSHw/6LvsSn/QWxJlttnmedg1Vh4KL 9KiVjcf7CJ3fle8E+J/HcQzhsT98xhX3ljn4PdQ=
X-Google-Smtp-Source: APXvYqwPsqTcqJS47eac5g3/615emoR3QhyRePsEAaltaHx1C0IAoLdW/HEXb+4vWOZaCv+QEBSeMf/vx2Nwj4XjlWw=
X-Received: by 2002:ac5:cdcd:: with SMTP id u13mr19180640vkn.0.1579123579845; Wed, 15 Jan 2020 13:26:19 -0800 (PST)
MIME-Version: 1.0
References: <236B0A34-8C7F-49D2-8075-5AF5AC35BDFB@apple.com> <AD6E599F-96E8-44FC-8A05-8BFD2F659129@icann.org> <66C24EE6-5C7B-4788-AE26-06B900915010@fugue.com> <CAChr6SzcuomCFisPhLHYfQGzbR2=yYhtsGHV8+kd5gCdJn+ABA@mail.gmail.com> <LO2P265MB05730A944404EFD86DF99E8CC2370@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <CAChr6SzygCAMGUXmOL9Hb_w5CgjeFK30KodystPYPt4jD6Fkeg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E611537457D1@GAALPA1MSGUSRBF.ITServices.sbc.com>
In-Reply-To: <2D09D61DDFA73D4C884805CC7865E611537457D1@GAALPA1MSGUSRBF.ITServices.sbc.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 15 Jan 2020 13:26:08 -0800
Message-ID: <CAH1iCiqr9NmudeRLf9QMPaPTUBcQmi=sYGhN397oGM1b+YMPNw@mail.gmail.com>
To: "STARK, BARBARA H" <bs7652@att.com>
Cc: Rob Sayre <sayrer@gmail.com>, Andrew Campling <andrew.campling@419.consulting>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000087ff6059c345c84"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Ccn9hqLu1f4nfZlQIPseMVgSBms>
Subject: Re: [Add] [Ext] Updated charter proposal for ADD
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 21:26:26 -0000

On Wed, Jan 15, 2020 at 1:01 PM STARK, BARBARA H <bs7652@att.com> wrote:

>
>
> On Wed, Jan 15, 2020 at 11:47 AM Andrew Campling <
> andrew.campling@419.consulting> wrote:
>
> On Wed, Jan 15, 2020 at 19:24 Rob Sayre <sayrer@gmail.com> wrote:
>
> > Right now, my DNS server is 192.168.86.1, and encrypted DNS seems
> designed to bypass it.
>
>
>
> Well, a lot of networking products (both consumer and corporate) have an
> unencrypted DNS server on a private IP.
>
>
>
> I was wondering how the certificates would be constructed if they wished
> to offer DoH or DoT. I know public services are able to get certificates
> with SAN[1] extensions containing public IPs (e.g. the Cloudflare cert for
> 1.1.1.1). That doesn't seem to make sense for private IPs, so I'm wondering
> how private networks will offer encrypted DNS, and whether the debate
> around the security considerations is important.
>
>
>
> thanks,
>
> Rob
>
>
>
> [1] https://tools.ietf.org/html/rfc5280#section-4.2.1.6
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc5280-23section-2D4.2.1.6&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=8_yvv1il3zewjGy7Q4S4OtQitnmASPvjF6La_TDH_6U&s=DIByZeZTbnVQz-bhge3oVFvDzYJTHKdgueM0_z-8W7s&e=>
>
>
>
> <bhs> Discussions I’ve had with people so far have been along the lines of
> (1) we’re not aware of any user-friendly/easy way to get a certificate into
> consumer routers that will be ok’ed by a CA in browsers’ trust stores, (2)
> the user experience of doing https to a consumer router from a browser is
> pretty horrible and scary, (3) some of these routers (e.g., Netgear) don’t
> even allow users to change what the router sends in DHCP/RA (it’s always
> the router’s private IP address; but the user can change what recursive
> resolver the router then uses), and (4) many people are unconvinced that
> the threat of compromise inside the home network is worth the effort and
> negative user experience.</bhs>
>
>
The other relevant question for those consumer boxes is whether they are
full resolvers, or if they are merely forwarders to an upstream resolver
that they learn from e.g. DHCP or RA. (Some even advertise their own IP,
but only do NAT without any real DNS functionality, and literally forwarder
the packet, rather than the query, from what I understand.)

If the upstream resolver can be identified and is reachable directly, that
potentially makes the middle box a moot point, as the client would have the
ability to do whatever the WG adopts, to the real upstream resolver.

Making that sufficiently user-friendly on the client side, and scalable and
operable on the resolver side, are pertinent questions. I expect the user
experience would be better, and the security model much better, when
bypassing the middle box.

The threat potential would still exist outside of the home network if a
forwarder was used without using an upgraded transport, between the middle
box and the upstream resolver. This threat would be addressed indirectly
if/when the middle box were bypassed entirely.

This model presumes the upstream resolver is the resolver discovered, and
would not change the actual (functional) resolver being used.

Brian

v2.23.0 | Report a Bug | By Email