IETF Logo Mail Archive

Re: [Add] Why so complex? (was Re: some background on split DNS with DNSSEC)

Bill Woodcock <woody@pch.net> Wed, 10 November 2021 22:01 UTC

Return-Path: <woody@pch.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6A543A141E for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 14:01:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GOwYXPAun6q4 for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 14:01:05 -0800 (PST)
Received: from mail.pch.net (keriomail.pch.net [206.220.231.84]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EC173A1419 for <add@ietf.org>; Wed, 10 Nov 2021 14:01:05 -0800 (PST)
X-Footer: cGNoLm5ldA==
Received: from smtpclient.apple ([2620:171:202:6be4:391d:22b9:94ac:3eb2]) by mail.pch.net (Kerio Connect 9.2.7 patch 3) with ESMTPS (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)); Wed, 10 Nov 2021 14:01:03 -0800
From: Bill Woodcock <woody@pch.net>
Message-Id: <41FEC440-3DD2-4EEB-BB33-1F8BCB055C10@pch.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_7674ADE2-B9A1-41DD-8A1F-DE7C0C4DD5B1"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Wed, 10 Nov 2021 23:01:00 +0100
In-Reply-To: <2EA9934C-59A5-4FD1-8C68-ECD1DB19E73E@nohats.ca>
Cc: add@ietf.org
To: Paul Wouters <paul@nohats.ca>
References: <125f8deb-e662-4325-a7ce-6f7c2c2f9992@www.fastmail.com> <2EA9934C-59A5-4FD1-8C68-ECD1DB19E73E@nohats.ca>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Dwes2QtE_tpUnNKNKKl3oWpMn5Y>
Subject: Re: [Add] Why so complex? (was Re: some background on split DNS with DNSSEC)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 22:01:11 -0000


> On Nov 9, 2021, at 5:30 PM, Paul Wouters <paul@nohats.ca> wrote:
> The problem of a network provided solution that is not an enterprise / provisioned deployment is that the user and the network have a trust issue to solve.
> Yes it can really only cover the enterprise case or it ends up as network coercing the user with no way for the user to opt out and the term user is even confusing as we have system resolvers and application resolvers.

I think we have three common cases, into which most others can be generalized:

One in which a user is assigned a device by their employer and the employer enforces a security policy; and

One in which a user is responsible for their security policy or preferences.

One in which a user, hypothetically named Vaul Pixie, wishes to enforce a security policy upon the devices using their network.

So, in the first case, domain name resolution order could be:

    MDM-assigned
    Manually-configured
    Application-specific
    DHCP
    Local/hosts/best-guess/whatever

In the second case, resolution order could be:

    Manually-configured
    Application-specific
    DHCP
    Local/hosts/best-guess/whatever

In the third case, resolution order could be:

    DHCP
    MDM-assigned
    Manually-configured
    Application-specific
    Local/hosts/best-guess/whatever

The first two cases look alike, in the sense that if there is no MDM configuration, they act the same.  The question is when network-assigned policy should take precedence over employer or user-defined policy.  At some level, there’s the “it’s my house, you’ll follow my rules, or get out” thing… If someone wants to use a network, it’s probably reasonable for the network to be able to define terms of acceptable use, and for the user (or their employer) to be able to make an informed choice about whether those terms are compatible with their policies and preferences, or whether to forego using that network.

But I think the key here is the informed choice bit.  I think the first two cases are close enough to be compatible, in an unobtrusive UI sense… If there’s MDM-assigned configuration, good UI would inform the user, if they tried to manually configure, and tell them that their manual configuration would not take effect because it’s overridden by the MDM configuration.

Likewise, I think it’s reasonable for applications to tell users that the configuration the application is trying to do won’t take effect because of a manually-configured or MDM-assigned resolver overriding it.  If the user wishes to, they can change the former.

But there’s no obvious mechanism for the network to present terms of use to a user, to inform them that they have to change their manual configuration, or allow it to be overridden, if they want to use the network, or to inform them that the network isn’t going to be available to them because of an incompatibility in policy with their MDM-assigned policy.

Do others view this problem differently?

                                -Bill

v2.23.0 | Report a Bug | By Email