Re: [Add] Why so complex? (was Re: some background on split DNS with DNSSEC)
Bill Woodcock <woody@pch.net> Wed, 10 November 2021 22:01 UTC
Return-Path: <woody@pch.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6A543A141E for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 14:01:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GOwYXPAun6q4 for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 14:01:05 -0800 (PST)
Received: from mail.pch.net (keriomail.pch.net [206.220.231.84]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EC173A1419 for <add@ietf.org>; Wed, 10 Nov 2021 14:01:05 -0800 (PST)
X-Footer: cGNoLm5ldA==
Received: from smtpclient.apple ([2620:171:202:6be4:391d:22b9:94ac:3eb2]) by mail.pch.net (Kerio Connect 9.2.7 patch 3) with ESMTPS (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)); Wed, 10 Nov 2021 14:01:03 -0800
From: Bill Woodcock <woody@pch.net>
Message-Id: <41FEC440-3DD2-4EEB-BB33-1F8BCB055C10@pch.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_7674ADE2-B9A1-41DD-8A1F-DE7C0C4DD5B1"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Wed, 10 Nov 2021 23:01:00 +0100
In-Reply-To: <2EA9934C-59A5-4FD1-8C68-ECD1DB19E73E@nohats.ca>
Cc: add@ietf.org
To: Paul Wouters <paul@nohats.ca>
References: <125f8deb-e662-4325-a7ce-6f7c2c2f9992@www.fastmail.com> <2EA9934C-59A5-4FD1-8C68-ECD1DB19E73E@nohats.ca>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Dwes2QtE_tpUnNKNKKl3oWpMn5Y>
Subject: Re: [Add] Why so complex? (was Re: some background on split DNS with DNSSEC)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 22:01:11 -0000
> On Nov 9, 2021, at 5:30 PM, Paul Wouters <paul@nohats.ca> wrote: > The problem of a network provided solution that is not an enterprise / provisioned deployment is that the user and the network have a trust issue to solve. > Yes it can really only cover the enterprise case or it ends up as network coercing the user with no way for the user to opt out and the term user is even confusing as we have system resolvers and application resolvers. I think we have three common cases, into which most others can be generalized: One in which a user is assigned a device by their employer and the employer enforces a security policy; and One in which a user is responsible for their security policy or preferences. One in which a user, hypothetically named Vaul Pixie, wishes to enforce a security policy upon the devices using their network. So, in the first case, domain name resolution order could be: MDM-assigned Manually-configured Application-specific DHCP Local/hosts/best-guess/whatever In the second case, resolution order could be: Manually-configured Application-specific DHCP Local/hosts/best-guess/whatever In the third case, resolution order could be: DHCP MDM-assigned Manually-configured Application-specific Local/hosts/best-guess/whatever The first two cases look alike, in the sense that if there is no MDM configuration, they act the same. The question is when network-assigned policy should take precedence over employer or user-defined policy. At some level, there’s the “it’s my house, you’ll follow my rules, or get out” thing… If someone wants to use a network, it’s probably reasonable for the network to be able to define terms of acceptable use, and for the user (or their employer) to be able to make an informed choice about whether those terms are compatible with their policies and preferences, or whether to forego using that network. But I think the key here is the informed choice bit. I think the first two cases are close enough to be compatible, in an unobtrusive UI sense… If there’s MDM-assigned configuration, good UI would inform the user, if they tried to manually configure, and tell them that their manual configuration would not take effect because it’s overridden by the MDM configuration. Likewise, I think it’s reasonable for applications to tell users that the configuration the application is trying to do won’t take effect because of a manually-configured or MDM-assigned resolver overriding it. If the user wishes to, they can change the former. But there’s no obvious mechanism for the network to present terms of use to a user, to inform them that they have to change their manual configuration, or allow it to be overridden, if they want to use the network, or to inform them that the network isn’t going to be available to them because of an incompatibility in policy with their MDM-assigned policy. Do others view this problem differently? -Bill
- [Add] some background on split DNS with DNSSEC Wes Hardaker
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Tommy Pauly
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Ted Lemon
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- [Add] Why so complex? (was Re: some background on… Martin Thomson
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Jim Reid
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] Why so complex? (was Re: some backgroun… Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Deen, Glenn
- Re: [Add] some background on split DNS with DNSSEC Deen, Glenn
- Re: [Add] some background on split DNS with DNSSEC Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC Dan Wing
- Re: [Add] some background on split DNS with DNSSEC Dan Wing
- Re: [Add] some background on split DNS with DNSSEC Wes Hardaker
- Re: [Add] Why so complex? (was Re: some backgroun… Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] Why so complex? (was Re: some backgroun… Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] Why so complex? (was Re: some backgroun… Martin Thomson
- Re: [Add] some background on split DNS with DNSSEC Ted Hardie
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy