IETF Logo Mail Archive

Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Paul Vixie <paul@redbarn.org> Wed, 01 July 2020 22:29 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D71E3A096E for <add@ietfa.amsl.com>; Wed, 1 Jul 2020 15:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EsJBHh5CG4OC for <add@ietfa.amsl.com>; Wed, 1 Jul 2020 15:29:57 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB9EB3A0898 for <add@ietf.org>; Wed, 1 Jul 2020 15:29:57 -0700 (PDT)
Received: from linux-9daj.localnet (dhcp-166.access.rits.tisf.net [24.104.150.166]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (1024 bits) server-digest SHA256) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id C35C5B0588 for <add@ietf.org>; Wed, 1 Jul 2020 22:29:56 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: ADD Mailing list <add@ietf.org>
Date: Wed, 01 Jul 2020 22:29:55 +0000
Message-ID: <10843339.pZq1X2qCAG@linux-9daj>
Organization: none
In-Reply-To: <1518.1593641342@localhost>
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <7554989.GgB1jQp9Bc@linux-9daj> <1518.1593641342@localhost>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/K_RLy_7g0KlvQeHwTOk3k1mE_PQ>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 22:29:59 -0000

On Wednesday, 1 July 2020 22:09:02 UTC Michael Richardson wrote:
> Paul Vixie <paul@redbarn.org> wrote:
>     > do you see that problem as specific to IoT, or disjoint from RDNS
>     > settings? (i do not.)
> 
> In the IoT case, we need a good, autonomic mechanism to deploy network
> configuration to devices in ways that they really understand.
> (Such as your proxy-HTTP setting, which I entirely approve of).
> 
> Getting the wrong RDNS settings on an IoT device means that it probably does
> not function well (or maybe at all), and it becomes very difficult to do
> RFC8520.  (see my draft-richardson-opsawg-mud-iot-dns-considerations-02 )

speaking as someone who had to create a local responder for 8.8.8.8 in order 
to get my chromecast to believe it had internet connectivity, i think we 
should consider that in the IoT world, there will never be profit from the 
delivery and sale of these devices, only from the services they can offer, and 
the phone-home telemetry they can monetize. google's chromecast already 
ignores the RDNS settings it gets from my DHCP service. therefore, "wrong" is 
in the eye of the beholder, and the interests of IoT buyers are unaligned with 
the interests of IoT sellers. we should consider this negotiation a "hostile" 
one.

> Getting the wrong RDNS settings on a *desktop* browser is a qualitatively
> different thing in my opinion.  It probably operates, but for some
> uses/users it may be a problem, either because of the click-trail it
> leaves, or because of the censorship that the user experiences.
> 
> I think that this is particularly acute for *desktop* browsers, as they do
> not in general have the luxury of just picking a different coffee shop.
> The people who use them are generally vulnerable in a variety of different
> ways.

at the moment, i challenge your specificity here. laptops and smartphones and 
datapads all behave the way you're describing for desktops here.

in the future, i will challenge any specificity on this topic, since all nodes 
whether embedded or operated will have the same capabilities and constraints.

> It is *important* for the browser to be able to clearly indicate what level
> of privacy is being experienced.

i expect that you can get universal agreement on that point. in any case, +1.

-- 
Paul

v2.23.0 | Report a Bug | By Email