IETF Logo Mail Archive

Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Paul Vixie <paul@redbarn.org> Tue, 30 June 2020 09:19 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38B533A1129 for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 02:19:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xrAkZ5IM-FO7 for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 02:19:21 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A11FF3A112B for <add@ietf.org>; Tue, 30 Jun 2020 02:19:21 -0700 (PDT)
Received: from linux-9daj.localnet (dhcp-166.access.rits.tisf.net [24.104.150.166]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (1024 bits) server-digest SHA256) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 881C4B0588 for <add@ietf.org>; Tue, 30 Jun 2020 09:19:19 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: add@ietf.org
Date: Tue, 30 Jun 2020 09:19:18 +0000
Message-ID: <3421779.8U4dVgcHlH@linux-9daj>
Organization: none
In-Reply-To: <668384b7-90f5-4ff1-b9e2-d0257aee731d@www.fastmail.com>
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <bd78f54e-038d-9cff-b6a8-c9c6323ed5f5@redbarn.org> <668384b7-90f5-4ff1-b9e2-d0257aee731d@www.fastmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/QR36UoIfU3eJJyaDWeWE6H73Pzs>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2020 09:19:23 -0000

On Tuesday, 30 June 2020 09:07:43 UTC Martin Thomson wrote:
> Hi Paul,
> 
> On Tue, Jun 30, 2020, at 17:51, Paul Vixie wrote:
> > Eric Rescorla wrote on 2020-06-29 20:08:
> > > On Mon, Jun 29, 2020 at 8:05 PM Daniel Migault <mglt.ietf@gmail.com
> > > 
> > > <mailto:mglt.ietf@gmail.com>> wrote:
> > >     If the lookup takes as input the IP addresses or something provided
> > >     by the ISP (like the local resolver IP address), the resulting chain
> > >     is likely to be from the ISP. DNSSEC is needed to assert it.
> > > 
> > > Why do you assume that the IP is delivered securely?
> > 
> > because dnssec allows me to verify end-to-end authenticity of
> > name/address bindings (and other dns content.)
> 
> DNSSEC allows you to be sure of the veracity of what comes from DNSSEC, but
> in this case the IP address didn't come from DNSSEC.  It's not DNS content.

i have badly misunderstood.

the way i know that the ip address provided by the isp was delivered securely 
today is because off-net DHCP forgery is hard, or because their technician 
programmed it into my edge gateway, or their customer service department 
printed it on my welcome letter.

but i didn't want to interpret the question in that way because my answer 
would sound silly, even to me. i apologize for my confusion.

---

moving on, what i'd love to have is SDNCP rather than DHCP. S=secure, 
N=network. because i want to know i'm getting what the operator of the network 
wants me to get, and because there are other parameters besides RDNS that i 
care about, such as whether there's a mandatory HTTPS or HTTP/3 proxy i will 
have to talk to. because, IoT. if DHCP isn't useful because it's not secure, 
we should stop using it. but before we could do that, we'd have to meet its 
functionality in another way.

i realize that i've identified an unmarketable general case which has got to 
sound like i want to boil the ocean, or boil frogs, or something. but i figure 
if i don't say something, then after we've consensed around a secure RDNS 
discovery protocol, and somebody says what about all these other parameters 
that also have to be set by the network operator and have to be authenticated, 
we won't know how we got there.

i'd like setting up an IoT device to be like bluetooth pairing, only, secure. 
like, enter a four-digit PIN or something. getting secure RDNS configuration 
should be like that. right now it's a welcome letter printed by my ISP, and 
that seems outdated.

-- 
Paul

v2.23.0 | Report a Bug | By Email