Re: [Add] [EXTERNAL] Re: New draft: draft-pauly-add-resolver-discovery

Tommy Jensen <Jensen.Thomas@microsoft.com> Thu, 28 May 2020 02:51 UTC

Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4D4C3A0B38 for <add@ietfa.amsl.com>; Wed, 27 May 2020 19:51:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZCW3ktnrHWR for <add@ietfa.amsl.com>; Wed, 27 May 2020 19:51:01 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650116.outbound.protection.outlook.com [40.107.65.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4869C3A0B37 for <add@ietf.org>; Wed, 27 May 2020 19:49:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Qly7TeVQVz9vj9+DOJnTrlRDlAcnkUkGBN8BSkrOMj9igAtYy4s4YkstwuWlbaYIftcOmqsKn42334JJz71JVLqfS5jM/vRcCBuwko789LB46EwYxFhqoxh/WLrMDzLb+ar0HwUVYu7kOnMHzfC3fkukt46/AUd/F68uaHODie85420R97gfTU0hGTZ0Km51sc8viAAU/J2OIkpwTh5hDYR5x1KqcRcUU29Wl4DCSjUu+5BgYyeyOB/fIV28DV+gmqcvcOR9vbU9knIh0PlajuSEcne96HBlLE+a3hhXoEbOss0kLXalvBZmJv99DJ+BNI4AcMSpp3D26Kz+ZSfZCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gsniJZb2lL8BubZh9eAcmnWF8QxzyBdGupwTLomKwlo=; b=NCPp+Gm76IInk/SBDXZqVpW4AqO9EK8dkswvovY9KT9uLjUTOgv/0yFv5Nda3y2XKQi1ZXsTBsKjNcf73KAVUN49Xsb68deX4XI06DisVdljNznb95EjRvd6ysnWkk9gMHRWv/JNkv/bLsIeNRJYXWoHqJP/l5KWQbumEMZg2SiN4JBtmVuIRycF2+uF2cHrM7p7I5Cxjtyuyj/2u5d7sayZ2NjQ2gvz579shrAwkgKUziKVyOLnTgyRfY15h9dDbYkeHDH6XDNKSkuiP9lMAieeIFQUHY7jglerFDNCCGyfv8aH+nIjiT5BUYTtWpqk2zZRjFCyR3xBSutXs8UKZQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gsniJZb2lL8BubZh9eAcmnWF8QxzyBdGupwTLomKwlo=; b=P9kQjRB28UE0ynacztZ45QoEql4CWdczby+NwCBvnhkt8MzYiQuIyBSdBa635bFFZTQiIBls0sA64fVaH2f7A2tk7D18rbX186TpiEqzVzP7nhMWT/Ymc4/ll9JZY3Qu4Io76EdG2MNoHw9coybqlk9Qnd2MEhHcd4EZyE+qAEs=
Received: from BY5PR00MB0775.namprd00.prod.outlook.com (2603:10b6:a03:1d1::12) by BYAPR00MB0549.namprd00.prod.outlook.com (2603:10b6:a03:101::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3084.0; Thu, 28 May 2020 02:49:18 +0000
Received: from BY5PR00MB0775.namprd00.prod.outlook.com ([fe80::9c5c:f7d2:df8b:ac6f]) by BY5PR00MB0775.namprd00.prod.outlook.com ([fe80::9c5c:f7d2:df8b:ac6f%6]) with mapi id 15.20.3087.000; Thu, 28 May 2020 02:49:18 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
CC: ADD Mailing list <add@ietf.org>
Thread-Topic: [EXTERNAL] Re: [Add] New draft: draft-pauly-add-resolver-discovery
Thread-Index: AQHWM8Ks0qPIiJjOBkGKd5zMVdtG76i8mbua
Date: Thu, 28 May 2020 02:49:18 +0000
Message-ID: <CH2PR00MB077979DCC04573846A893D87FAB10@CH2PR00MB0779.namprd00.prod.outlook.com>
References: <BC307608-2AC0-4A4A-804C-C9C59DA7EE1D@apple.com>, <CAHbrMsC6HAUOE5r2PTJwGdtZWxBr3Sj-g1asWHoRK3_H+c54iQ@mail.gmail.com>
In-Reply-To: <CAHbrMsC6HAUOE5r2PTJwGdtZWxBr3Sj-g1asWHoRK3_H+c54iQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-05-28T02:49:16.003Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2601:600:a080:aff0:dde7:102f:faf5:d45d]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 17fd8c48-5274-497a-fc00-08d802b1b75d
x-ms-traffictypediagnostic: BYAPR00MB0549:
x-microsoft-antispam-prvs: <BYAPR00MB0549C977D30D55189B5466D2FA8E0@BYAPR00MB0549.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0417A3FFD2
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: QjY0zHeC7NvHBoBXLdm7OFL7zBARRYg6M+xGXjjg5wYFvTjeWm/stWOdczCC4gSzfxwZGc9VI6zKYJph7+ck5gJR2IAf1Yr0hckLXqPPw6V+dFkWcFxDrdoDjCLKuwQt21mxyAQHABdIghpNciSMq0716l4KcDL1NuzRVZckHWT0YlMe9YSXlmwM0d+XNEY+mjWGMAF1tOLbF/x2M7YRi7eSrcC02OULqG33+9NTZZeGlPsgqUmCba2iJRZxGwQFE6Wy+hAILVioKgbsbrSo7qdzPGxeNh5BqA6wBU3p1gRf4VZJFj/eY+9kQ383sKlSEx6KutUTCWuu2qUYS32/uFHYamjcBv5Ow/q68OqTeiO/z10q3oUhNeuf3HY9lgGzOS1QRd3Z7FNnYaemzzUdNw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR00MB0775.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(376002)(346002)(396003)(39860400002)(136003)(66556008)(66446008)(2906002)(53546011)(6506007)(4326008)(8990500004)(9686003)(6512007)(110136005)(76116006)(186003)(6486002)(71200400001)(5660300002)(82960400001)(83380400001)(82950400001)(52536014)(64756008)(66946007)(316002)(166002)(8676002)(966005)(10290500003)(66574014)(86362001)(33656002)(8936002)(19627405001)(478600001)(66476007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: hHSmUCmomeuqL48TZOixyR1u5gBCJcOs8o2y1bUb7baa9MfouiDUaaE5tr4ppYKKfOXOuHdNQCR8ZpyDnDhCrkCDMynU+kC5/WSXKefQCwDkxDn5H7usVbiF/M1KgYFm9CTI+Mk+LdoohqJ7A3rKPKtijRKBFQe9hZtIAz9hapoDfCTsKfPIZ6u3D7xfOPKRx5tbDwKFJP1JWFkH/UWVIQvs2l639wabkqSFzlHEq8M1fndPyuAvK0hk19i5iqW7Y1HXHiIKUin2yR7NEc8njQHKOHLsQyzwyXP+J/O2YXK0RxNtkYV77mgoXahmAPaTtRlynazgP3PkfQgm0OK6SqVplIQjEiBtiPFQNVnyEyVYU9mQS6KaqUbA8O8fxkelETbDEnh2Z8S9+ukAX7kNSgkK/omyq3xWmRHvN5Nn/QtcVkEzBBA/1gnKhj9T7EY4B1CBDd3t8YSPgOWWvYV1sYhpGd05X/1FjGvdMaT7Z08T63+Xm021sd1XqWQ9KiBLvMd9Cv+UBNU/KfbVm6v7pQnjJW6kyYuZoqNhr50Law8ikVooMN3akjt+i3U2Kr7x
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR00MB077979DCC04573846A893D87FAB10CH2PR00MB0779namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR00MB0775.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 17fd8c48-5274-497a-fc00-08d802b1b75d
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 May 2020 02:49:18.0771 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bPon6xE1Dt5S3jVQz5/WwX7xjyfILUbbW/HF5HWQYlGwfQ6pUCaJsb6rNfpe+1Tnt/e++YGexYdPjvaLQ6+I3w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR00MB0549
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/1_2bXyg_qNHy8tQE-7xNMf3G6lk>
Subject: Re: [Add] [EXTERNAL] Re: New draft: draft-pauly-add-resolver-discovery
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2020 02:51:11 -0000

Hey Ben,

Thank you for your feedback! For Section 5:

> I would structure this as an SVCB query for dns://resolver.arpa, i.e.  at _dns.resolver.arpa.

This makes sense; I'll give it more thought.

> I don't understand the motivation for using IP hints in this way.  Normal A and AAAA records would seem to suffice, and are likely easier to maintain.

The thinking here was the multiple record case. If there are two SVCB records returned to designate two DoH servers that are equivalent, then having the hints in the record itself makes the mapping more clear than sending back two As and two AAAAs along with some mapping logic. Additionally, I think the named parameter context helps keep it future proof in case future versions specify a second use of IP addresses within the record where A/AAAA would be ambiguous.

> I don't understand why you require the IP address to appear in the certificate.  This would prevent resolvers from directing users to a trusted third party,

This is very much by design. As a stub resolver, I cannot tell the difference between "classic DNS server foo recommends DoH server bar" and "classic DNS server foo recommends DoH server bad-actor" thanks to a MitM. If the IP addresses of both resolvers aren't in the DoH server cert, then there isn't a way to validate the claim made over classic DNS that the DoH server can serve the same needs the classic resolver can. With this requirement in place, an on-path attacker could still prevent upgrade to DoH by dropping packets (as with any DoH bootstrap starting only with classic DNS), but couldn't redirect stubs to a rogue DoH server.

> creates a fragile binding between the insecure and secure resolver deployments (e.g. when changing the resolver's IP address),

Fair point. This does place a new burden on resolver admins.

> and rules out this mechanism entirely for home router type configurations.

Not entirely, as not all ISPs hand out RFC1918 addresses. However, if the router is advertising RFC1918 addresses for DNS use, then yes, this mechanism won't help. Given ownership of an RFC1918 address isn't verifiable like a public address is, I think it would be preferable for the stub resolver to get the encrypted DNS configuration directly from the same source as it would get the classic DNS address today, such as through PvDs.

Thanks,
Tommy
________________________________
From: Add <add-bounces@ietf.org> on behalf of Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Sent: Tuesday, May 26, 2020 6:03 PM
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: ADD Mailing list <add@ietf.org>
Subject: [EXTERNAL] Re: [Add] New draft: draft-pauly-add-resolver-discovery

Thanks for making a simplified form of the proposal to get started.

Section 3.1:

How do you expect TTLs to work?  If the dohuri expires along with the SVCB record that delivered it, is that actually useful?

More generally, I think this section is extremely close to https://tools.ietf.org/html/draft-tapril-ns2-00<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-tapril-ns2-00&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C2900c450afe04b92178108d801d9cd51%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637261382264817197&sdata=QRHc9F%2B7FK5iN90A92718soe5CFOFbHzOAietes%2FasE%3D&reserved=0>amp;reserved=0>, which is trying to enable recursive->authoritative DoH.  We should aim for a unified, or at least coordinated solution to these closely related problems.

Section 3.2:
>   Designated Resolvers that support DoH SHOULD provide a PvD JSON
>   dictionary available at the well-known PvD URI with the path of the
>   DoH server's URI template appended.

Strictly speaking, "https://example.com<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2F&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C2900c450afe04b92178108d801d9cd51%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637261382264817197&sdata=qbHzdj8iip3hIwGCCQEKsqMrIo4c%2F4sdI0WaB67vb5g%3D&reserved=0>{/dns}/foo?bar=baz" is a valid DoH URI template, but it doesn't have a well-defined path..  I think the best option is probably to encode all DoH PvDs on one origin into a single JSON object at a fixed well-known location, with the full template as the top-level key.

With dnsZones, is the idea to enable authenticated split-horizon networks?  The PvD draft defines "dnsZones" but offers no explanation of its semantics, so I'm having trouble figuring out the intended deployment here.

Section 5:
I think this is an interesting idea, but to comply with SVCB semantics I would structure this as an SVCB query for dns://resolver.arpa, i.e.  at _dns.resolver.arpa.  This would resolve to an SVCB RRSet that can enumerate alternative endpoints with different protocols and parameters.  (This is again similar to the NS2 proposal.)

I don't understand the motivation for using IP hints in this way.  Normal A and AAAA records would seem to suffice, and are likely easier to maintain.

I don't understand why you require the IP address to appear in the certificate.  This would prevent resolvers from directing users to a trusted third party, creates a fragile binding between the insecure and secure resolver deployments (e.g. when changing the resolver's IP address), and rules out this mechanism entirely for home router type configurations.

On Wed, May 20, 2020 at 7:04 PM Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org<mailto:40apple.com@dmarc.ietf.org>> wrote:
Hello ADD,

We’ve just posted a draft of Adaptive DNS Privacy [1] that’s scoped down to talk about resolver discovery and designation mechanisms, both on local networks and over the wider Internet. This draft is targeted at the focus of the ADD group.

https://tools.ietf.org/html/draft-pauly-add-resolver-discovery-00<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-pauly-add-resolver-discovery-00&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C2900c450afe04b92178108d801d9cd51%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637261382264827151&sdata=ldPqxbKsco2nuKkxa%2BSMDu%2BiOQHtTjRMj1k5W48AK1M%3D&reserved=0>

This covers:
- What it means to designate an encrypted resolver
- How to discover resolvers using SVCB/HTTPSSVC records
- How to validate designation either by validating DNSSEC on these records, or by performing validation with an HTTPS server
- How to advertise a resolver on the local network
- How to discover a “companion” DoH server to a directly known resolver

Thanks to Tommy Jensen for his additional input on some of the local/direct resolver bootstrapping.

We’ll be publishing other documents that update the behavior for client algorithms and the use of Oblivious DoH, but we wanted to present this portion individually as the group discusses how best to discover resolvers, etc..

Best,
Tommy

[1] Previous, broader version, here: https://tools.ietf.org/html/draft-pauly-dprive-adaptive-dns-privacy-01<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-pauly-dprive-adaptive-dns-privacy-01&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C2900c450afe04b92178108d801d9cd51%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637261382264837106&sdata=xfTWfR36I0kqDaNd%2FdT2WvzZLuffO0c%2FmJARKc84wDM%3D&reserved=0>
--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fadd&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C2900c450afe04b92178108d801d9cd51%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637261382264837106&sdata=r5J5nq0J4wlyg46%2FqB8y34eP5ArjauYc%2Bo7tiJDfzDk%3D&reserved=0>