IETF Logo Mail Archive

Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Daniel Migault <mglt.ietf@gmail.com> Tue, 30 June 2020 12:49 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B71B3A07B7 for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 05:49:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SYazGZyDa7OX for <add@ietfa.amsl.com>; Tue, 30 Jun 2020 05:49:39 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DAE63A07B1 for <add@ietf.org>; Tue, 30 Jun 2020 05:49:39 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id m25so11109574vsp.8 for <add@ietf.org>; Tue, 30 Jun 2020 05:49:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/TUjJwvCU4yf0+022uaZHY4e/U0Z6L64bbkcO1w9790=; b=hTEBgnCjFMBU8efubo/cPGrTm3/XtYZfZzCLAbQFpBEQWjct2JenoXp6La5SZK8gG0 /RPiI9UcJbm9qtOI0325cxeckQmYkxvMtDVSg730OrgQeOdulpbcoIG63FpmVZXmCW/u 3O3tNoOVH7h4VLBiAWLEjjxRJNoeQrj9iZUHFK+8Os5V2FeOjvsA30pet6oWBzVTLhkD n5AYiqkDL4juFMaGRP980Hty6NdA/UnwVMxsd9PC8I+jFYYzfgA7mYcID32Sqwua2Y+W +dVSIpwg/0g0Axke2z08bAqOwmGv2cBTgK3FZFVXUgMhiqRuHInJzonwMZSezA9E9yd7 vH3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/TUjJwvCU4yf0+022uaZHY4e/U0Z6L64bbkcO1w9790=; b=ZT0xfNd+LaQ+JhFdbu93PMK/+vZnSe6xwHR8etThmtGOcfTBdqI//vGVpKwp2MAQp1 IiZobrhcjgkb3iFwO7u2qCn0wPG38ANEvojb4gk5Uge9kvMJ2Kdn6QnAWpHBg5SrLzMC eds07X1rsGJjvWIzCxoom24ul1jrq1/4nBMrN8M8kAMeKDX6rpdxZGCM1Bq3orwVXWkK KQeNmWdFIoSNxuxqL9cf9CjnQpJI6FaC8j3y8jxS5c79uRKCDqgvNrXYWAkZhCtwF4e6 i0uq+TD+4vj/rcwlN6evMKtddJegcKV48SqonRvduQO8E5lu+QH5rG4rL6aPicZG+dYr fKlw==
X-Gm-Message-State: AOAM530/kzONhBwKY+55KoCxYzMQDl0T5XJW8autHOMUj4FVO4CCXTAl wg15fUdEVK0o5p8r0ZkZK4p5JuHuax29vTfvqKO9Dg==
X-Google-Smtp-Source: ABdhPJx+Au1JwfFUPfZAMsa1yjeU0jGF5IIdp+cWpDMGtS5vAIWL/iWphTw8/eiIxIvcnVlCmeGpC/YH7F9BgFcYvcI=
X-Received: by 2002:a67:7fd5:: with SMTP id a204mr13180260vsd.97.1593521378367; Tue, 30 Jun 2020 05:49:38 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <bd78f54e-038d-9cff-b6a8-c9c6323ed5f5@redbarn.org> <668384b7-90f5-4ff1-b9e2-d0257aee731d@www.fastmail.com> <3421779.8U4dVgcHlH@linux-9daj>
In-Reply-To: <3421779.8U4dVgcHlH@linux-9daj>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 30 Jun 2020 08:49:27 -0400
Message-ID: <CADZyTkknrNQ3bNE114rpXM=AEs_pDvZ7-vjb6jhi36pqS2ht5w@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b31bd205a94c9baf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/UuV_-EVm7llseaiy6ncBvldc7rM>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2020 12:49:42 -0000

Hi,

My responses would have been inline with those of Paul.

Yours,
Daniel

On Tue, Jun 30, 2020 at 5:19 AM Paul Vixie <paul@redbarn.org> wrote:

> On Tuesday, 30 June 2020 09:07:43 UTC Martin Thomson wrote:
> > Hi Paul,
> >
> > On Tue, Jun 30, 2020, at 17:51, Paul Vixie wrote:
> > > Eric Rescorla wrote on 2020-06-29 20:08:
> > > > On Mon, Jun 29, 2020 at 8:05 PM Daniel Migault <mglt.ietf@gmail.com
> > > >
> > > > <mailto:mglt.ietf@gmail.com>> wrote:
> > > >     If the lookup takes as input the IP addresses or something
> provided
> > > >     by the ISP (like the local resolver IP address), the resulting
> chain
> > > >     is likely to be from the ISP. DNSSEC is needed to assert it.
> > > >
> > > > Why do you assume that the IP is delivered securely?
> > >
> > > because dnssec allows me to verify end-to-end authenticity of
> > > name/address bindings (and other dns content.)
> >
> > DNSSEC allows you to be sure of the veracity of what comes from DNSSEC,
> but
> > in this case the IP address didn't come from DNSSEC.  It's not DNS
> content.
>
> i have badly misunderstood.
>
> the way i know that the ip address provided by the isp was delivered
> securely
> today is because off-net DHCP forgery is hard, or because their technician
> programmed it into my edge gateway, or their customer service department
> printed it on my welcome letter.
>
> but i didn't want to interpret the question in that way because my answer
> would sound silly, even to me. i apologize for my confusion.
>
> ---
>
> moving on, what i'd love to have is SDNCP rather than DHCP. S=secure,
> N=network. because i want to know i'm getting what the operator of the
> network
> wants me to get, and because there are other parameters besides RDNS that
> i
> care about, such as whether there's a mandatory HTTPS or HTTP/3 proxy i
> will
> have to talk to. because, IoT. if DHCP isn't useful because it's not
> secure,
> we should stop using it. but before we could do that, we'd have to meet
> its
> functionality in another way.
>
> i realize that i've identified an unmarketable general case which has got
> to
> sound like i want to boil the ocean, or boil frogs, or something. but i
> figure
> if i don't say something, then after we've consensed around a secure RDNS
> discovery protocol, and somebody says what about all these other
> parameters
> that also have to be set by the network operator and have to be
> authenticated,
> we won't know how we got there.
>
> i'd like setting up an IoT device to be like bluetooth pairing, only,
> secure.
> like, enter a four-digit PIN or something. getting secure RDNS
> configuration
> should be like that. right now it's a welcome letter printed by my ISP,
> and
> that seems outdated.
>
> --
> Paul
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email