IETF Logo Mail Archive

Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 01 July 2020 22:09 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 433633A0E4F for <add@ietfa.amsl.com>; Wed, 1 Jul 2020 15:09:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id grJ0z26xn2IW for <add@ietfa.amsl.com>; Wed, 1 Jul 2020 15:09:05 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AFAF3A0E3D for <add@ietf.org>; Wed, 1 Jul 2020 15:09:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 16D56389CC; Wed, 1 Jul 2020 18:06:16 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 7G4rIOWHinnB; Wed, 1 Jul 2020 18:06:14 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id B0B5C389BC; Wed, 1 Jul 2020 18:06:14 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 994BC62C; Wed, 1 Jul 2020 18:09:02 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Paul Vixie <paul@redbarn.org>, ADD Mailing list <add@ietf.org>
In-Reply-To: <7554989.GgB1jQp9Bc@linux-9daj>
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <4703088.fjZbX7tNNj@linux-9daj> <CAFpG3gdiidmjxoauBw56ZybRabB6JET1Nh5dzTLQq1k0ZAn6Uw@mail.gmail.com> <7554989.GgB1jQp9Bc@linux-9daj>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 01 Jul 2020 18:09:02 -0400
Message-ID: <1518.1593641342@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Wee-dwMtyNci8uiDqxIMJTPNv_c>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 22:09:07 -0000

Paul Vixie <paul@redbarn.org> wrote:
    >> > my IoT devices hate me, because i won't let them speak directly to their
    >> > motherships, and lacking keyboards or ssh listeners, i have no way to tell
    >> > them what proxy they would have to use to be successful. if you want me to
    >> > agree that IoT is insane, i probably will. but it's our world.
    >>
    >> Secure bootstrapping methods for IoT devices are discussed both inside
    >> (e.g., BRSKI) and outside of IETF (DPP, OCF, OMA).

    > do you see that problem as specific to IoT, or disjoint from RDNS settings?
    > (i do not.)

In the IoT case, we need a good, autonomic mechanism to deploy network
configuration to devices in ways that they really understand.
(Such as your proxy-HTTP setting, which I entirely approve of).

Getting the wrong RDNS settings on an IoT device means that it probably does
not function well (or maybe at all), and it becomes very difficult to do
RFC8520.  (see my draft-richardson-opsawg-mud-iot-dns-considerations-02 )

Getting the wrong RDNS settings on a *desktop* browser is a qualitatively different
thing in my opinion.  It probably operates, but for some uses/users it may be
a problem, either because of the click-trail it leaves, or because of the
censorship that the user experiences.

I think that this is particularly acute for *desktop* browsers, as they do
not in general have the luxury of just picking a different coffee shop.
The people who use them are generally vulnerable in a variety of different
ways.

It is *important* for the browser to be able to clearly indicate what level
of privacy is being experienced.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email