Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Daniel Migault <mglt.ietf@gmail.com> Tue, 30 June 2020 00:43 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F11A43A0ED3 for <add@ietfa.amsl.com>; Mon, 29 Jun 2020 17:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vurev1Z4Vuyl for <add@ietfa.amsl.com>; Mon, 29 Jun 2020 17:43:21 -0700 (PDT)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3F433A0ED1 for <add@ietf.org>; Mon, 29 Jun 2020 17:43:20 -0700 (PDT)
Received: by mail-ua1-x92f.google.com with SMTP id r9so5944205ual.1 for <add@ietf.org>; Mon, 29 Jun 2020 17:43:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JFqk3G5s6wXvPgWKcbwjREMjlKM2MA2+834aRUYVoQE=; b=V72jGN5fsbMJtONjAhYwVgY/wqo3wH4kv/OetbGlLmOkVCzi/XA2eZv6DFuTk9D30G vu+VXmM5CNTpEgdxc8/GJgk2Np8sCS9risZmQY9H3i0izF/S7IcIsvHlqkp3iBkQyJvW Y20XuEFqCuTqgzeQuTtV43UV9cVAZG4kDk5ntpfuGLRzf+lHgys/t6YoAfgUsiAbuEPa g1sSbr2eUcqLYcwAE4YI6Gz/rd7FEYXlryZfdheT/V9T8J2nZ+ZHDEBWNDQLUlqOcXRd wBfyy0h68urYPg0RA/NN6c9H35xapzCc7rQmUTiFmaCbxeRTV4RJymOLx7vB4Knxqs3N jqGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JFqk3G5s6wXvPgWKcbwjREMjlKM2MA2+834aRUYVoQE=; b=fK7EsOj3NEZ5Mm5+iuAvqTIqfn7rL/y5saodrLOuxeroIvPHfpt59PFS2B4k44gH+N pABu19mlbuwuwy8hotxV8N2QLo2aesfs0d6RiRzAsuirl88vIP2X0ZUHVkfWQaTk/HlP zdbTzOEOY0PPk31gxi7zMtUvZsB27+qrxCS0L/1jHv1m9L/CRucdhBYRRHXUN7PZfAbb FC9RZA3FzU3vyMGraGlszt+L/Of1UEUaTmMxvK00+i38+kQUDF00//g0hT7vqaaHkPoN h8E2GzPt/IgFqTuk7t+rn/Yv25MV2v3T3/52CFQyyArRItiwBe+k6DzR8Mv0cAJSEjik PPew==
X-Gm-Message-State: AOAM530zZTOdkXRmwPVzXeMYUZGcSouX+jdagzig9MIa7PONmwJXbV3u +FkG4aOJ1y3TqRNh2t8B/VvrPSEDOZjMkPKLGWQ=
X-Google-Smtp-Source: ABdhPJyVZR4fOZPIIHaXNIspg5ePpBM1FFpRr08uP9eajNgdfjEjkW4IfNkZj6oK1RsrW2KNsrPNK3CbPDq0Z8hgmJA=
X-Received: by 2002:ab0:6f57:: with SMTP id r23mr13124663uat.23.1593477799764; Mon, 29 Jun 2020 17:43:19 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <14119.1593367594@localhost> <alpine.OSX.2.22.407.2006281428200.79151@ary.qy> <3615321.ADK9YsXCiF@linux-9daj> <CADZyTkm82y=H48e7TL+wBMN67jrCG2T96kHOdovX0Ds3m_nguw@mail.gmail.com> <CABcZeBMRYRoMVLr937=9T4dyVGzGHYapcrTRZ7nYghdAqzhqOQ@mail.gmail.com>
In-Reply-To: <CABcZeBMRYRoMVLr937=9T4dyVGzGHYapcrTRZ7nYghdAqzhqOQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 29 Jun 2020 20:43:08 -0400
Message-ID: <CADZyTknZTcYXb1JbYANh4uk5xgAedNGnM93y9QORJ2vYR5eJxw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Vixie <paul@redbarn.org>, Michael Richardson <mcr+ietf@sandelman.ca>, ADD Mailing list <add@ietf.org>, John R Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="0000000000003668ca05a9427626"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/l8Rr_-WLkKFVpK2sddEd375LPBI>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2020 00:43:23 -0000

On Mon, Jun 29, 2020 at 7:15 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Mon, Jun 29, 2020 at 2:40 PM Daniel Migault <mglt.ietf@gmail.com>
> wrote:
>
>> Hi,
>>
>> I believe the proposal presents some
>> similarities to draft-mglt-drdp [1] that is
>> using the DNS to proceed to the
>> discovery. I see drdp as more generic,
>> and would be happy to improve it.
>>
>> I would be happy to understand why HTTP
>> is a better stack to perform the
>> discover as opposed to DNS. I think that
>> DNS is better as it is the common
>> protocol to DoT DoH and DNS, but I might
>> be missing something.
>>
>
> I don't quite follow this, as we do not use HTTP.
>
I thought you were saying using HTTPSSVC was architecturally better - that
was section 5 not 4.

>
>
>>
>> I believe that CNAME is to restrictive
>> and would not make possible for example
>> to have multiple resolvers
>>
>
> This goes back to use case. In our use case, the multiple resolvers would
> be supplied by manual configuration of the client. the CNAME is just a
> lookup key.
>

Unless I am missing something, I do not see how the ISP could respond
saying and provide the application a resolver that implements DoH, a
resolver that implement DoTs, a resolver that implements DoH and DNSSEC
validation and let the application pick the one it prefers.

>
>> CNAME does not provide useful necessary
>> parameters that may also be useful for a
>> DoH resolver DRDP lists among others:
>> alpn, ensiconfig, uri template, user
>> display, auth_domain, filtering,
>> ip_subnet, dnssec, ....
>>
>> My understanding is that BCP 17 saw SRV
>> as a long term solution for CNAME which
>> is now superseded by HTTPSVC/SVCB. I see
>> SRV as very common in home networks with
>> service discovery.
>>
>> I believe that using a generic is
>> problematic as is prevents its resoltion
>> to be secured with DNSSEC.
>>
>
> As I said earlier, this goes back to threat model. Please describe the
> thrat model where you think DNSSEC helps.
>

The threat model seems for Comcast and the end user having the traffic of
its end users being redirected to Cloudflare instead of the local resolver.
Both resolvers are trusted according to Firefox but the end user and the
ISP may have a different view. It also means that any information that is
not preconfigured cannot be trusted.



> -Ekr
>
>
>
>
>> In DRDP [1], the list of resolvers is
>> associated to a resolving domain. In the
>> case of an ISP the resolving domain is
>> derive with a reverse resolution from
>> the IP address announced by the ISP .
>> Note that other means may be provided.
>> With the resolving domain - in your case
>> resolver.example, the application will
>> retrieve the resolvers associated to the
>> resolving domain.  In your case you are
>> exclusively focused on DoH server, so
>> your application will them perform
>> _443_dns.example.com. SVCB.
>>
>> Note that an early version of DRDP was
>> using SRV/TXT instead of SVCB.
>>
>> Yours,
>> Daniel
>>
>> [1]
>> https://github.com/mglt/draft-mglt-abcd-dofoo-discovery/blob/master/draft-mglt-add-rdp.mkd
>>
>> On Sun, Jun 28, 2020 at 3:23 PM Paul Vixie <paul@redbarn.org> wrote:
>>
>>> On Sunday, 28 June 2020 18:29:22 UTC John R Levine wrote:
>>> > On Sun, 28 Jun 2020, Michael Richardson wrote:
>>> > >    > Beyond that I gather there is still concern about SOHO routers
>>> with
>>> > >    > poorly implemented DNS forwarders that only handle some kinds of
>>> > >    > queries.
>>> > >
>>> > > I believe that the majority of devices on the market are now based
>>> upon
>>> > > versions of openwrt which, even if 10 years out of date, now have
>>> only 15
>>> > > year old DNS forwarding code.  And that's new enough.
>>> >
>>> > It's not what's on sale now, it's what's installed.  People tend to
>>> keep
>>> > what they have unless it breaks in ways that are obvious to them.
>>>
>>> as we learned with EDNS, we should have broken more stuff sooner. being
>>> liberal in what we accept and conservative in what we generate has not
>>> scaled
>>> and won't.
>>>
>>> --
>>> Paul
>>>
>>>
>>> --
>>> Add mailing list
>>> Add@ietf.org
>>> https://www.ietf.org/mailman/listinfo/add
>>>
>>
>>
>> --
>> Daniel Migault
>> Ericsson
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
>>
>

-- 
Daniel Migault
Ericsson