Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Rob Sayre <sayrer@gmail.com> Wed, 01 July 2020 04:55 UTC

References: <CAChr6SyTv7Oc3XX19b5T2uVn2MGATneVfaoKfDRpxVpYc19u1w@mail.gmail.com> <94C306DF-A9D9-4FAC-8C4B-AE3E90E29417@nbcuni.com>
In-Reply-To: <94C306DF-A9D9-4FAC-8C4B-AE3E90E29417@nbcuni.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 30 Jun 2020 21:55:30 -0700
Message-ID: <CAChr6Swm1kTEvYUbtKLFZdsbxKXzyZPd3GQn49rjrgV0jjm=qw@mail.gmail.com>
To: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Cc: Eric Rescorla <ekr@rtfm.com>, ADD Mailing list <add@ietf.org>, Paul Vixie <paul@redbarn.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/moGNNMYJnLnSJD9_XH4fLCB7czg>
Subject: Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

On Tue, Jun 30, 2020 at 9:01 PM Deen, Glenn (NBCUniversal) <
Glenn.Deen@nbcuni.com> wrote:

>
> Should we design for the edge case where something bad happens, but is the
> exception or should we design for the 99% case when the home network is
> just fine?
>
> Granted hacks and attacks will happen, but while we should and do take
> reasonable steps to mitigate obvious problems, most of the time and most of
> the experience of home networks is that they aren’t compromised and behave
> the way their users expect.
>

Although only one example was given, it's a common problem. A web search
will turn up many other instances. Note that Mozilla's current approach is
resistant to such misconfiguration, whether or not it's malicious. Most of
these problems seem to be unintentional or the work of common criminals,
not anything more sophisticated.

I agree that DNSSEC or some other validation method might improve discovery
over DHCP etc., but have yet to see anything like that deployed. Examples
might help.


>
> This gets back to Ekr’s question of declaring what threats you are
> actually worried about.
>

Private IPs should not be trusted as DNS servers absent client software
such as VPNs, enterprise management, or parental control features. I know
others disagree.

thanks,
Rob
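
The position stated at the end of the message (a resolver reached on a private address is not trusted unless client-side software such as a VPN, enterprise management or a parental-control feature installed it) can be expressed as a small policy check. The code below is an added example written for this archive page; it is not Rob Sayre's code, Mozilla's code or anything from the draft under discussion. The address ranges it treats as "local" (RFC 1918, RFC 4193 ULA, RFC 6598 CGNAT, loopback and link-local) and the names of the managed configuration sources are assumptions made for the example, and the sample resolver list at the bottom is constructed.

```python
import ipaddress

# Address ranges on which a home or LAN resolver is typically reached.
# Constructed list for this example: RFC 1918 and RFC 4193 private space,
# RFC 6598 carrier-grade NAT, loopback and link-local.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 CGNAT
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # RFC 4193 ULA
)]

# Configuration sources the message treats as a reason to trust a private
# resolver address. These names are assumptions made for this example.
MANAGED_SOURCES = {"vpn", "enterprise_management", "parental_control"}


def is_local_address(addr: str) -> bool:
    """True if addr (IPv4 or IPv6) falls inside one of LOCAL_RANGES."""
    ip = ipaddress.ip_address(addr)
    # ipaddress returns False for a version mismatch, so mixed lists are safe.
    return any(ip in net for net in LOCAL_RANGES)


def resolver_decision(addr: str, source: str) -> str:
    """Classify a discovered resolver address.

    source is where the address came from: "dhcp" (or "ra") for an
    unauthenticated network hint, or one of MANAGED_SOURCES for a
    configuration installed by client-side software.  Returns one of:
      "trusted-managed"  private address installed by managed software
      "untrusted-local"  private address offered only by the network
      "not-local"        not a private address; this rule does not apply
    """
    if not is_local_address(addr):
        return "not-local"
    if source in MANAGED_SOURCES:
        return "trusted-managed"
    return "untrusted-local"


def filter_candidates(candidates):
    """Keep only (address, source) pairs that the policy does not reject."""
    return [(a, s) for a, s in candidates
            if resolver_decision(a, s) != "untrusted-local"]


if __name__ == "__main__":
    # Constructed sample: a DHCP-offered home router, a VPN-pushed resolver
    # and a non-private address from the documentation prefix.
    sample = [("192.168.1.1", "dhcp"), ("10.8.0.1", "vpn"), ("2001:db8::53", "dhcp")]
    for addr, src in sample:
        print(addr, src, "->", resolver_decision(addr, src))
    print("kept:", filter_candidates(sample))
```

Note that "not-local" is deliberately not the same as "trusted": the message only argues that private addresses should not be trusted by default, so a public resolver address is passed through for whatever other validation the client applies rather than being accepted by this check.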