IETF Logo Mail Archive

Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers

Eric Rescorla <ekr@rtfm.com> Fri, 26 June 2020 22:08 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C05D43A0CE7 for <add@ietfa.amsl.com>; Fri, 26 Jun 2020 15:08:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6_w1WJ2_0n8 for <add@ietfa.amsl.com>; Fri, 26 Jun 2020 15:08:43 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 731CF3A0CE5 for <add@ietf.org>; Fri, 26 Jun 2020 15:08:43 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id d21so5944479lfb.6 for <add@ietf.org>; Fri, 26 Jun 2020 15:08:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dYEbaBvVagTr55yGbDCHNtDgqo36vxg7OGumMrJOjt8=; b=STfn0w2fIy4dbflD2ojpk9wEAW4QRO56TBCObj48MwpdlSlJefV8LtAcA036qFiO0p lTU4qj8iT1LaXdiAgcqXuw+8o29EWlDmv3sYsofNV6uutrdX618Y6hDZYSgXR0sTODky KglZW3HJWgb3IQl6mpL9M4aPE7LkqGBY75RW72Tfwmp4SPu/3yEHs0X5Ldho+V9MavDV v/OyxKxDdwIMT85AqN3dJzRz/ZpcXDI8TUh2N2nXwFPMB5BEtVWd20MUVDV8RJFbFaio eBRsBLhmLlPGnGN86V+d6WIInKqm2FCljfMpQbdnihcRrqauVRxC0O248hkEPiRHLqRM YH8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dYEbaBvVagTr55yGbDCHNtDgqo36vxg7OGumMrJOjt8=; b=tLwe3jt8C4uIPP8lttwTSkzbmqgYf9RJ2vuURyDnEzcX1wYywo3okiBJeBm+IWEVqY qE37h4vZi5X21f1/nRduQJIzt5XgcxDUEsDf9FfpzgBQMC6F3fEBZEa+TJ0CzPqxGhNP CAdLc7HgCr2eWHDJHfXIuhhiyDD4Sk7UAVS+lTh4XCVf5Emh4yRUsqjbVLzwzL8H2om1 sFoq6G/rsqDYfJf3lxIH7F3AGfsaDLTZLRe31NkO2m+/F4n37GUYgVqg9Hv2zNUvQ9E+ LXf+TFl4iZOLj21FwGBtOPG4T+tWM+Z52LJXYweDFKvDLp3KVLZEEWWymuOoWo52ttgZ cqFA==
X-Gm-Message-State: AOAM530H157JwcOHDSvhPfFepV1UdM1Zlf8tfhXVbKQUv2fl6sdQJRRT KaB1APq7N+HYbZWlfIEC06urY4r385cbAT3wf+pbOA==
X-Google-Smtp-Source: ABdhPJyJLQnjFbonY1CrGuDt506uVmspwQxtqkX/04OrDYcB2ten/JsuzqHpIciYpbOYGqdz4O9OiRfFT6pv1F0BSvI=
X-Received: by 2002:ac2:4c2a:: with SMTP id u10mr2954740lfq.168.1593209321436; Fri, 26 Jun 2020 15:08:41 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <1AB2782B-87C0-4991-8703-AE2C98411AFC@apple.com>
In-Reply-To: <1AB2782B-87C0-4991-8703-AE2C98411AFC@apple.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 26 Jun 2020 15:08:05 -0700
Message-ID: <CABcZeBOyAb3HrX0ABM2ZFuz-_Vn+0sPk_88e2OwQ5U-DRjAxXQ@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a872ca05a903f325"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/pEmpmwL830U-pCXOSlhupR3BXLg>
Subject: Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 22:08:46 -0000

On Fri, Jun 26, 2020 at 2:46 PM Tommy Pauly <tpauly@apple.com> wrote:

> Hi Ekr,
>
> Thanks for sharing this draft. Very exciting to see this step forward in
> supporting the automatic use of DoH.
>
> Regarding the choice of using DNS + CNAME, I completely understand and
> sympathize with the practical deployment aspects. Going forward, I’d like
> to see if collectively we can use a record that gives a full DoH URI. Your
> draft does reference the option of using HTTPS RRs for this, as Tommy
> Jensen has proposed in
> https://tools.ietf.org/id/draft-pauly-add-resolver-discovery-00.html#name-discovery-of-doh-capabiliti
> .
>
> In my email to this list just a bit ago, I mentioned that we’re starting
> to request these RR types (well, the older version for HTTPSSVC, but will
> be updated) on the iOS and macOS betas. Hopefully we can measure based on
> that how much RRType interference exists in networks. I’d be curious to
> hear what kinds of measurements the Mozilla team is taking in this space,
> as you are able to share.
>

We're just starting the work to collect data, but we expect to publish it
once we have it.


I’d also be interested to have a discussion here about the acceptable
> ranges for breakage. Certainly, if the percentage of home wifi setups that
> fails with a new RRType is very high, it’s a problem. However, if the
> percentage is lower but still significant (say, 5%?), we can consider the
> tradeoff of solutions. Intolerance to passing unknown RRTypes is one way
> that this could break; however, there are many other ways a local wifi
> router could potentially interfere. For example, a wifi router might not
> recurse to the ISP's DNS resolver, but some other resolver (which if it is
> 1.1.1.1 or 8.8.8.8 would support DoH, but could be something else that
> doesn’t).
>

Sure. Though note that it's proxying to a non-TRR resolver then whether it
filters CNAMEs doesn't matter because the intent here would be to use a
default TRR.

I'd be interested in hearing what tradeoffs you see here. Other than
inelegance, what's problematic about the CNAME approach?


There will always be *some* tail of networks that won’t work, even with the
> CNAME approach; and I’d like to see a long-term solution that allows for
> richer information than just a hostname. Thoughts?
>

Well, as I said when this group was first formed, we should start by
figuring out what we are trying to accomplish and the threat model.

For the TRR case, it's not actually the hostname we are interested in but
rather the identity of the network-associated TRR. The hostname is just a
convenient lookup key. If an ISP told us they wanted to use
"<isp-name>.invalid" that wouldn't be a problem for us as long as it was
unique.

The scenario you seem to be interested in is one in which the user joins
the network and then learns that the associated Do53 resolver supports DoH
and then connects to it with whatever coordinates that resolver (or DHCP or
whatever) provides. That clearly is not useful in the 3552 threat model
which assumes that the attacker entirely controls the network because the
attacker can just send their own resolver coordinates. That isn't to say
that there aren't more limited but still realistic threat models where this
would be useful, but I think you should start by describing those.

-Ekr


> Best,
> Tommy
>
> On Jun 25, 2020, at 7:05 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Hi folks,
>
> As has been noted previously, the current Firefox DoH/TRR design
> bypasses the ISP resolver even if the ISP resolver supports DoH.
>
> I have just posted draft-rescorla-doh-cdisco-00, which describes a
> CNAME-based mechanism for discovering when a local resolver supports
> DoH/TRR. Firefox can then determine whether that resolver is on the
> TRR list and if so can use it in preference to generic resolver.. The
> use of CNAME was chosen for pragmatic reasons (laid out in the draft).
> We're studying other designs but thought it would be a good idea
> to document this one.
>
> See: https://www.ietf.org/internet-drafts/draft-rescorla-doh-cdisco-00.txt
>
> -Ekr
>
>
>
>
>
>
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>
>
>

v2.23.0 | Report a Bug | By Email