IETF Logo Mail Archive

Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted

Eric Orth <ericorth@google.com> Tue, 28 April 2020 15:06 UTC

Return-Path: <ericorth@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D1F73A168F for <add@ietfa.amsl.com>; Tue, 28 Apr 2020 08:06:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xlaOOe-BSgJF for <add@ietfa.amsl.com>; Tue, 28 Apr 2020 08:06:02 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDADC3A168B for <add@ietf.org>; Tue, 28 Apr 2020 08:06:01 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id j2so25053886wrs.9 for <add@ietf.org>; Tue, 28 Apr 2020 08:06:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h8VA6tH6apjFglyzL28IshL+HXKBpsvH8Jq0BRRMKrQ=; b=Tt2qh76LPw9nFhqAqpxNP+WxVdBzHkmvoZWT/DHgKf+fxnd24gyKwV6OVQkoOgPqPA ihziR9EELTXjEE5n4zGd1H8gQb6uHRl2/hjXmdb9HgYc4hmVZCBXNIAciBYmWkzcQUmd weysHPIEYvmH6hhWjHDRkLs0rGgViCGt6FSvg3YIFeo5hbHyLveunyI9vNoTubAcznDs /4Av0IMmy2r+Ct4TnAM3dFdCvfwdgz+edKmovzFkT+lKyQhgW/yk5axxjammXbrhCPxo ASI4/9GFCg4p2/N8ZV+U3bhC1vEuwZ5nMkqgqRw2Uj6plUMW3MIcl+taBUwz+f0ISZnm QevQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h8VA6tH6apjFglyzL28IshL+HXKBpsvH8Jq0BRRMKrQ=; b=PdQ4kFj97RvUSQhHOf0wiP1s75LFp7LsMdcDteCF2fhrTTQrJoU1OLn8Rpeg+NcVki QwEYmQqJY+BdissP0nmH2Vg/pJTFvCLJ6eGTutKBANjcuTDcRY/hyViNOFE+Kuhj376t W8pKHb3Ul455FqR54EJct+ay++0bA2DTX5n7Y8Rg4ubL/+xbMuEyRsyF8KNW5xtxBI1K jqYPpF5zH3RYUcDd6YMdUlmdmwBEfu0l2r+/NWuq0jyVhmWs6nbL6FKfssyj99LUFz4c jgiWCeROBStftzrMMyaxnsojDOXrWDxUJu7uN7UYraGlltkkd0DsmxYlnNn+s+6KIgpX Dzgg==
X-Gm-Message-State: AGi0PubV4tA0HDe4qeiWd3j6xbZq6J/daZL01GVSaUCjOPz4ZHcwerpd zjv2WjJliyr6YpOgP8CNDF1JK5sGfE1HktyyGKUn3gdk
X-Google-Smtp-Source: APiQypIUZvsJ33HKApSwP0psy00UxBlLClWUl+wgedg2w6Uhw07wzXdgAjwW4aeU9yzxNgVKgnKc/xZYuXeKXgr4THM=
X-Received: by 2002:adf:f450:: with SMTP id f16mr33565517wrp.346.1588086359838; Tue, 28 Apr 2020 08:05:59 -0700 (PDT)
MIME-Version: 1.0
References: <E1091705-3E44-4284-AFE3-824052FBF5C2@icann.org> <CAFpG3gebD-O0zzb7q-37gT-FWi9qC0owhxPkf1yARHq3CvjczQ@mail.gmail.com> <CAMOjQcHtqBTPfCC=VbspbCbeuB9kfSEMR6CJh0ZEBOoS1sOJWQ@mail.gmail.com>
In-Reply-To: <CAMOjQcHtqBTPfCC=VbspbCbeuB9kfSEMR6CJh0ZEBOoS1sOJWQ@mail.gmail.com>
From: Eric Orth <ericorth@google.com>
Date: Tue, 28 Apr 2020 11:05:48 -0400
Message-ID: <CAMOjQcHumQ1-CJww-5=mf2AtxcyN75b0cujjo7xitF24oGPTQA@mail.gmail.com>
To: ADD Mailing list <add@ietf.org>
Cc: Paul Hoffman <paul.hoffman@icann.org>
Content-Type: multipart/alternative; boundary="0000000000005a4ec805a45b2b4b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/rwNybl2Q_cS_9HmPj5p5so7AKzA>
Subject: Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 15:06:05 -0000

And another point regarding DNS vs HTTP mechanisms: Is there any concerns
regarding clients with DoH/DoT stubs but that rely on getaddrinfo() from
the system for Classic DNS? Would HTTP be more palatable for those clients?
Then again, if a client has a full DoH/DoT implementation, maybe easier for
them to add a Classic DNS implementation than it would be for many
recursives to add an HTTPS server.

On Tue, Apr 28, 2020 at 10:59 AM Eric Orth <ericorth@google.com> wrote:

> I generally support both documents and would support ADD adoption.
>
> Re draft-pp-add-stub-upgrade: I do worry that it goes a little bit too far
> into "policy" in laying out a specific algorithm, even if it's full of
> options to allow clients to choose their own behavior.  Might be better if
> framed more explicitly as a "descriptive example" rather than the
> prescriptive way to implement it.  But I find the draft overall helpful
> just for clearly laying out both the opportunistic DoT and the DoH resinfo
> tag.
>
> Re draft-pp-add-resinfo: Definitely think this is the best overall draft
> we have for the common problem of retrieving resolver information.  I'm
> personally conflicted on the HTTP-based mechanism.  Others have made some
> solid arguments against it already in this thread, but I would be sad to
> lose our best option for a secure mechanism.  It's correct that the DNS IP
> address typically comes from insecure DHCP, but in many cases that is only
> exposed on the limited local network or maybe the IP was set on the machine
> rather than using DHCP, so the resinfo messages could sometimes (often?)
> have a much bigger exposure.  Then again, since the internet seems not
> quite ready for CAs to widely give certs for IP addresses, maybe it would
> be best to remove it from this draft and create a new draft in the future
> once the mechanism becomes more viable.
>
> On Tue, Apr 28, 2020 at 10:19 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>> Are you planning to replace
>> https://tools.ietf.org/html/draft-ietf-dnsop-resolver-information-01
>> with draft-pp-add-resinfo ?
>>
>> -Tiru
>>
>> On Fri, 24 Apr 2020 at 22:16, Paul Hoffman <paul..hoffman@icann.org
>> <paul.hoffman@icann.org>> wrote:
>>
>>> Greetings again. We have just published two drafts,
>>> draft-pp-add-stub-upgrade and draft-pp-add-resinfo, to address the easier
>>> problem that this WG wanted to tackle, namely how a stub can upgrade from
>>> plain DNS to encrypted DNS for the resolver it is currently using. The
>>> method in draft-pp-add-stub-upgrade is quite simple, but it includes all of
>>> the variables that we have heard in the discussion over the last year. The
>>> format in draft-pp-add-resinfo is the minimum needed for stub upgrade, but
>>> will also possibly be useful for the more difficult discovery protocols
>>> being discussed in the WG.
>>>
>>> Please let us know if you find these documents useful for the discussion
>>> of direct upgrade instead of discovery. Also, please let us know if we have
>>> missed any salient points. If so, we could ask the chairs to make these
>>> into WG documents.
>>>
>>> --Paul Hoffman and Puneet Sood
>>>
>>> https://datatracker.ietf.org/doc/draft-pp-add-stub-upgrade/
>>>
>>> Name:           draft-pp-add-stub-upgrade
>>> Revision:       00
>>> Title:          Upgrading Communication from Stub Resolvers to DoT or DoH
>>> Document date:  2020-04-24
>>> Group:          Individual Submission
>>> Pages:          7
>>>
>>> Abstract:
>>>   This document describes methods for a DNS stub resolver to upgrade
>>>   its communications with a known recursive resolver to include
>>>   encrytion using DoT or DoH.  This protocol is designed for the
>>>   scenario where the stub resolver already has the IP address of the
>>>   recursive resolver.
>>>
>>>   Other protocols under develpment address scenarios where the stub
>>>   resolver wants to discover recursive resolvers that use DoT or DoH.
>>>   This document does not cover such discovery.
>>>
>>>
>>> https://datatracker.ietf.org/doc/draft-pp-add-resinfo/
>>>
>>> Name:           draft-pp-add-resinfo
>>> Revision:       00
>>> Title:          DNS Resolver Information Self-publication
>>> Document date:  2020-04-24
>>> Group:          Individual Submission
>>> Pages:          9
>>>
>>> Abstract:
>>>   This document describes methods for DNS resolvers to self-publish
>>>   information about themselves.  The information is returned as a JSON
>>>   object.  The names in this object are defined in an IANA registry
>>>   that allows for light-weight registration.  Applications and
>>>   operating systems can use the methods defined here to get the
>>>   information from resolvers in order to make choices about how to send
>>>   future queries to those resolvers.
>>>
>>> --
>>> Add mailing list
>>> Add@ietf.org
>>> https://www.ietf.org/mailman/listinfo/add
>>>
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
>>
>

v2.23.0 | Report a Bug | By Email