IETF Logo Mail Archive

Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers

Eric Rescorla <ekr@rtfm.com> Sat, 04 July 2020 00:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6946D3A0962 for <add@ietfa.amsl.com>; Fri, 3 Jul 2020 17:44:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5-P7_M0UhLXA for <add@ietfa.amsl.com>; Fri, 3 Jul 2020 17:44:52 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D38E13A0953 for <add@ietf.org>; Fri, 3 Jul 2020 17:44:51 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id f5so23001714ljj.10 for <add@ietf.org>; Fri, 03 Jul 2020 17:44:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VUk44YrgKMmT7LFJA5sn8aYBB1I2nICa9rBQJhKas3Q=; b=U2+VXiEJO0Bnk9VeQfppCaccZmAuMGITDZb3cnKxrCh5QXnstajYgmW11SJbA2H/4G C5eLKm3h6xmiDL/dqWhr+HJQFqyTkrle/m/pJmHZPqyz+K209aOYYZZzJPtY6zM+B9dD ClMy6FhlZhaoP90zvkDKl6B5j5S6pPOFVncpF1uySZ7kwkWSYYyqGVGoVa6Nby5FJZl7 4MCzS4Su3qX3cd/2vIbu7QBR4w+xuG9hZEZXl9PvpiU8sp8FTf6J4sFOLHyriMOFswgO zOJqtPlc8kVnRdp+VqRcvB38v++zT1Lh1gd05PDD1jWJeQFUBOYFfrWs2ixNH+v1gJ0a qLbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VUk44YrgKMmT7LFJA5sn8aYBB1I2nICa9rBQJhKas3Q=; b=IfCRfV8wUCuv05aDoiU2y5wQ+/1u2rm2rla97mvG1yGwM8zGIdoIU4hNnG0YlGo+gS xTiYRy7GiD6o5h8GI5VZ8rGuA2Yz6x/7A0MOHFZIs9kGFHzJGyqJySDavU+l0ILxouSm OMX3U4xSt43EPF1LwrMVTejIVGgtkBHYK3lpFInV58trelME+9sT/q/LiddPih19gAW3 +5lVijShUoHwYv8I1weYPpXa0QbJgb8PKyozR1r6dM3MejSGJWu5/N4/TphLmKL3Rfhu Sxmw0HGqafkSyLTAnr4rezH6h0bS2uMee/cIELZG4QejeDCTw0YxZH4Cqc7BstvMKt3G VGDQ==
X-Gm-Message-State: AOAM533Qb9WPXDwFb0XyZVFv+qfyLWjoMPIeah1K4QTCH5tPzUKB2iyr 5z1Vk2pdE2h+DlP0UDKPKPPu4AZFlmERJrcUZgIfqg==
X-Google-Smtp-Source: ABdhPJz+YnkOmohTosn4c3j2QNhyKfx5P0ZSFpglhJtYTay47p386kwwsPt0Uml7egsTSUMzcgoML0LKkh1VqNDjm/U=
X-Received: by 2002:a05:651c:1044:: with SMTP id x4mr20276686ljm.409.1593823489939; Fri, 03 Jul 2020 17:44:49 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <1AB2782B-87C0-4991-8703-AE2C98411AFC@apple.com> <CABcZeBOyAb3HrX0ABM2ZFuz-_Vn+0sPk_88e2OwQ5U-DRjAxXQ@mail.gmail.com> <2013869.BjYadG0qc2@linux-9daj> <CABcZeBOoOQ1drRepe9oHCyFrgnRxomKBkno7b1CDcfRJAZqkHg@mail.gmail.com> <CA+9_gVti4RO_0iz8kniwx7yJDi7iFRTNkYmGmfp434muAhMU_Q@mail.gmail.com>
In-Reply-To: <CA+9_gVti4RO_0iz8kniwx7yJDi7iFRTNkYmGmfp434muAhMU_Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 03 Jul 2020 17:44:13 -0700
Message-ID: <CABcZeBN-D1=9TqBOTRjs6BS4k=GOW5cMK3T3x3Q8aLrV6GO-Hg@mail.gmail.com>
To: Puneet Sood <puneets@google.com>
Cc: Paul Vixie <paul@redbarn.org>, ADD Mailing list <add@ietf.org>, Tommy Pauly <tpauly@apple.com>
Content-Type: multipart/alternative; boundary="000000000000f3f0c805a992f2f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/vhkjysyP6Z9MKoiQ1vXsldvg16A>
Subject: Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jul 2020 00:44:53 -0000

On Fri, Jul 3, 2020 at 5:39 PM Puneet Sood <puneets@google.com> wrote:

> > So, if we are to have unauthenticated discovery of Do[TH] servers,
> > then we must have some other threat model. For instance we might
> > think that the attacker can read all packets but for some reason
> > can't impersonate the DHCP server. What I'm saying is that we should
> > start by laying out what that threat model is and then we can define
> > what, if any, technical measures add security benefit in that threat
> > model. That would be true even if we knew that there weren't
> > middleboxes which tampered with new record types.
>
> From RFC 3552, the threat model for unauthenticated discovery would be
> passive attacks described in section 3.2. There is benefit to
> upgrading from Do53 to Do[TH] even if the network between the client
> and the DHCP server is secure - specifically when the DNS resolver is
> further away on the network. This could be because the network
> operator is running the DNS resolver further away (e.g. DHCP could be
> on the home router for a typical home user) or the DNS resolver
> specified by the ISP is operated by a third-party on a different
> network.
>

Puneet,

Thanks for your response.

This certainly seems like a reasonable threat model. However, if this *is*
your threat model,
then it seems like it would be rather easier to just have the gateway
router just proxy
to the actual resolver over a secure channel. This would have several
advantages:

1. It would not require defining any new discovery protocol.
2. It would work with any client, even older, non-upgradeable ones.
3. It would allow the gateway router to inspect the traffic and perhaps do
filtering/monitoring/etc.
(This last one seems like it's arguably not an advantage but given that
that device can insert
itself in the middle anyway....)

-Ekr

v2.23.0 | Report a Bug | By Email