Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers
Eric Rescorla <ekr@rtfm.com> Sat, 04 July 2020 00:44 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6946D3A0962 for <add@ietfa.amsl.com>; Fri, 3 Jul 2020 17:44:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5-P7_M0UhLXA for <add@ietfa.amsl.com>; Fri, 3 Jul 2020 17:44:52 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D38E13A0953 for <add@ietf.org>; Fri, 3 Jul 2020 17:44:51 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id f5so23001714ljj.10 for <add@ietf.org>; Fri, 03 Jul 2020 17:44:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VUk44YrgKMmT7LFJA5sn8aYBB1I2nICa9rBQJhKas3Q=; b=U2+VXiEJO0Bnk9VeQfppCaccZmAuMGITDZb3cnKxrCh5QXnstajYgmW11SJbA2H/4G C5eLKm3h6xmiDL/dqWhr+HJQFqyTkrle/m/pJmHZPqyz+K209aOYYZZzJPtY6zM+B9dD ClMy6FhlZhaoP90zvkDKl6B5j5S6pPOFVncpF1uySZ7kwkWSYYyqGVGoVa6Nby5FJZl7 4MCzS4Su3qX3cd/2vIbu7QBR4w+xuG9hZEZXl9PvpiU8sp8FTf6J4sFOLHyriMOFswgO zOJqtPlc8kVnRdp+VqRcvB38v++zT1Lh1gd05PDD1jWJeQFUBOYFfrWs2ixNH+v1gJ0a qLbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VUk44YrgKMmT7LFJA5sn8aYBB1I2nICa9rBQJhKas3Q=; b=IfCRfV8wUCuv05aDoiU2y5wQ+/1u2rm2rla97mvG1yGwM8zGIdoIU4hNnG0YlGo+gS xTiYRy7GiD6o5h8GI5VZ8rGuA2Yz6x/7A0MOHFZIs9kGFHzJGyqJySDavU+l0ILxouSm OMX3U4xSt43EPF1LwrMVTejIVGgtkBHYK3lpFInV58trelME+9sT/q/LiddPih19gAW3 +5lVijShUoHwYv8I1weYPpXa0QbJgb8PKyozR1r6dM3MejSGJWu5/N4/TphLmKL3Rfhu Sxmw0HGqafkSyLTAnr4rezH6h0bS2uMee/cIELZG4QejeDCTw0YxZH4Cqc7BstvMKt3G VGDQ==
X-Gm-Message-State: AOAM533Qb9WPXDwFb0XyZVFv+qfyLWjoMPIeah1K4QTCH5tPzUKB2iyr 5z1Vk2pdE2h+DlP0UDKPKPPu4AZFlmERJrcUZgIfqg==
X-Google-Smtp-Source: ABdhPJz+YnkOmohTosn4c3j2QNhyKfx5P0ZSFpglhJtYTay47p386kwwsPt0Uml7egsTSUMzcgoML0LKkh1VqNDjm/U=
X-Received: by 2002:a05:651c:1044:: with SMTP id x4mr20276686ljm.409.1593823489939; Fri, 03 Jul 2020 17:44:49 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <1AB2782B-87C0-4991-8703-AE2C98411AFC@apple.com> <CABcZeBOyAb3HrX0ABM2ZFuz-_Vn+0sPk_88e2OwQ5U-DRjAxXQ@mail.gmail.com> <2013869.BjYadG0qc2@linux-9daj> <CABcZeBOoOQ1drRepe9oHCyFrgnRxomKBkno7b1CDcfRJAZqkHg@mail.gmail.com> <CA+9_gVti4RO_0iz8kniwx7yJDi7iFRTNkYmGmfp434muAhMU_Q@mail.gmail.com>
In-Reply-To: <CA+9_gVti4RO_0iz8kniwx7yJDi7iFRTNkYmGmfp434muAhMU_Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 03 Jul 2020 17:44:13 -0700
Message-ID: <CABcZeBN-D1=9TqBOTRjs6BS4k=GOW5cMK3T3x3Q8aLrV6GO-Hg@mail.gmail.com>
To: Puneet Sood <puneets@google.com>
Cc: Paul Vixie <paul@redbarn.org>, ADD Mailing list <add@ietf.org>, Tommy Pauly <tpauly@apple.com>
Content-Type: multipart/alternative; boundary="000000000000f3f0c805a992f2f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/vhkjysyP6Z9MKoiQ1vXsldvg16A>
Subject: Re: [Add] Draft Posting: CNAME Discovery of Local DoH Resolvers
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jul 2020 00:44:53 -0000
On Fri, Jul 3, 2020 at 5:39 PM Puneet Sood <puneets@google.com> wrote: > > So, if we are to have unauthenticated discovery of Do[TH] servers, > > then we must have some other threat model. For instance we might > > think that the attacker can read all packets but for some reason > > can't impersonate the DHCP server. What I'm saying is that we should > > start by laying out what that threat model is and then we can define > > what, if any, technical measures add security benefit in that threat > > model. That would be true even if we knew that there weren't > > middleboxes which tampered with new record types. > > From RFC 3552, the threat model for unauthenticated discovery would be > passive attacks described in section 3.2. There is benefit to > upgrading from Do53 to Do[TH] even if the network between the client > and the DHCP server is secure - specifically when the DNS resolver is > further away on the network. This could be because the network > operator is running the DNS resolver further away (e.g. DHCP could be > on the home router for a typical home user) or the DNS resolver > specified by the ISP is operated by a third-party on a different > network. > Puneet, Thanks for your response. This certainly seems like a reasonable threat model. However, if this *is* your threat model, then it seems like it would be rather easier to just have the gateway router just proxy to the actual resolver over a secure channel. This would have several advantages: 1. It would not require defining any new discovery protocol. 2. It would work with any client, even older, non-upgradeable ones. 3. It would allow the gateway router to inspect the traffic and perhaps do filtering/monitoring/etc. (This last one seems like it's arguably not an advantage but given that that device can insert itself in the middle anyway....) -Ekr
- [Add] Draft Posting: CNAME Discovery of Local DoH… Eric Rescorla
- Re: [Add] Draft Posting: CNAME Discovery of Local… John Levine
- Re: [Add] Draft Posting: CNAME Discovery of Local… tirumal reddy
- Re: [Add] Draft Posting: CNAME Discovery of Local… Tommy Pauly
- Re: [Add] Draft Posting: CNAME Discovery of Local… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Hoffman
- Re: [Add] Draft Posting: CNAME Discovery of Local… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] Draft Posting: CNAME Discovery of Local… Eric Rescorla
- Re: [Add] Draft Posting: CNAME Discovery of Local… Patrik Fältström
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Hoffman
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… John Levine
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Michael Richardson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… John R Levine
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Daniel Migault
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Daniel Migault
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Daniel Migault
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Martin Thomson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Daniel Migault
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… tirumal reddy
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Hoffman
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- [Add] Threat models Paul Hoffman
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Vittorio Bertola
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Deen, Glenn (NBCUniversal)
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Deen, Glenn (NBCUniversal)
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… tirumal reddy
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… tirumal reddy
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… tirumal reddy
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Michael Richardson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Eric Rescorla
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Michael Richardson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Michael Richardson
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Tony Rutkowski
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Paul Vixie
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Ted Lemon
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Tony Rutkowski
- Re: [Add] [Ext] Draft Posting: CNAME Discovery of… Rob Sayre
- Re: [Add] Draft Posting: CNAME Discovery of Local… Puneet Sood
- Re: [Add] Draft Posting: CNAME Discovery of Local… Eric Rescorla
- Re: [Add] Draft Posting: CNAME Discovery of Local… tirumal reddy