IETF Logo Mail Archive

Re: [Add] What to do in this potential working group

Alec Muffett <alec.muffett@gmail.com> Wed, 21 August 2019 20:24 UTC

Return-Path: <alec.muffett@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F9FD120091 for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 13:24:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKZFuUZA4OmJ for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 13:24:35 -0700 (PDT)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E01AD12002E for <add@ietf.org>; Wed, 21 Aug 2019 13:24:34 -0700 (PDT)
Received: by mail-yb1-xb2e.google.com with SMTP id t5so1565366ybt.4 for <add@ietf.org>; Wed, 21 Aug 2019 13:24:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kT/Cg6qQEmr13Tf3ElFoAGOmJmJNeCR/Urf7QOoHxlY=; b=LOxMSjfOUxI2y2eLkYQlrJQq10IjuJPduVDlC21tzmI5QjMG4TNg7kuFa7Iv4ArgCi XJEve/tiziVfSvBXfa0xVvfOYuZs/YLfEAhHdQfdzHXptm1Ffxc9P2Xiu84HTRi06XZ3 uNctTonmxpEqA7nGJy/da4UXei0QoNQp1urNAajFjzL+Y873Qtx/UimG1aRCXc0XciQ0 k9VFgn2zuak+l3q/jZp6GJ7hN6ML+4r/cYxlp8XOgvk55zlgdwks8XtwK9Vj1X+Q5sL8 wcud15Yx0BjKl1mrWTDSIAhMmT2YBgcie6/iwxgJE0WtFXFarOC9J3axxUK8P6LvoOj+ 0Ggw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kT/Cg6qQEmr13Tf3ElFoAGOmJmJNeCR/Urf7QOoHxlY=; b=JfdFBdfTPkg90em7rTY6aJXVVqfsg1Ga0e3MAbUbXWlrForL/Qm/H0H9vfSLPDz/YH +t+B3NYF/TkKvvOO0n5K094+nsqaQG3RX/s+LaLFq99y3IayLvCXx2lgvNd73RSB3156 6xKAEssLjdXj6p+FmfFuHJhSMNLWQqLnbG/zsFmeF0HmhmHI1dRm+Ec3Q7sm5bDxea9N 2zokm6ATdWD1K3gsOueCSwT2tuetrSFtXf/pmd4q+q73w719SdpAKEucZQODreW7au8V hRB3bST4UeT+ODFfsmbH35fqEmlo2Aim9iiFLK0KNX2idX40pKTJL9E1b8Hze1L2uTzV SSfw==
X-Gm-Message-State: APjAAAVHhjYJkHCOpykdVUXyRVTVgIHjJkshFuVBPSteh2LsefIyxCa7 EVFx4nt3CsiUGfZMNSn9LW00b4V0YSWVU7v9jJk=
X-Google-Smtp-Source: APXvYqyRJROZ65ux82ZCNv2YF/AJcaGz91zdJeaI5eZytULhxJqckNqatdrZ7oiC5sa2u2KQ/j6la1MGRmjGlXslQZ4=
X-Received: by 2002:a25:778f:: with SMTP id s137mr25301197ybc.245.1566419073922; Wed, 21 Aug 2019 13:24:33 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org>
In-Reply-To: <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org>
From: Alec Muffett <alec.muffett@gmail.com>
Date: Wed, 21 Aug 2019 21:24:23 +0100
Message-ID: <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com>
To: David Conrad <drc@virtualized.org>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000787d260590a65ca2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/wW20LA1sSy9k2ZDYQYgTiWhBGjQ>
Subject: Re: [Add] What to do in this potential working group
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 20:24:38 -0000

On Wed, 21 Aug 2019, 19:17 David Conrad, <drc@virtualized.org> wrote:

> Further, you cannot ensure to the end user that the “trusted” resolver
> operator has not tampered with the data, be it due to court order, internal
> attack, software bugs, etc.
>

But you can assure that it is a response from the resolver which you chose
(contracted?) to deal with,  rather than some happenstance resolver.

This latter is a major dent in the typical broad DNS threat model, one
which is glibly underplayed by those who would demand some theoretical and
upcoming "perfection" of trust - eg: DNSSEC - when a "better than extant"
option is already available and ready to be adopted by appropriate clients,
in the form of DoH.

To play with metaphor: Seatbelts won't protect you if your car's petrol
tank explodes or if a meteor lands on it; but that's not an argument to
deride seatbelts. One could attempt to make the argument "we won't need
seatbelts when we have a car which is proof against meteorite strike!" -
but I for one shall still wear them, and where they are not available - for
instance on a bicycle - then I shall not.

Equally: I shall (as available) use DoH, Do53, and perhaps even DoT on
occasion, and I shall look down scornfully upon anyone who suggests that
there is only one true DNS resolution transport.

And I will lobby for DoH as "better than extant, where available" — and not
hold my breath for bolt-ons like DNSSEC.

-a

v2.23.0 | Report a Bug | By Email