Re: [dns-privacy] Discovery of DNS over (not 53) and ALPN

"Martin Thomson" <mt@lowentropy.net> Mon, 16 December 2019 04:06 UTC

Message-Id: <0269b662-17d6-4302-bb65-afaa627dd2e0@www.fastmail.com>
In-Reply-To: <57E4F3C9-B313-4F8F-B7AE-F815A8966BA7@bangj.com>
References: <CA+9kkMAmsK746ViRb9tXkJX+t_paOGpWCN3i78WK_t86bLGUnQ@mail.gmail.com> <CAKC-DJhiZAv8gESrhvUc5v86TcRXrfASq4ujQ3BxOYnuENrBjg@mail.gmail.com> <CA+9kkMA1LC2tMKjqF5Lvthhs+3iNS=hUZLoJXqZG9F8COutDUA@mail.gmail.com> <1e2a07b6-89cc-40aa-a617-db39765779a6@www.fastmail.com> <57E4F3C9-B313-4F8F-B7AE-F815A8966BA7@bangj.com>
Date: Mon, 16 Dec 2019 15:06:32 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Tom Pusateri <pusateri@bangj.com>
Cc: dns-privacy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/xwd63XlYH_thq1CQDj5HdlUKgXI>

On Mon, Dec 16, 2019, at 13:40, Tom Pusateri wrote:
> 
> 
> > On Dec 15, 2019, at 7:35 PM, Martin Thomson <mt@lowentropy.net> wrote:
> > 
> >> So, let's back up a step: are people interested in using DHCP and RA as 
> >> part of the discovery story here or not?
> > 
> > I am.
> > 
> > I tend to think that https://thpts.github.io/draft-peterson-dot-dhcp/draft-peterson-dot-dhcp.html is a reasonable start here. Sure, it makes some assumptions, and leaves some of the harder 8310-style questions unanswered, but that's where I think we should be paying more attention anyway.
> 
> This is at least the fourth list that DoT discovery over DHCP has been 
> discussed (see DoH, DNSOP, and DRIU).
> 
> In the previous three times, it was rejected as not a trustworthy source.
[...]
> https://www.youtube.com/watch?v=cfEX8zuoRAA

I refreshed my memory here and my interpretation of Ted's presentation is perhaps different than what you took away.  I could make one of two inferences:

1. Don't allow the network to configure DNS.  You can't trust it.

2. Be clearer about the trust model when you allow the network to provide this information.

There was a bunch of other noise about the shortcomings of DHCP, but this was the central point.

The first might be read as a firm argument for certain DoH deployment arrangements.  Arrangements that have proven to be highly controversial.  Your own introduction to the next presentation acknowledged the shortcoming and even identified a trust model or two that might fit within the remit of the second option.