Re: [DNSOP] NSA says don't use public DNS or DoH servers

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 02 February 2021 03:38 UTC

To: dnsop@ietf.org
References: <20210118212720.5E3806B53EC8@ary.qy>
From: Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <f17cb276-69d5-8d3c-018b-7cd10cfd28da@sandelman.ca>
Date: Mon, 01 Feb 2021 22:37:57 -0500
In-Reply-To: <20210118212720.5E3806B53EC8@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4EMAl7EIJpIWvjoGnAH5Fc4_YIM>
Subject: Re: [DNSOP] NSA says don't use public DNS or DoH servers

On 2021-01-18 4:27 p.m., John Levine wrote:
> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people

Sage advice.
In the OPSAWG where RFC8520 (MUD) currently lives, we are trying to 
codify advice to IoT manufacturers about these things.
Please see recently adopted: draft-ietf-opsawg-mud-iot-dns-considerations-00
The -01 is coming out next week with many clarifications.

Most of the advice is of the form, "Doctor it hurts when I poke myself 
in the eye", but there is a real tussle between shipping devices that 
work even when the "luser" (or their monopoly ISP) has toasted their 
local recursive server, vs privacy vs RFC8520 ACLs.

In fact, the reason I opened up the IMAP to dnsop (which I haven't time 
to read regularly, sorry) is because I wanted to ask to present at 
IETF110, with the hope of getting some additional review.
(I understand this WG decided not to standardize the term "QuadX", and I 
would dearly like an equally terse replacement.)