Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Doug Barton <dougb@dougbarton.us> Tue, 21 August 2018 04:59 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E5DE130DD9 for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 21:59:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dougbarton.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z7ABZ-3u-QIs for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 21:59:14 -0700 (PDT)
Received: from dougbarton.us (dougbarton.us [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD1571292F1 for <dnsop@ietf.org>; Mon, 20 Aug 2018 21:59:14 -0700 (PDT)
Received: from [192.168.10.247] (71-9-84-238.dhcp.snbr.ca.charter.com [71.9.84.238]) by dougbarton.us (Postfix) with ESMTPSA id 5695B79C for <dnsop@ietf.org>; Mon, 20 Aug 2018 21:59:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dkim; t=1534827554; bh=PuGpWq39m8Nt3U4ttKnaTuLbyNSmx+u3lY1jdpXLurI=; h=Subject:To:References:From:Date:In-Reply-To:From; b=LR2MvsZi7qbGV5yU9rkwTkDKNZiyLdLVARcJwj3wnfFtVN4kVXpJAoRCZf3iGvWTT +GYI56w1zJgqb9VgLMn3b3HQzr4LMAbAG4DGAKO+J/5JjKlhzsRYw1HSHdei+p0zlf jIo8tE/eX8c9QnMz00pQMFtWfGcMe0LDdCjs/4w4=
To: dnsop@ietf.org
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <alpine.DEB.2.20.1808201720060.3596@grey.csi.cam.ac.uk> <23C2BA0B-B4A7-49F2-9FFD-90B90E2928B5@bangj.com> <56B7EA81-A840-4320-BDD0-781E9D999904@vpnc.org>
From: Doug Barton <dougb@dougbarton.us>
Message-ID: <39906e2a-8c20-1a5e-c31b-baf5c3f7d7c4@dougbarton.us>
Date: Mon, 20 Aug 2018 21:59:13 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <56B7EA81-A840-4320-BDD0-781E9D999904@vpnc.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7jF-UE9Ygp7SBywXBQeNb89it_M>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 04:59:17 -0000

On 08/20/2018 06:11 PM, Paul Hoffman wrote:
> DHCP options are easy and cheap. However #2 was vexing. The proposal 
> that an OS say "oh look, there is a DoH server, I'll use that because it 
> is more secure than Do53" was what was controversial because of the 
> utter lack of DHCP security. Some of the folks on the mic line disagreed 
> with the assumption that, given two pieces of insecurely-acquired 
> information (a Do53 address and a DoH template) that the latter would 
> result with a more secure connection. A network admin can see the port 
> 53 traffic and see if there's crap in there; they can't see the inner 
> DoH traffic.

Paul,

You, like Ted, are looking at the problem the wrong way 'round. The USER 
is no worse with a DOH/DOT DHCP option than they are with the existing 
resolver option. 99.<many more 9s>% of users don't even know what DHCP 
is, they just want to connect their iDevice to the coffee shop WiFi.

Unless you can show how the user is harmed by the option, it's silly to 
oppose it.

Now, the network operator may very well be harmed by not being able to 
see the user's DNS traffic, if they are not the ones operating the 
resolver; because their opportunities to monetize NXDOMAIN, sell user 
data, etc. may be reduced, or go away entirely. If they ARE operating 
the resolver, they can still see all the DNS traffic they want to. And 
operators in the former case won't use the option anyway.

So again, what is the harm, to real world users, for having DHCP options 
to configure DOH or DOT?