Re: [DNSOP] Draft for dynamic discovery of secure resolvers

"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 21 August 2018 01:11 UTC

From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Tom Pusateri" <pusateri@bangj.com>
Cc: dnsop <dnsop@ietf.org>
Date: Mon, 20 Aug 2018 18:11:10 -0700
Message-ID: <56B7EA81-A840-4320-BDD0-781E9D999904@vpnc.org>
In-Reply-To: <23C2BA0B-B4A7-49F2-9FFD-90B90E2928B5@bangj.com>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <alpine.DEB.2.20.1808201720060.3596@grey.csi.cam.ac.uk> <23C2BA0B-B4A7-49F2-9FFD-90B90E2928B5@bangj.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HojTcRqzkyf4AOSvIICsg7pqj_g>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers

On 20 Aug 2018, at 17:47, Tom Pusateri wrote:

>> On Aug 20, 2018, at 12:42 PM, Tony Finch <dot@dotat.at> wrote:
>>
>> Marek Vavruša <mvavrusa=40cloudflare.com@dmarc.ietf.org> wrote:
>>>
>>> https://github.com/vavrusa/draft-dhcp-dprive/blob/master/draft-dhcp-dprive.txt
>>
>> This is interesting to me because I want to support DoTH on my campus
>> resolvers.
>>
>> Regarding DoH, the DHCP option ought to include a URI template (there
>> isn't a .well-known for DoH). I plan to set up my servers so that
>> misdirected attempts to get web pages from the DoH server are redirected
>> to the relevant documentation; that's much easier if the DoH endpoint
>> isn't at the server root.
>
> Our variant of this same idea that Willem Toorop and I presented at 
> the DRIU BOF in Montréal has a URI for the DoH case:
>
> https://tools.ietf.org/html/draft-pusateri-dhc-dns-driu-00
>
> But let me remind everyone that there were a lot of people agreeing 
> with Ted in Montréal and so far, Ted appears to be standing all by 
> himself.
>
> Where are all the other folks that shot down this idea earlier? :)

Judging what was said at an excited mic line is always challenging. :-) 
Two issues are being conflated here:
1) a DHCP option to include a URI template
2) how the DHCP client in an OS would use that option

DHCP options are easy and cheap. However #2 was vexing. The proposal 
that an OS say "oh look, there is a DoH server, I'll use that because it 
is more secure than Do53" was what was controversial because of the 
utter lack of DHCP security. Some of the folks on the mic line disagreed 
with the assumption that, given two pieces of insecurely-acquired 
information (a Do53 address and a DoH template), the latter would 
result in a more secure connection. A network admin can see the port 
53 traffic and see if there's crap in there; they can't see the inner 
DoH traffic.

--Paul Hoffman
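As an added illustration of the client-side policy question raised above (issue #2, plus Tony's point that the DoH endpoint should not sit at the server root), here is example code that is not part of either draft or of anyone's message in this thread. It assumes a hypothetical DHCP offer carrying a Do53 address and a DoH URI template, and a hypothetical out-of-band list of provisioned DoH hosts; a DHCP-learned template is only used when its host is on that list, otherwise the client stays on Do53, which the admin can at least observe.

```python
import base64
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

DNS_VAR = "{?dns}"  # RFC 8484-style template variable for the GET form


@dataclass(frozen=True)
class DhcpOffer:
    """Hypothetical DHCP-learned values; both are unauthenticated."""
    do53: str                           # resolver address (constructed sample)
    doh_template: Optional[str] = None  # DoH URI template, if the option was present


def valid_doh_template(template: str) -> bool:
    """Sanity-check a DoH URI template: https, a host, an endpoint below the
    server root, and the {?dns} variable at the end."""
    if not template.endswith(DNS_VAR):
        return False
    parts = urlsplit(template[: -len(DNS_VAR)])
    return (parts.scheme == "https"
            and bool(parts.hostname)
            and parts.path not in ("", "/"))


def choose_resolver(offer: DhcpOffer,
                    provisioned_doh_hosts: FrozenSet[str]) -> Tuple[str, str]:
    """Return (transport, target). The DoH template is not trusted more than the
    Do53 address just because it arrived over DHCP; it is used only when its
    host was provisioned out of band (assumed allowlist)."""
    if offer.doh_template and valid_doh_template(offer.doh_template):
        host = urlsplit(offer.doh_template[: -len(DNS_VAR)]).hostname
        if host in provisioned_doh_hosts:
            return ("doh", offer.doh_template)
    return ("do53", offer.do53)


def doh_get_url(template: str, wire_query: bytes) -> str:
    """Expand {?dns} with the unpadded base64url wire-format query."""
    q = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode()
    return template.replace(DNS_VAR, "?dns=" + q)
```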