IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information

Paul Hoffman <paul.hoffman@icann.org> Mon, 05 August 2019 14:45 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CD0C12022C for <dnsop@ietfa.amsl.com>; Mon, 5 Aug 2019 07:45:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A9vye0b79PZM for <dnsop@ietfa.amsl.com>; Mon, 5 Aug 2019 07:45:28 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA8B0120232 for <dnsop@ietf.org>; Mon, 5 Aug 2019 07:45:28 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 5 Aug 2019 07:45:27 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1473.005; Mon, 5 Aug 2019 07:45:26 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Joe Abley <jabley@hopcount.ca>
CC: Martin Thomson <mt@lowentropy.net>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
Thread-Index: AQHVSylDBZVGE4j2BUmbVyh90EZz46bs+EwAgAAfj4A=
Date: Mon, 05 Aug 2019 14:45:26 +0000
Message-ID: <9D78DB49-4DC2-42A3-8036-163D2EE104D8@icann.org>
References: <CADyWQ+EUk_Qmnk=x3-om1OMjSMFrhd9qFUKTEBk6qWjh6fgRXQ@mail.gmail.com> <93191ae0-39e9-4a0f-9750-b553292266bd@www.fastmail.com> <CDF505A0-09FE-41C6-A197-46C407BE1AFF@icann.org> <e783894a-90de-4dcf-94c9-dee90982a650@www.fastmail.com> <A2FB32FA-E67D-4418-9592-C282EF11676E@hopcount.ca>
In-Reply-To: <A2FB32FA-E67D-4418-9592-C282EF11676E@hopcount.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <043B3A01AAF33240BCE85CEF53546D1D@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NGn4gpHtoYf5pdl3dSPbCDk-USc>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Aug 2019 14:45:33 -0000

On Aug 5, 2019, at 5:52 AM, Joe Abley <jabley@hopcount.ca> wrote:
> I'm concerned about the cases where:
> 
> (a) the data enclosed within a RESINFO response includes embedded IP addresses that may not match the addresses that correspond to the resolver service as viewed from another addressing domain, and
> 
> (b) the potential for HTTPS and DNS ALGs to further confuse matters as the system generating the RESINFO response for one retrieval protocol might not be the same as for the other.

Both are fair points. But, having said that, which single transport for the resolver information would you pick? DNS is clearly more "native" to the resolver itself, but many people objected to the fact that it is unlikely to be authenticated due to lack of deployment of DNSSEC down the reverse tree, and significant lack of deployment of validating stubs. HTTPS is clearly easier to authenticate with trusted CAs or DANE (for those few stubs that do validate), 

> I realise it's tempting to imagine that HTTPS is not subject to explicit or implicit handling by ALGs; however, anecdotally at least, SSL-stripping (e.g. with jurisdiction-specific trust anchors installed on clients) is on the rise and not just in enterprise networks. I've also seen networks where traffic is routed by policy in different directions according to transport-layer addresses, e.g. for reasons of available capacity or latency.

Yep. The real question is whether we react to that by not using HTTPS at all, or use it anyway because it is more likely to get authentic answers to the client than DNSSEC is.

> So I echo the concern about having one protocol speaking for another. I haven't quite got my head around what I think about RESINFO in general but this particular aspect seems like a more general weakness that is worth highlighting.

We should definitely add this discussion to the draft if the WG adopts it. 

--Paul Hoffman

v2.23.0 | Report a Bug | By Email