Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Doug Barton <dougb@dougbarton.us> Mon, 20 August 2018 00:28 UTC

To: dnsop@ietf.org
References: <CAPt1N1nEH86yPvtoNqJ+xM-OFunEqr2x8s2LV_yFU1fkVt9WUQ@mail.gmail.com> <53074d98-a8ef-9127-edc7-d3e3188c2453@dougbarton.us> <CAPt1N1muo07jvDmyM+oL96Ow1RXGcsgVKX51S86CUcedirzvew@mail.gmail.com> <20180819.204841.532639858.sthaug@nethelp.no> <CAPt1N1nFW_h1i9cetKXm1isp9aUDKH73ZB+3trabFZd9NSDZkw@mail.gmail.com> <40510317-dadc-7d93-543a-7da71fafd288@dougbarton.us> <CAPt1N1kHHKwKiKsncK7QjHNPsCs5mCOzp_=1LO=Ci3HfQ9dw7Q@mail.gmail.com> <CAArYzrKTehNQ=4hS+QG_VuN-+x-aX6o2c88WgY4OrnhMa-xv9g@mail.gmail.com>
From: Doug Barton <dougb@dougbarton.us>
Message-ID: <d3e70186-34d8-01d2-fa08-bb4ba3a16fd4@dougbarton.us>
Date: Sun, 19 Aug 2018 17:28:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RjFLQvmY891Jfc2tMo2ipMA5g6Y>

On 08/19/2018 04:57 PM, manu tman wrote:
> 
> 
> On Sun, Aug 19, 2018 at 4:46 PM Ted Lemon <mellon@fugue.com> wrote:
> 
>     A user who relies on the dhcp server for dns server info is no worse
>     off. The problem is that if your host lets the dhcp server override
>     the DoT or DoH configuration you entered manually, you are a lot
>     worse off. 
> 
> 
> 
> This seems to be a static vs dynamic setup. Either you use dynamic and 
> you will happily accept what you get from DHCP and possibly upgrade to 
> (HTTP|TL)S or you have set your resolvers statically and you are already 
> ignoring the nameservers provided by the DHCP server.
> If you do not accept the servers provided by DHCP, there is no reason 
> you would accept extra attributes for those same nameservers.
> Manu

Yes, those are my thoughts precisely.

I don't see a risk model where a user configures DOH or DOT servers 
explicitly, but does not disable DHCP configuration for DNS. Am I 
missing something?
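As an added illustration of the static-vs-dynamic rule argued in this thread (example code, not from any poster or from the draft under discussion): a host either trusts DHCP for its nameservers, in which case a DHCP-supplied DoT/DoH upgrade hint for those same servers is acceptable, or it has manually configured resolvers and ignores DHCP entirely. The DHCP option 6 decoding follows RFC 2132; the `dhcp_upgrade` hint (a URI string) and all names here are assumptions, since the draft's attribute encoding is not shown on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ResolverConfig:
    """Effective resolver settings for one host (constructed model, not from the draft)."""
    nameservers: Tuple[str, ...]   # plain Do53 addresses
    encrypted: Optional[str]       # e.g. "dot://dns.example.net"; None = plaintext only
    source: str                    # "manual" or "dhcp"


def parse_dhcp_option6(payload: bytes) -> Tuple[str, ...]:
    """Decode DHCP option 6 (Domain Name Server): a list of 4-byte IPv4 addresses."""
    if len(payload) == 0 or len(payload) % 4:
        raise ValueError("option 6 payload must be a non-empty multiple of 4 bytes")
    return tuple(str(ipaddress.IPv4Address(payload[i:i + 4]))
                 for i in range(0, len(payload), 4))


def merge_resolver_config(manual: Optional[ResolverConfig],
                          dhcp_nameservers: Tuple[str, ...],
                          dhcp_upgrade: Optional[str]) -> ResolverConfig:
    """Static-vs-dynamic rule from the thread.

    Manual resolvers win outright: DHCP input, including any DoT/DoH attribute it
    carries, is ignored, so a rogue or misconfigured DHCP server cannot redirect or
    downgrade an explicitly configured encrypted resolver. Without manual settings
    the host already trusts DHCP for its nameservers, so it may also take the
    upgrade hint (assumed format: a URI for those same servers) opportunistically.
    """
    if manual is not None:
        return manual
    return ResolverConfig(dhcp_nameservers, dhcp_upgrade, "dhcp")


def unsafe_merge(manual: Optional[ResolverConfig],
                 dhcp_nameservers: Tuple[str, ...],
                 dhcp_upgrade: Optional[str]) -> ResolverConfig:
    """The behaviour Ted Lemon warns about: DHCP overrides the manual DoT/DoH config."""
    return ResolverConfig(dhcp_nameservers, dhcp_upgrade, "dhcp")


if __name__ == "__main__":
    # Constructed DHCP option 6 payload carrying 192.168.10.1 and 192.0.2.53.
    offer = parse_dhcp_option6(b"\xc0\xa8\x0a\x01\xc0\x00\x02\x35")
    manual = ResolverConfig(("192.0.2.1",), "dot://dns.example.net", "manual")
    print(merge_resolver_config(manual, offer, "dot://192.0.2.53"))  # manual kept
    print(merge_resolver_config(None, offer, "dot://192.0.2.53"))    # DHCP + hint
    print(unsafe_merge(manual, offer, None))                          # manual DoT lost
```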