Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <mellon@fugue.com> Tue, 21 August 2018 02:28 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Mon, 20 Aug 2018 22:28:15 -0400
Message-ID: <CAPt1N1k=xnSiF_DQXz6OS=MdRe5YHbL0CgXHAUdgWgH4vdBDMA@mail.gmail.com>
To: Tom Pusateri <pusateri@bangj.com>
Cc: Paul Vixie <paul@redbarn.org>, Paul Ebersman <list-dnsop@dragon.net>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_cpKSl5N4-ib5UsRYMNIGELmli0>

Of course, the question is, how does the consumer of that data decide what
is okay and what's not?   We can't just say that the server has to behave
correctly: someone has to enforce it.

On Mon, Aug 20, 2018 at 10:25 PM, Tom Pusateri <pusateri@bangj.com> wrote:

>
>
> > On Aug 20, 2018, at 10:21 PM, Paul Vixie <paul@redbarn.org> wrote:
> >
> >
> >
> > Tom Pusateri wrote:
> >> ... I don’t know if it’s generally accepted that DoH will replace
> >> UDP/53 or DoT in the stub resolver or DoH will just end up in the
> >> browsers as a way to speed up web pages. But if DoH stays in the
> >> browser and DoT is tried and used on all DNS servers, there’s not a
> >> problem to solve.
> >
> > if DOH is widely used by criminals, botnets, and malware to bypass
> perimeter security policy, then there will be a big problem and we will be
> solving it for many years to come, even if the browser is the only thing
> using it. browsers are where most modern vulns have occurred, and i expect
> that trend to accelerate. "because that's where the money was."
>
> I can see good use cases and bad ones.
>
> If web servers did DNSSEC validation and only served addresses for names
> that were validated, I wouldn’t have a problem with that at all.
>
> If web servers only served addresses for names within the domain of the
> web server, I wouldn’t have a problem with that either.
>
> If they start serving non-DNSSEC-validated addresses for names outside
> their domain, I think they’re overreaching.
>
> Tom
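As an added example (not code from this thread or from any draft under discussion), Tom's rule above written as a policy check a DNS-over-HTTPS front end could apply before returning an answer: it reads the AD (authenticated data) bit and the question name from a DNS wire-format response and allows the answer only if it was DNSSEC-validated or the name lies within the server's own domain. The server domain, the parser and the sample messages are all assumptions constructed for the example.

```python
import struct

# Minimal wire-format DNS parsing: header flags (for the AD bit) and the
# question name. Enough for the policy check; answer RRs are not inspected.

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", end

def parse_response(msg):
    """Return the question name and whether the AD bit (0x0020) is set."""
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, _ = _read_name(msg, 12)                     # question follows the 12-byte header
    return {"qname": qname, "ad": bool(flags & 0x0020)}

def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    domain = domain.lower().rstrip(".") + "."
    return name == domain or name.endswith("." + domain)

def policy_allows(msg, server_domain):
    """Assumed policy: serve only DNSSEC-validated answers (AD set) or
    answers for names within the web server's own domain."""
    r = parse_response(msg)
    return r["ad"] or in_domain(r["qname"], server_domain)

def build_response(qname, ad):
    """Constructed sample response: header plus question section only."""
    flags = 0x8180 | (0x0020 if ad else 0)             # QR, RD, RA (+ AD)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hdr + q + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
```

This is an operator-side control, which is Ted's point: the AD bit is only meaningful to a client that already trusts the server that set it, so enforcement has to happen somewhere the client can hold accountable.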