Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Doug Barton <dougb@dougbarton.us> Wed, 22 August 2018 05:05 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF1B7130E57 for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 22:05:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dougbarton.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fhq0woZLlceB for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 22:05:40 -0700 (PDT)
Received: from dougbarton.us (dougbarton.us [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4218130E48 for <dnsop@ietf.org>; Tue, 21 Aug 2018 22:05:40 -0700 (PDT)
Received: from [192.168.10.247] (71-9-84-238.dhcp.snbr.ca.charter.com [71.9.84.238]) by dougbarton.us (Postfix) with ESMTPSA id 39FBD79C for <dnsop@ietf.org>; Tue, 21 Aug 2018 22:05:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dkim; t=1534914340; bh=p8k4hGJqi/1fRIjRJduhdt2LB+qyv3Ea3F+ZrgKwEl4=; h=Subject:To:References:From:Date:In-Reply-To:From; b=QQruZ8VixDiU+vpc3wegAPjw6RkPS1TWjNMpFGb0y32qMWj/w/wDc18kvSi9bUQ4n YqXa3HwoNcvW+99Gl3MfrvqQNGXa9UgXGfVStnY17MWNdn7ylouPEWXl57UewZC7dv TERFOGaham9JQiGvG/JRGhp5BAcQaNdbT45Sgf2w=
To: dnsop@ietf.org
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <alpine.DEB.2.20.1808201720060.3596@grey.csi.cam.ac.uk> <23C2BA0B-B4A7-49F2-9FFD-90B90E2928B5@bangj.com> <56B7EA81-A840-4320-BDD0-781E9D999904@vpnc.org> <39906e2a-8c20-1a5e-c31b-baf5c3f7d7c4@dougbarton.us> <CAPt1N1nAm62ckNQjii3N6Df1ByQTo+d8Tmc9ifuBMVBmeDkj2w@mail.gmail.com> <eda78918-31ee-80dc-ea51-7467d4a8e23a@dougbarton.us> <CAPt1N1nMPo7pd0f_F16svP71dtx5F+2Xez-R9K9FeWkSC+Rnsg@mail.gmail.com>
From: Doug Barton <dougb@dougbarton.us>
Message-ID: <cf88aab9-4e57-9c6a-2fcf-5799f2e155f8@dougbarton.us>
Date: Tue, 21 Aug 2018 22:05:39 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAPt1N1nMPo7pd0f_F16svP71dtx5F+2Xez-R9K9FeWkSC+Rnsg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cyZB6wZnVRSVvC8Nohp0rS9HZMg>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2018 05:05:43 -0000

What conflicting information?

On 08/21/2018 08:11 PM, Ted Lemon wrote:
> We aren’t even talking about the same thing. I’m talking about figuring 
> out whether we need to offer guidance for how a host implementation 
> would handle conflicting information and, if so, what guidance to 
> offer.  You are talking about one of a number of different ways of 
> configuring DoT.
> 
> On Tue, Aug 21, 2018 at 11:04 PM Doug Barton <dougb@dougbarton.us 
> <mailto:dougb@dougbarton.us>> wrote:
> 
>     On 08/21/2018 05:48 AM, Ted Lemon wrote:
>      > On Tue, Aug 21, 2018 at 12:59 AM, Doug Barton
>     <dougb@dougbarton.us <mailto:dougb@dougbarton.us>
>      > <mailto:dougb@dougbarton.us <mailto:dougb@dougbarton.us>>> wrote:
>      >
>      >     You, like Ted, are looking at the problem the wrong way 'round.
>      >
>      > And this, in a nutshell, is why this discussion has gone on so long.
>      >   If you just caricature what the people you're conversing with say,
>      > then it's inevitably going to go like this:
> 
>     [ Snipped a bunch of arguments I didn't make ]
> 
>      > This is why discussions balloon in the IETF.   So now I have the
>     choice
>      > of either being silenced, or continuing to be Person A in this
>     charade.
>      >   I think I've spoken my peace.   If you want to proceed with
>     this work,
>      > please do not be surprised if, when the call for adoption comes,
>     I come
>      > in and say "I raised substantive objections to this, which were not
>      > addressed, so please do not take this on as a working group item."
> 
>     Ted,
> 
>     While I'm not concerned about the issues you raised in your caricature,
>     I feel that I have tried to engage you in your discussion of different
>     security models. My understanding is that your models devolve down to
>     two. Either the user configures a resolver themselves (whether it's
>     DOH/DOT or not), and user doesn't configure a resolver themselves. I
>     recognize the distinction you made between your models 1 and 3, and
>     further recognize that it's extremely important to some people. My
>     point
>     is that *from the standpoint of a DHCP option for DOH/DOT* it's not
>     relevant.
> 
>       From our discussion, it seems that you're in agreement with me
>     that if
>     a user isn't configuring a resolver explicitly that they are no worse
>     off with DOH/DOT than they are without it. Am I right so far?
> 
>     Meanwhile, you've also voiced an opinion that the presence of a DHCP
>     option implies some sort of endorsement by the IETF. I (and others)
>     replied that we've never heard of this, and disagree strongly with your
>     position.
> 
>     So other than the fact that we disagree on the endorsement issue, what
>     am I missing here?
> 
>     Doug
> 
> 
>     _______________________________________________
>     DNSOP mailing list
>     DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>     https://www.ietf.org/mailman/listinfo/dnsop
>