Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <mellon@fugue.com> Tue, 21 August 2018 18:00 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Tue, 21 Aug 2018 13:59:12 -0400
Message-ID: <CAPt1N1=Ot11V8rUtKU64SLqhf5KZA0cpU=Xy1mSO6D8zj3OzEg@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Cc: David Conrad <drc@virtualized.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, IETF DNSOP WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/egCk5jUcnxGyayYWulpdESXrb3c>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers

This is one of the problems with security. It always comes with
tradeoffs, and it always looks different depending on your perspective.
In fact, though, the people who are currently providing DoH service
actually have much greater visibility into the malware problem than you
possibly can. This doesn't mean that it doesn't suck for you to not be
able to collect the data, because at a university you presumably want to be
able to do research on the data. But that's one of the tensions here.
The answer to the observation "security requires us to make unpalatable
tradeoffs" is not "don't do security."

On Tue, Aug 21, 2018 at 1:52 PM, Bob Harold <rharolde@umich.edu> wrote:

>
> On Tue, Aug 21, 2018 at 1:37 PM David Conrad <drc@virtualized.org> wrote:
>
>> Vittorio,
>>
>> On Aug 21, 2018, at 3:33 AM, Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:
>>
>> If so, I can accept your use case: a smart user, knowing what he is
>> doing, does not want anyone else to sanitize his queries for him. But I
>> don't see why the best solution to your use case - which is quite a
>> minority case, though easily overrepresented in a technical environment -
>> is to build a sort of "nuclear bomb" protocol that, if widely adopted, will
>> destroy most of the existing practices in the DNS "ecosystem" (I'm using
>> the word that was being used at ICANN's DNS Symposium in Montreal),
>> including the basic security measures that protect the 99.9% of the users
>> who are not technically smart.
>>
>>
>> Perhaps I’m misunderstanding: are you saying the folks who provide
>> resolution services in a DoH world would have incentive to not follow basic
>> security measures?
>>
>> Regards,
>> -drc
>>
>
> At my university, our security group watches DNS rpz logs and DNS traffic
> logs for signs of malware, and takes action.  In a DoH world, I cannot
> imagine every third-party DoH provider giving our security group that
> information.  They will follow their own security measures, but will still
> affect ours because we lose visibility.
>
> --
> Bob Harold
>