Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Doug Barton <dougb@dougbarton.us> Tue, 21 August 2018 04:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/exqgzxKwPTRbeQssCNBx8P6TVXw>

On 08/20/2018 09:22 PM, Bill Woodcock wrote:
> 
> 
>> On Aug 20, 2018, at 6:40 PM, Paul Ebersman <list-dnsop@dragon.net> wrote:
>>
>>> pusateri> There was general
>>> pusateri> agreement in the room that you only should use DHCP in IPv4
>>> pusateri> for address/router info and then use trusted sources for
>>> pusateri> everything else. In IPv6, SLAAC generally provides this.
>>>
>> That may be the consensus at the IETF but it's not even close to the
>> consensus with ISPs, nor large enterprise. That seems to cover most of
>> the eyeball/consumer... DHCP is still how much of the world gets
>> connected and that hasn't changed in decades.
>> DHCP is how hotspots, ISPs and enterprise work.
> 
> My experience corroborates Paul’s observation.
> 
>> Saying this is all broken and that we need to protect the world from
>> themselves by not having a DHCP option simply means that vendors will
>> have a slew of non-standard ways of doing it and we've helped no one.
> 
> …and I agree with his conclusion.
> 
>                                  -Bill

+1, FWIW