IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information

Joe Abley <jabley@hopcount.ca> Mon, 05 August 2019 12:52 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46AC51201DD for <dnsop@ietfa.amsl.com>; Mon, 5 Aug 2019 05:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7DdMIlzJEyM for <dnsop@ietfa.amsl.com>; Mon, 5 Aug 2019 05:52:32 -0700 (PDT)
Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE2601201F1 for <dnsop@ietf.org>; Mon, 5 Aug 2019 05:52:32 -0700 (PDT)
Received: by mail-io1-xd43.google.com with SMTP id g20so167023489ioc.12 for <dnsop@ietf.org>; Mon, 05 Aug 2019 05:52:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=tbmNbGaumbqkLKuNNq31NaVl5a6qsFylqZxn3lKzsxQ=; b=l+mg9VkT/clEA57UjJRsAF4Zjkm1OrT6KdPo+cm0DW3uU9WTH0qQMxP5/cCisCqzLo Xo9mgIKBtiqMhdyLmyBIKTBPuf1Q5iJe092T4SGOkgudh3bh+zodSYqBh1Hbju74MyIL CHitAjf1Z7P6p3N+oN+bRbb5AKZR/UDvrBizs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=tbmNbGaumbqkLKuNNq31NaVl5a6qsFylqZxn3lKzsxQ=; b=QwkAG2WYvIWUQC1BdggoJwf3UBuhrgjoSuZv1JFX9W/mGjjac+PbMtmplKdguCqJap yJbLRyFqlgFJcDXSTf+IMFdwd4UPA3ra+gDaZoNcKairmJaol4YSA6yA1WdxYeBPGNNo TCuysuyJFeMaSvuqAfOt8SAvvWABx8PRadagL8wdRYHbxfsn0fEhvy5jpytF+I9uu9q1 0XB96oFynPE+s52aciPmWqKspPhRBoaIGEV8mCsAdhcAKgG3ZrOaMFr3KyJ91Pbo5Sv3 xQGrj+hKQFL0C5MFoU22OtdYfEcJqS8P8XgehFhxCy+wFBnemgVtyp25hRsC2vTYTUCd 8uGQ==
X-Gm-Message-State: APjAAAXvcbqT6jSe60z+MJHNALZG/UMmPTTV+nlHk8mmVrXk9nk+riZu vQkwUbYmtfJBuUIOEhS4PO8=
X-Google-Smtp-Source: APXvYqyLiOPAg+ov88+JJWZmfmlyJeolqcMNMWgIZ+QAcGISg2uzkZoFxXroFUaCZuOV9aNW16l7nQ==
X-Received: by 2002:a6b:c081:: with SMTP id q123mr63968272iof.210.1565009551214; Mon, 05 Aug 2019 05:52:31 -0700 (PDT)
Received: from [192.168.1.50] (24-246-23-138.cable.teksavvy.com. [24.246.23.138]) by smtp.gmail.com with ESMTPSA id n22sm126849648iob.37.2019.08.05.05.52.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 05 Aug 2019 05:52:29 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
Message-Id: <A2FB32FA-E67D-4418-9592-C282EF11676E@hopcount.ca>
Content-Type: multipart/signed; boundary="Apple-Mail=_33D50CA2-FA91-4D9E-B751-E758932B1B4C"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 05 Aug 2019 08:52:28 -0400
In-Reply-To: <e783894a-90de-4dcf-94c9-dee90982a650@www.fastmail.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
To: Martin Thomson <mt@lowentropy.net>
References: <CADyWQ+EUk_Qmnk=x3-om1OMjSMFrhd9qFUKTEBk6qWjh6fgRXQ@mail.gmail.com> <93191ae0-39e9-4a0f-9750-b553292266bd@www.fastmail.com> <CDF505A0-09FE-41C6-A197-46C407BE1AFF@icann.org> <e783894a-90de-4dcf-94c9-dee90982a650@www.fastmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/joJPEHopE2adVizRwcTNhaeHW4Q>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Aug 2019 12:52:40 -0000

On 4 Aug 2019, at 21:00, Martin Thomson <mt@lowentropy.net> wrote:

> On Sun, Aug 4, 2019, at 00:37, Paul Hoffman wrote:
>>> I think that I might have said this before, but I don't think that asking an HTTP server about a DNS server is the right solution.
>> 
>> It is not "the" right solution, but it is one of them. That's why there
>> is also a DNS-based solution in the same document.
> 
> Let me be slightly more pointed then.  I think that documenting a solution that has one protocol speak for another would be a bad idea.  Even if there is a better way to do the same thing in a "better" way.

and

>>> The RESINFO RRtype seems OK, but I have less confidence in my ability to assess that aspect of this.  The only thing that bothers me is the potential for 1.0.0.10.in-addr.arpa and friends to leak and ruin the protocol for everyone.
>> 
>> Please say more here. Who do you think would be publishing at 10.0.0.1?
> 
> A good proportion of the resolvers I talk to operate from 1918 space, how else would they advertise this information?  I don't care if they are merely proxies, and nor should it matter if they are.
> 
> The fact that they are proxies means that my ISP is likely going to be the one fielding RESINFO queries for 10.0.0.1 and friends.

together also trigger discomfort for me. DNS and HTTP requests might generally follow the same gradient as far as network address translation goes (escaping to ever-shallower NAT domains) but it's worth remembering that the gateways between the layers are not always just gateways at the IP layer; some are ALGs. The addresses that services are reachable at can can change between layers, as (in general) do the addresses used for proxy requests in the case of ALGs.

I'm concerned about the cases where:

(a) the data enclosed within a RESINFO response includes embedded IP addresses that may not match the addresses that correspond to the resolver service as viewed from another addressing domain, and

(b) the potential for HTTPS and DNS ALGs to further confuse matters as the system generating the RESINFO response for one retrieval protocol might not be the same as for the other.

I realise it's tempting to imagine that HTTPS is not subject to explicit or implicit handling by ALGs; however, anecdotally at least, SSL-stripping (e.g. with jurisdiction-specific trust anchors installed on clients) is on the rise and not just in enterprise networks. I've also seen networks where traffic is routed by policy in different directions according to transport-layer addresses, e.g. for reasons of available capacity or latency.

So I echo the concern about having one protocol speaking for another. I haven't quite got my head around what I think about RESINFO in general but this particular aspect seems like a more general weakness that is worth highlighting.


Joe

v2.23.0 | Report a Bug | By Email