Re: [DNSOP] SIG(0) useful (and used?)

Warren Kumari <warren@kumari.net> Thu, 21 June 2018 13:55 UTC

References: <6C8533C2-6510-4A0E-A7EA-50EB83E43A7D@isc.org> <alpine.DEB.2.11.1806192154190.916@grey.csi.cam.ac.uk> <CAHw9_i+KWdEQEyXE3AVKChrnYWOvhdm5uAZHpaz+tATyh0EmJA@mail.gmail.com> <CAJhMdTNqSq9fVpf6MrkJqsghKB40MP3BUBfq7xcGZ6_9W72Ggg@mail.gmail.com> <CAHPuVdVtGKjTpAu3ySi_C=Am+7pE-OX_e3M+T1+WGH0AL20oMQ@mail.gmail.com> <CAJhMdTOX5GfhkhFyRyWN6F-3B4D+pU7NOOewhM9SHdSSjy6uMQ@mail.gmail.com>
In-Reply-To: <CAJhMdTOX5GfhkhFyRyWN6F-3B4D+pU7NOOewhM9SHdSSjy6uMQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 21 Jun 2018 09:55:01 -0400
Message-ID: <CAHw9_iJo94iGt87X+fWPcHAFRtxcvrsw3VOKT412smdxfFTEOA@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Shumon Huque <shuque@gmail.com>, Tony Finch <dot@dotat.at>, Ondřej Surý <ondrej@isc.org>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kX_MJDOPEklJ4k6Zt3EbgiW4TNQ>
Subject: Re: [DNSOP] SIG(0) useful (and used?)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Thu, Jun 21, 2018 at 4:52 AM Joe Abley <jabley@hopcount.ca> wrote:

> On Jun 20, 2018, at 21:05, Shumon Huque <shuque@gmail.com> wrote:
>
>
> On Wed, Jun 20, 2018 at 7:30 PM Joe Abley <jabley@hopcount.ca> wrote:
>
>> On Jun 20, 2018, at 19:07, Warren Kumari <warren@kumari.net> wrote:
>>
>> ... what I'd always wanted[0] was to be able to setup my own recursive
>> name server somewhere on the Internet, and then only allow myself (and a
>> few of my closest friends) to be able to query it.
>>
>> For this particular use-case, why is SIG(0) better than TSIG?
>>
>
> Either might be fine in these small user scenarios.
>
>
> Yes, I know, hence the question. Warren usually has his reasons :-)
>

Yes, but these are often related to "because it amused me or seemed like a
good idea at the time", and so it is always worth checking :-)

I was wanting to be able to provide this on the order of 50 - 100 devices.
This includes all my devices, including laptops, phones, tablets, travel
routers, kindle, and all of my wife's devices (similar set), and my aunty
Sue's devices. Ideally this would also be usable for something like a small
enterprise (without having a full VPN). Managing TSIG keys for all those
seems tricky.

I don't actually think that TSIG would do what I want either -- technically
it could, but I think that what is missing is the ability to easily
configure keying information in /etc/resolv.conf (or other stub config).
Ideally I'd like to add something to resolv.conf (or similar) saying:
nameserver 192.0.2.53 key 0xbadc0ffee

I think that 95% of the issue is on the stub side.

Paul's https://github.com/BII-Lab/DNSoverHTTP and Stubby both come fairly
close to solving this. The more I think about it, DPRIVE and DoH are
driving towards what I want.


> The follow-on question was why he needs this functionality in the stub
> resolver rather than running a local copy of BIND9 (bound to localhost,
> configured appropriately) and pointing his stub resolver at that.
>

A couple of reasons:
1: I'd like to be able to take advantage of a shared cache
2: I'd like to be able to use this for my {mac, androids, iPhone / iPads,
linux laptops}, my wife's {mac, iPhone / iPads, linux laptops}, travel
router, kindle, etc.
Apart from the fact that I cannot run BIND / Unbound on many of these
devices, keeping this many full nameservers watered and fed would be
annoying.


W



>
>
> Joe
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
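The message above contrasts TSIG (a shared secret per client, which the resolver has to manage) with SIG(0) (a per-client public key), and sketches a resolv.conf-style line that would hand a stub its key. The block below is an added example, not code from this thread, from BIND, Stubby or any other DNS implementation: it builds a query, signs it the way a TSIG-capable stub would (RFC 8945, HMAC-SHA256 over the message plus the TSIG variables), and verifies it on the resolver side by looking the shared secret up by key name. The key name `laptop.keys.example.`, the secret, the query and the timestamps are constructed for illustration; the resolver-side key table is assumed to be a plain dict loaded from configuration. Standard library only.

```python
"""TSIG (RFC 8945) signing of a stub query and resolver-side verification,
standard library only.  Added example, not code from this thread or from
any DNS implementation; key name, secret, query and timestamps are
constructed for illustration."""
import hashlib
import hmac
import struct
import time

ALG_HMAC_SHA256 = "hmac-sha256."
TYPE_A, TYPE_TSIG = 1, 250
CLASS_IN, CLASS_ANY = 1, 255


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, msg_id):
    """Recursion-desired query with a single question and empty other sections."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' digested after the message: key name, class ANY,
    TTL 0, algorithm name, time signed (48 bit), fudge, error, other data."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(ALG_HMAC_SHA256) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, keyname, secret, time_signed=None, fudge=300):
    """Stub side: append a TSIG RR carrying HMAC(message + TSIG variables)."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, message + tsig_variables(keyname, time_signed, fudge),
                   hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    arcount = struct.unpack("!H", message[10:12])[0]
    rdata = (wire_name(ALG_HMAC_SHA256) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    rr = wire_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def _skip_name(buf, off):
    """Advance past a name, stopping at a root label or a compression pointer."""
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)


def _read_name(buf, off):
    """Read an uncompressed name (assumption: TSIG key/algorithm names are sent uncompressed)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1


def tsig_verify(signed, keys, now=None):
    """Resolver side: locate the trailing TSIG RR, pick the shared secret by key
    name, check the time window, and recompute the MAC over the message as it
    was before signing (TSIG RR removed, ARCOUNT decremented, original ID restored)."""
    now = int(time.time()) if now is None else now
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4
    last = off
    for _ in range(an + ns + ar):
        last = off
        off = _skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    if off != len(signed):
        return False
    keyname, p = _read_name(signed, last)
    if struct.unpack("!HH", signed[p:p + 4]) != (TYPE_TSIG, CLASS_ANY):
        return False
    alg, p = _read_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    secret = keys.get(keyname.lower())  # one shared secret per client device
    if alg != ALG_HMAC_SHA256 or secret is None or abs(now - time_signed) > fudge:
        return False
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:last])
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)
```

The `keys` table is the part that scales badly in the scenario described: every one of the 50 to 100 devices needs its own entry, each entry is a symmetric secret that must be provisioned to both ends and rotated on both ends, and anyone who reads the resolver's table can forge queries as any device. With SIG(0) (RFC 2931) the resolver would instead hold only public keys, so the same table leaks nothing usable for impersonation; the example deliberately stops at TSIG because that is the mechanism whose per-client key handling the message finds awkward.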