Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie <paul@redbarn.org> Sun, 19 August 2018 01:21 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 920A3130DD1 for <dnsop@ietfa.amsl.com>; Sat, 18 Aug 2018 18:21:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxWc_4Q5Y7eC for <dnsop@ietfa.amsl.com>; Sat, 18 Aug 2018 18:21:28 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5742A130DCF for <dnsop@ietf.org>; Sat, 18 Aug 2018 18:21:28 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:1c6f:2fd8:8c7b:9a62] (unknown [IPv6:2001:559:8000:c9:1c6f:2fd8:8c7b:9a62]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 106B9892C7; Sun, 19 Aug 2018 01:21:28 +0000 (UTC)
Message-ID: <5B78C60E.4010307@redbarn.org>
Date: Sat, 18 Aug 2018 18:21:18 -0700
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.25 (Windows/20180328)
MIME-Version: 1.0
To: Ted Lemon <mellon@fugue.com>
CC: =?windows-1252?Q?Marek_Vavru=9Aa?= <mvavrusa@cloudflare.com>, dnsop <dnsop@ietf.org>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1=-792WkQmbTigPdqOh0dONykYycG0hheOecoQa4ai=Hw@mail.gmail.com> <CAC=TB11tG4o0dkavXGb20=DGBCrmVoRP60bpzsvq5=Q0zFjhDg@mail.gmail.com> <CAPt1N1kj7Y0dPLeDk=PMqQEpAd-Mvds6VLT8XUC1BYOfdyUbJA@mail.gmail.com> <CAC=TB125M81nwiCTNr8Vbee+Z7Fh_3L+6EdZ8evXVzP-2ji4fg@mail.gmail.com> <CAPt1N1n9hDUZQ-Ltvs73T20=fpG-FR_j-t4m0kMapDiv2Us1kw@mail.gmail.com> <5B78BFB9.40103@redbarn.org> <CAPt1N1nEH86yPvtoNqJ+xM-OFunEqr2x8s2LV_yFU1fkVt9WUQ@mail.gmail.com>
In-Reply-To: <CAPt1N1nEH86yPvtoNqJ+xM-OFunEqr2x8s2LV_yFU1fkVt9WUQ@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yWUK7yEvPLg28e-ir68_lMwBOh8>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2018 01:21:29 -0000


Ted Lemon wrote:
> The thing is that most devices don't connect to just one network.   So
> while your devices on your network can certainly trust port 853 on your
> network, when they roam to other networks, they have no reason to trust
> it.

that's far afield of my stated use-case.

if i receive advice and pre-shared key, concerning tcp/853, from my dhcp 
server, the tcp/853 service i'm advised to use may not be on my own 
network, it could be part of my corporate VPN, or an anycasted 
commercial service, or almost anywhere else.

in that case, my DHCP transaction was local, and my resulting TCP/853 
transactions won't be local. and in that case i will have a greater 
reason to trust the pre-shared key and the TCP/853 advice because of 
where i received it, than i would have reason to trust privacy or 
integrity of the path to a UDP/53 + TCP/53 ("traditional DNS") server.

roaming is another matter, because in those cases, i'll speak DHCP to 
some new network provider, and will receive some advice concerning an 
RDNS service from that new DHCP transaction, which will obviate any 
previous advice, or whether i took that advice, or how trustworthy that 
advice turned out to be.

> ... If you have devices that never roam to other networks, that's
> fine, but we have to design for the more general case.   There's no way
> with DHCP for the device to tell that it's connected to a particular
> network, other than matching IP addresses, which isn't a great idea.

if i'm not roaming, i won't receive RDNS advice from the other DHCP 
servers that i never come into contact with. this seems a non-sequitur.

if i am roaming, then anyone who hands me an address via DHCP should 
feel free to advise me as to what DNS service i use, including a TCP/853 
service for which a pre-shared key may be needed. because the network 
operator may forbid and prevent the use of other DNS services which i 
may prefer, it would be wise for me to listen to that advice, and 
consider following it, especially if my usual service can't be reached 
while operating on said network.

roaming is off-topic. DHCP authentication and integrity is off-topic. 
this is a simple proposal to allow a network operator to include TCP/853 
("DoT") advice including pre-shared keys in their DHCP responses. it 
ought to be drama-free.

-- 
P Vixie