Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie <paul@redbarn.org> Tue, 21 August 2018 02:43 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99632130E02 for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 19:43:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHmKM-WVxUm6 for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 19:43:57 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CA96130DF6 for <dnsop@ietf.org>; Mon, 20 Aug 2018 19:43:57 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:9061:ce0d:93bf:336d] (unknown [IPv6:2001:559:8000:c9:9061:ce0d:93bf:336d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 27209892C6; Tue, 21 Aug 2018 02:43:57 +0000 (UTC)
Message-ID: <5B7B7C6B.8070909@redbarn.org>
Date: Mon, 20 Aug 2018 19:43:55 -0700
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.25 (Windows/20180328)
MIME-Version: 1.0
To: Tom Pusateri <pusateri@bangj.com>
CC: Paul Ebersman <list-dnsop@dragon.net>, dnsop <dnsop@ietf.org>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <alpine.DEB.2.20.1808201720060.3596@grey.csi.cam.ac.uk> <23C2BA0B-B4A7-49F2-9FFD-90B90E2928B5@bangj.com> <56B7EA81-A840-4320-BDD0-781E9D999904@vpnc.org> <B5CCB149-BEE2-46D4-BF3C-C32D5BCA3EA3@bangj.com> <20180821014030.C2678AD6354@fafnir.remote.dragon.net> <922DCF48-BA8A-42B8-99BA-2B367D981568@bangj.com> <5B7B7718.7090301@redbarn.org> <EEEB9610-FB85-475D-ACF4-8F07E9884D8D@bangj.com>
In-Reply-To: <EEEB9610-FB85-475D-ACF4-8F07E9884D8D@bangj.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/z-QXsMuLd8S_nTkNWwMiG0XldvI>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 02:43:59 -0000


Tom Pusateri wrote:
>
>> On Aug 20, 2018, at 10:21 PM, Paul Vixie<paul@redbarn.org>  wrote:
>> if DOH is widely used by criminals, botnets, and malware to bypass
>> perimeter security policy, then there will be a big problem and we
>> will be solving it for many years to come, even if the browser is
>> the only thing using it. browsers are where most modern vulns have
>> occurred, and i expect that trend to accelerate. "because that's
>> where the money was.”
>
> I can see good use cases and bad ones.

all power tools can kill.

> If web servers did DNSSEC validation and only served addresses for
> names that were validated, I wouldn’t have a problem with that at
> all.
>
> If web servers only served addresses for names within the domain of
> the web server, I wouldn’t have a problem with that either.
>
> if they start serving non DNSSEC validated addresses for names
> outside their domain, I think they’re overreaching.

DOH's use will be indiscriminate, and will reach DNS servers who have 
web protocol front ends, who will offer full-spectrum RDNS. there will 
be no binding or relation at all between the web content servers and the 
DNS content servers who happen to use web protocols. so, please worry.

-- 
P Vixie