Re: [Doh] Maybe moving draft-ietf-doh-resolver-associated-doh to draft-sah-resolver-information

dagon <dagon@sudo.sh> Thu, 23 May 2019 15:23 UTC

Return-Path: <dagon@sudo.sh>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35EB31201D9 for <doh@ietfa.amsl.com>; Thu, 23 May 2019 08:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSJiQ-HyW_Ru for <doh@ietfa.amsl.com>; Thu, 23 May 2019 08:23:33 -0700 (PDT)
Received: from sudo.sh (hexakaideca.sudo.sh [198.177.251.74]) by ietfa.amsl.com (Postfix) with ESMTP id 9B926120179 for <doh@ietf.org>; Thu, 23 May 2019 08:23:32 -0700 (PDT)
Received: by sudo.sh (Postfix, from userid 1000) id D7F47270895; Thu, 23 May 2019 15:23:29 +0000 (UTC)
Date: Thu, 23 May 2019 15:23:29 +0000
From: dagon <dagon@sudo.sh>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: doh WG <doh@ietf.org>
Message-ID: <20190523152329.GB16799@sudo.sh>
References: <21EA7A61-2E10-431E-871F-CCE89728836F@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <21EA7A61-2E10-431E-871F-CCE89728836F@icann.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/AHuIA7OobPwELtvORL-6EAYuTL0>
Subject: Re: [Doh] Maybe moving draft-ietf-doh-resolver-associated-doh to draft-sah-resolver-information
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2019 15:23:49 -0000

On Wed, May 22, 2019 at 10:49:45PM +0000, Paul Hoffman wrote:

> Greetings again. For those in the DOH WG who are not also in the
> DNSOP WG, you may not have seen that Puneet Sood, Roy Arends and I
> have new drafts that would replace
> draft-ietf-doh-resolver-associated-doh. During IETF 104, and on this
> list, people asked why the mechanisms in
> draft-ietf-doh-resolver-associated-doh were only for DoH. In
> response, we created draft-sah-resolver-information and
> draft-sah-resinfo-doh. The former is a general way of asking
> resolvers for information about them; the latter is the definition
> of the DoH-related information.

One comment on draft-sah-resinfo-doh:

Compare the use of a new RRType, ${SUDN}.arpa/IN/RESINFO, which yields
a structured set of I-JSON fields, to a simple ${SUDN}.arpa/IN/A
approach, with merely returns a record pointing to an appropriate
server with resolver policy statements, perhaps on a web site or yaml
("This recursive blocks malware and ads, and per corporate policy all
resolution must be local. Resolve elsewhere at your professional
peril.  This is an M&A audit requirement."), and/or other meta data
useful to the stub's DNS path choices.

There are many advantages to RESINFO beyond well structured data,
including identifying/addressing stray ${SUDN}.arpa queries seen just
above-the-recursive by local operators (REFUSED, etc?).  And the
networks who wish to block DOH will likely trigger on
${SUDN}.arpa/IN/RESINFO?  queries, for captive portal education,
whereas triggering on SUDN IN/A? for DOH identification would have too
many false positives induced by DNS prefetching.  (Aside: This was yet
another global DNS accommodation for browsers, btw.)

Although IN/RESINFO is the correct approach, compared to IN/A, I've
been recently alerted to one potential draw back to a new RRType: some
of the meta data one hopes to expose (e.g., filtration policy) might
be easier to add or edit out-of-zone.

That is, the simple ${SUDN}.arpa/IN/A approach points to a web site,
which any summer intern in the legal department can edit (after the
DNS operators add their rrset and close the ticket).  In contrast,
${SUDN}.arpa/IN/RESINFO seems to inhere more extensive, or ongoing +w
access to a recursive config, with potentially significant impacts for
DOH users in the case of accidents.  This is fine for just DOH URI
fields, which don't change often.  But other data, not generated by
the DNS operator teams, will prove less agile.

Without existing appliance support for editing (and not merely rfc3597
sane passing) of a novel RRType, adoption might be slow, since the DNS
operators in organizations become entrained in the output of other
groups.  Many organizations affected by DOH (e.g., banks, mid-sized
and larger corps, ISPs) already have clear delineations in groups
around security, DNS, network operations, customer care, policy and
public statements.  Since draft-sah-resolver-information is designed
to have more than just DOH URIs (and potentially could include policy
details relevant to DOH pathing decisions), this seems important.

Had I realized this years ago, IN/RESINFO still would be the obvious
choice compared to IN/A, since well structured fields encourage app
developers to poll ${SUDN}.arpa for discrete information.  But the
existing DOH deployment suggests speeding RESINFO uptake/adoption.
Perhaps also supporting IN/A discovery of DNS filtration policy data
could be useful.

DNS appliance vendors would support IN/RESINFO of course, some quickly,
some eventually.  But IN/A could be done today on existing installs.
Perhaps a billion+ people have DOH available (currently off), and some
are using it to start small office fires.  Exposing LAN policy to the
apps quickly would help.  And it would discipline the anti-malware DNS
filtration industry around transparency-to-the-stub.  (We can expect
other DNS-abusive censors to continue to provide few or misleading
details, which the browsers might well ignore as likely L8 imposed
firewalls.)

>  Both Google and Mozilla have said here that they look forward to a
> way to find the DoH server associated with a user's resolver, so we
> hope that the work can move forward at a reasonable pace. However,
> if people in this WG think we're doing it wrong by having a general
> mechanism for querying resolvers, please speak up here.

Since users are already turning on DOH, there's urgency in exposing
network policy information to apps.  Not just the DOH URI, but the
imperative some networks see in DNS anti-malware filtering, as they
now shop for PACs/TLS interception solutions, post-DOH.

If you're revising draft-sah-resolver-information, could it support
both A and RESINFO?  (The former for rapid uptake/captive portal use
and avoiding portal triggering, the latter for standardized app
integration, once DNS appliances support federated editing.)  Or
anything just short of overloading TXT records once again?
Cf. https://www.cafepress.com/nxdomain/8592477

Or have I missed something making IN/RESINFO the exclusive solution
and not merely superior to IN/A?

I do like the general compass direction of
draft-sah-resolver-information: telling users about recursive DNS
settings and policy is wonderful.  This informs user consent and
alternative resolution path choices.  My thanks to the authors
for drafting their solution.

-- 
David Dagon
dagon@sudo.sh
D970 6D9E E500 E877 B1E3  D3F8 5937 48DC 0FDC E717