Re: [Doh] Maybe moving draft-ietf-doh-resolver-associated-doh to draft-sah-resolver-information
dagon <dagon@sudo.sh> Thu, 23 May 2019 15:23 UTC
Return-Path: <dagon@sudo.sh>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35EB31201D9 for <doh@ietfa.amsl.com>; Thu, 23 May 2019 08:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSJiQ-HyW_Ru for <doh@ietfa.amsl.com>; Thu, 23 May 2019 08:23:33 -0700 (PDT)
Received: from sudo.sh (hexakaideca.sudo.sh [198.177.251.74]) by ietfa.amsl.com (Postfix) with ESMTP id 9B926120179 for <doh@ietf.org>; Thu, 23 May 2019 08:23:32 -0700 (PDT)
Received: by sudo.sh (Postfix, from userid 1000) id D7F47270895; Thu, 23 May 2019 15:23:29 +0000 (UTC)
Date: Thu, 23 May 2019 15:23:29 +0000
From: dagon <dagon@sudo.sh>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: doh WG <doh@ietf.org>
Message-ID: <20190523152329.GB16799@sudo.sh>
References: <21EA7A61-2E10-431E-871F-CCE89728836F@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <21EA7A61-2E10-431E-871F-CCE89728836F@icann.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/AHuIA7OobPwELtvORL-6EAYuTL0>
Subject: Re: [Doh] Maybe moving draft-ietf-doh-resolver-associated-doh to draft-sah-resolver-information
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2019 15:23:49 -0000
On Wed, May 22, 2019 at 10:49:45PM +0000, Paul Hoffman wrote: > Greetings again. For those in the DOH WG who are not also in the > DNSOP WG, you may not have seen that Puneet Sood, Roy Arends and I > have new drafts that would replace > draft-ietf-doh-resolver-associated-doh. During IETF 104, and on this > list, people asked why the mechanisms in > draft-ietf-doh-resolver-associated-doh were only for DoH. In > response, we created draft-sah-resolver-information and > draft-sah-resinfo-doh. The former is a general way of asking > resolvers for information about them; the latter is the definition > of the DoH-related information. One comment on draft-sah-resinfo-doh: Compare the use of a new RRType, ${SUDN}.arpa/IN/RESINFO, which yields a structured set of I-JSON fields, to a simple ${SUDN}.arpa/IN/A approach, with merely returns a record pointing to an appropriate server with resolver policy statements, perhaps on a web site or yaml ("This recursive blocks malware and ads, and per corporate policy all resolution must be local. Resolve elsewhere at your professional peril. This is an M&A audit requirement."), and/or other meta data useful to the stub's DNS path choices. There are many advantages to RESINFO beyond well structured data, including identifying/addressing stray ${SUDN}.arpa queries seen just above-the-recursive by local operators (REFUSED, etc?). And the networks who wish to block DOH will likely trigger on ${SUDN}.arpa/IN/RESINFO? queries, for captive portal education, whereas triggering on SUDN IN/A? for DOH identification would have too many false positives induced by DNS prefetching. (Aside: This was yet another global DNS accommodation for browsers, btw.) Although IN/RESINFO is the correct approach, compared to IN/A, I've been recently alerted to one potential draw back to a new RRType: some of the meta data one hopes to expose (e.g., filtration policy) might be easier to add or edit out-of-zone. That is, the simple ${SUDN}.arpa/IN/A approach points to a web site, which any summer intern in the legal department can edit (after the DNS operators add their rrset and close the ticket). In contrast, ${SUDN}.arpa/IN/RESINFO seems to inhere more extensive, or ongoing +w access to a recursive config, with potentially significant impacts for DOH users in the case of accidents. This is fine for just DOH URI fields, which don't change often. But other data, not generated by the DNS operator teams, will prove less agile. Without existing appliance support for editing (and not merely rfc3597 sane passing) of a novel RRType, adoption might be slow, since the DNS operators in organizations become entrained in the output of other groups. Many organizations affected by DOH (e.g., banks, mid-sized and larger corps, ISPs) already have clear delineations in groups around security, DNS, network operations, customer care, policy and public statements. Since draft-sah-resolver-information is designed to have more than just DOH URIs (and potentially could include policy details relevant to DOH pathing decisions), this seems important. Had I realized this years ago, IN/RESINFO still would be the obvious choice compared to IN/A, since well structured fields encourage app developers to poll ${SUDN}.arpa for discrete information. But the existing DOH deployment suggests speeding RESINFO uptake/adoption. Perhaps also supporting IN/A discovery of DNS filtration policy data could be useful. DNS appliance vendors would support IN/RESINFO of course, some quickly, some eventually. But IN/A could be done today on existing installs. Perhaps a billion+ people have DOH available (currently off), and some are using it to start small office fires. Exposing LAN policy to the apps quickly would help. And it would discipline the anti-malware DNS filtration industry around transparency-to-the-stub. (We can expect other DNS-abusive censors to continue to provide few or misleading details, which the browsers might well ignore as likely L8 imposed firewalls.) > Both Google and Mozilla have said here that they look forward to a > way to find the DoH server associated with a user's resolver, so we > hope that the work can move forward at a reasonable pace. However, > if people in this WG think we're doing it wrong by having a general > mechanism for querying resolvers, please speak up here. Since users are already turning on DOH, there's urgency in exposing network policy information to apps. Not just the DOH URI, but the imperative some networks see in DNS anti-malware filtering, as they now shop for PACs/TLS interception solutions, post-DOH. If you're revising draft-sah-resolver-information, could it support both A and RESINFO? (The former for rapid uptake/captive portal use and avoiding portal triggering, the latter for standardized app integration, once DNS appliances support federated editing.) Or anything just short of overloading TXT records once again? Cf. https://www.cafepress.com/nxdomain/8592477 Or have I missed something making IN/RESINFO the exclusive solution and not merely superior to IN/A? I do like the general compass direction of draft-sah-resolver-information: telling users about recursive DNS settings and policy is wonderful. This informs user consent and alternative resolution path choices. My thanks to the authors for drafting their solution. -- David Dagon dagon@sudo.sh D970 6D9E E500 E877 B1E3 D3F8 5937 48DC 0FDC E717