Re: [Doh] Clarification re: "Opportunistic DNS"
Ben Schwartz <bemasc@google.com> Tue, 27 March 2018 22:54 UTC
Return-Path: <bemasc@google.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38258126CB6 for <doh@ietfa.amsl.com>; Tue, 27 Mar 2018 15:54:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xPq3GZRzF5K1 for <doh@ietfa.amsl.com>; Tue, 27 Mar 2018 15:54:19 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B998B1200C1 for <doh@ietf.org>; Tue, 27 Mar 2018 15:54:19 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id y20-v6so1218909itc.5 for <doh@ietf.org>; Tue, 27 Mar 2018 15:54:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cLrXzfnZXeyuPf798qXqJ7fRiJlpLbSAd1sFSpX6W0Y=; b=Tmfb9dQpeviyK19fMPDQLQHNQuJsBlJKNSVROuIQXZZdT5FN4vUpxlsygHN8J7zceQ lTJViqTZc+RQa+QeWzCiw/NuaSOgbDWoLuXLgqD8GpqwoMA071+bvVG9nDSP7Nxc90jI OAkgK5WbQWpxW2g6iC+yN5Tpz/D2hMd3mXk8k/O2UMyvBbyckXAXAK0Z0Chpb1ryjm3P SZMAsSsvLW0g9kaXa1a+CcKyeE2v1ZA/OPTt8EZRwzasYLjDQlbwE6uzH9k3ZZlCA+uD 2IRroIk8fuLSFhihnkvxplYGh1czIgqrLqGtd67uxBd79eoSjfwb4TfOvCYInauP4vFO OngA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cLrXzfnZXeyuPf798qXqJ7fRiJlpLbSAd1sFSpX6W0Y=; b=rlrvpgphyXcPu5qHjUP0ecGv5Y1gHFPqFyaJAz5BWPp0WRClIAXWS3fpNS5ZTA1yN/ 8KS7jhnakpY4YmQeYbUxguqTkLwBNj84KT99jdyZZO6LZs4jlq4gDrJAz9CmGfeuIONF c/m77No4cWYZpHEP0zz89Vv6vJCoNPAeeE/rDLcjSNPaxfZ6zJot0TG8kdT4Eyiwsm7o XeqsIwFi2hQCwE8E8j4KCrnp7zqzYz1lJGk+paGLmrnGouG/kCzYkOXWSrD4tp9J2P6L hxmwDTfRJqa54/Opzjxp74dkOkqLa5c3rM1By7CEdF6HStP45oNBri0JBEBgcFZUZZxs XgOg==
X-Gm-Message-State: ALQs6tAgmCoJHy2FD50wfqG9R8osE6zVgZwQhdfYksROkGFzKirohl8b WZU9ADFmmS6W7YIf22sVav9vXwMDah62VrJX/Knsn8IV
X-Google-Smtp-Source: AIpwx48JptgVfhwzQgBKfZw58Hmw512ydgvhWWZG+QPIGbwsw7tjImMTpLG/OA+FzKDOZ294Q4/C6Pn/vwTRxaIsBiA=
X-Received: by 2002:a24:3715:: with SMTP id r21-v6mr1178602itr.110.1522191258649; Tue, 27 Mar 2018 15:54:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.168.210 with HTTP; Tue, 27 Mar 2018 15:54:18 -0700 (PDT)
In-Reply-To: <1a24d4e7-5465-975b-e3c6-3752fb57c779@nostrum.com>
References: <1a24d4e7-5465-975b-e3c6-3752fb57c779@nostrum.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 27 Mar 2018 18:54:18 -0400
Message-ID: <CAHbrMsBNG1DMT8esEpN22OEHE968cMWTK56KaMPTrsWYG=4f7w@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: "doh@ietf.org" <doh@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000004a5c1205686cc50f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/EQ-Ci8Y1sMZtmKiC2Km-5VIq9cI>
Subject: Re: [Doh] Clarification re: "Opportunistic DNS"
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 22:54:22 -0000
I'm not a DNS expert, but I've had a lot of time to think about this. To me, in the context of the web, the most interesting concerns are about scoping and lifetime. For example, as a web server operator, if I can populate a user's DNS cache with some distinctive (but valid, signed) DNS records, then perhaps I can follow that user across the web, effectively "marking" their traffic until the RRSIGs expire. I think we can remove this problem by scoping opportunistic records to the client IP address that received them, so their use doesn't link two client IP addresses. (This resembles QUIC's issues with connection IDs.) There's also a similar problem related to same-origin user tracking. I think that will require us to treat opportunistic DNS records like cookies, and to clear them in similar situations. Another concern is related to bad server selection. Could a rogue actor use an ad network to push suboptimal records to millions of users, breaking a target site's load balancing? I'm less concerned about this, especially thanks to redirection tools like Alt-Svc, but it is worth some careful attention. On Tue, Mar 27, 2018 at 4:45 PM, Adam Roach <adam@nostrum.com> wrote: > I'm posting this in my role as AD, to get information that might help us > figure out next steps regarding the "Opportunistic DNS" [1] work that was > discussed in London. Note that the "Opportunistic DNS" work remains out of > scope for DOH: I'm posting here because this list has the correct community > of interest. > > During last week's discussion in DOH regarding techniques for proactively > pushing DNS records to endpoints [2], there were several comments at the > microphone that make me think there are important and subtle issues that > were not completely obvious. > > Specifically: while the slides and proponent were careful to talk about > DNSSEC, TLS certificate validation, and "additional validation checks" for > received information, there were at least two independent comments at the > microphone that expressed concerns about cache poisoning. There were also > multiple comments (one at the mic, one after the meeting) expressing > concerns that DNSSEC doesn't provide the right kind of assurances necessary > to validate records received from untrusted sources. > > If the DNS experts on this list could expand on the concerns about > poisoning in the context of DNSSEC, it would be greatly appreciated. Feel > free to reply directly to me, or on-list. > > Thanks! > > /a > > ___ > [1] I'm carefully using quotation marks here to indicate what it was > called in the meeting, with the explicit recognition that this name is > considered problematic by some. > > [2] Presentation at https://datatracker.ietf.org/m > eeting/101/materials/slides-101-doh-opportunistic-dns-00 > > _______________________________________________ > Doh mailing list > Doh@ietf.org > https://www.ietf.org/mailman/listinfo/doh >
- [Doh] Clarification re: "Opportunistic DNS" Adam Roach
- Re: [Doh] Clarification re: "Opportunistic DNS" Ben Schwartz
- [Doh] Clarification re: "Opportunistic DNS" Dave Lawrence