[Doh] Clarification re: "Opportunistic DNS"
Adam Roach <adam@nostrum.com> Tue, 27 March 2018 20:45 UTC
From: Adam Roach <adam@nostrum.com>
To: "doh@ietf.org" <doh@ietf.org>
Message-ID: <1a24d4e7-5465-975b-e3c6-3752fb57c779@nostrum.com>
Date: Tue, 27 Mar 2018 15:45:48 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/EYiQEhL9BPbSHr4vQXL8kiMl5Zg>
Subject: [Doh] Clarification re: "Opportunistic DNS"
I'm posting this in my role as AD, to get information that might help us figure out next steps regarding the "Opportunistic DNS" [1] work that was discussed in London. Note that the "Opportunistic DNS" work remains out of scope for DOH: I'm posting here because this list has the correct community of interest.

During last week's discussion in DOH regarding techniques for proactively pushing DNS records to endpoints [2], there were several comments at the microphone that make me think there are important and subtle issues that were not completely obvious. Specifically: while the slides and proponent were careful to talk about DNSSEC, TLS certificate validation, and "additional validation checks" for received information, there were at least two independent comments at the microphone that expressed concerns about cache poisoning. There were also multiple comments (one at the mic, one after the meeting) expressing concerns that DNSSEC doesn't provide the right kind of assurances necessary to validate records received from untrusted sources.

If the DNS experts on this list could expand on the concerns about poisoning in the context of DNSSEC, it would be greatly appreciated. Feel free to reply directly to me, or on-list.

Thanks!

/a

___

[1] I'm carefully using quotation marks here to indicate what it was called in the meeting, with the explicit recognition that this name is considered problematic by some.

[2] Presentation at https://datatracker.ietf.org/meeting/101/materials/slides-101-doh-opportunistic-dns-00