Re: [Doh] Talking to my resolver

nusenu <nusenu-lists@riseup.net> Sun, 17 March 2019 23:52 UTC

To: doh@ietf.org
References: <CAHbrMsCNyeabhk0sVexOHVedVkgG2dvV9T8wWL++om5juAUvEw@mail.gmail.com> <b3c252eb-f8de-42f7-bedd-ef23375b5325@www.fastmail.com>
From: nusenu <nusenu-lists@riseup.net>
Message-ID: <4de48a75-955d-89e3-7da3-4a1876edc53a@riseup.net>
Date: Sun, 17 Mar 2019 23:52:00 +0000
MIME-Version: 1.0
In-Reply-To: <b3c252eb-f8de-42f7-bedd-ef23375b5325@www.fastmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="dvUV1NA6I0DyUyJU0Le6t54b8f1fEAHtO"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/NB_tRrs5LZL5dXH2P6HcMFGKGqY>
Subject: Re: [Doh] Talking to my resolver
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>

Martin Thomson wrote:
> It also fails to authenticate any of the information that is
> provided.  

The mechanism in chapter 2 (DoH Servers from HTTPS) is authenticated, right?
(but still vulnerable to downgrade attacks). If we ignore the fact that
the resolver IP has probably been configured over an unsafe protocol in the first place (DHCP).


> Arguably, none of this information can be authenticated
> given its origin, but the number of unauthenticated steps is
> typically limited, but here we have an additional exposure to
> attack.
> 
> It seems like the approach that has been taken with DoT is to try and
> see.  

Those that do (Android 9 for example) don't really authenticate 
the endpoint and use it opportunistically, right?

> But we're all sufficiently scared of HTTP servers that we don't
> feel like that is a responsible thing to do with DoH.  And - more
> reasonably - we realize that having a way to find alternative
> endpoints for a resolver is worth having.  But why not provide a
> mechanism that can do for DoT what this does for DoH? 

I'd like to see that happen as well but I assume that will not be on the DoH WG
since it is outside its charter?

The idea I had in mind would be to have "DoT Servers from HTTPS"
like section 2 in this draft but without the unauthenticated options
in section 3 and 4.

 
> HTTP also has a convenient mechanism for doing exactly what this
> draft is attempting to do (almost, more later): find an alternative
> service endpoint for the current service, ideally one with better
> properties in some way.  RFC 7838 describes alternative services,
> which are implemented as a header field (here, an EDNS0 option seems
> like it might work).  In that design, a response from the resolver
> contains a list of alternative service endpoints, expressed as a
> tuple of name (and port) and endpoint type (using ALPN).  With some
> DNS-specific tweaks, I don't see why that would be a terrible
> approach here.

How would the DoH URI be authenticated in that case?


> I'd like to have a little more discussion of why we think that
> web sites might want to do their own DNS querying

+1

> FWIW, I'm now unclear on why the draft calls "browsers" out
> specially.  Browsers aren't really special in this context.  You
> might reasonably care about three levels of things: devices (or
> operating systems), applications, and web sites.  The distinction
> between each being decreasing levels of access to information about
> their operating environment.  Applications might not know about their
> DHCP configuration and web sites generally can't directly access a
> DNS resolver directly.

I brought this up as well and Paul mentioned he will address this in the
next version of the draft:
https://mailarchive.ietf.org/arch/msg/doh/bOL0JX0QA-y9qA2G88ngSDSzQAI


> p.s., Happy to talk about how IP address certificates will make this
> difficult to deploy, but let's try to hit the high points first.

It will require the resolver to be on a public IP but letsencrypt
might issue certificates for IP addresses in the future:

"Let's Encrypt may offer IP address certificates in the future, but as of September 2018 we do not."
https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082

https://datatracker.ietf.org/doc/draft-ietf-acme-ip/




-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
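Added example, not part of the original message and not code from either author: a small Python sketch of what Martin's RFC 7838 suggestion and nusenu's "how would the DoH URI be authenticated?" question look like in code. It parses an Alt-Svc field value into (ALPN, host, port) tuples, the form the thread proposes carrying in an EDNS0 option, and then applies the RFC 7838 section 2.1 rule that a client may only use an alternative whose certificate is valid for the origin it started from. The Alt-Svc value, host names and the resolver IP address are constructed; "dot" is the registered ALPN identifier for DNS over TLS; the assumption that an EDNS0 carrier would reuse the Alt-Svc field-value syntax is the thread's hypothesis, not anything a draft specifies.

```python
"""Alt-Svc parsing plus the origin-authentication check from RFC 7838 (section 2.1).

Constructed example for the DoH list discussion; not the draft's mechanism.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Constructed Alt-Svc value: an h2 (DoH) endpoint on another host, and a DoT
# endpoint on the same host the answer came from (empty host = "same origin").
SAMPLE_ALT_SVC = 'h2="doh.example.net:443"; ma=3600, dot=":853"'

DEFAULT_MAX_AGE = 86400  # RFC 7838 section 3.1: default freshness when "ma" is absent


@dataclass(frozen=True)
class AltService:
    alpn: str      # protocol identifier, e.g. "h2" or "dot"
    host: str      # "" means the same host as the origin
    port: int
    max_age: int   # seconds the client may cache this alternative


def _split_outside_quotes(value: str, sep: str) -> List[str]:
    """Split on `sep`, ignoring separators inside double-quoted strings."""
    parts, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_alt_svc(value: str) -> List[AltService]:
    """Parse an Alt-Svc field value (RFC 7838 section 3).

    Grammar, simplified: Alt-Svc = "clear" / 1#( protocol-id "=" <"> [host] ":" port <"> *( ";" parameter ) )
    Malformed input raises ValueError rather than yielding a half-parsed endpoint.
    """
    if value.strip() == "clear":
        return []
    services = []
    for entry in _split_outside_quotes(value, ","):
        head, *params = _split_outside_quotes(entry, ";")
        alpn, eq, authority = head.strip().partition("=")
        authority = authority.strip()
        if not eq or len(authority) < 2 or authority[0] != '"' or authority[-1] != '"':
            raise ValueError(f"malformed alternative: {head!r}")
        host, colon, port_text = authority[1:-1].rpartition(":")
        if not colon or not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"malformed alt-authority: {authority!r}")
        max_age = DEFAULT_MAX_AGE
        for param in params:
            key, _, val = param.strip().partition("=")
            if key.strip() == "ma":
                max_age = int(val.strip().strip('"'))
        # protocol-id is percent-encoded on the wire (e.g. "http%2F1.1").
        services.append(AltService(unquote(alpn.strip()), host, int(port_text), max_age))
    return services


def cert_covers(cert_names: List[str], host: str) -> bool:
    """True if one of the certificate's subjectAltName entries matches `host`.

    Exact match for DNS names and IP literals; a wildcard only in the leftmost
    label and only for exactly one label (RFC 6125 style).
    """
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def usable_alternative(origin_host: str, alt: AltService, presented_cert_names: List[str]) -> bool:
    """RFC 7838 section 2.1: the alternative is authenticated for the ORIGIN, not for itself.

    The certificate presented by the alternative (here its SAN list) must be valid
    for the host the client started from. When that origin is a resolver reached
    by IP address, the certificate therefore has to name that IP address.
    """
    return cert_covers(presented_cert_names, origin_host)


if __name__ == "__main__":
    resolver_ip = "198.51.100.53"  # constructed origin: the DHCP-configured resolver
    for alt in parse_alt_svc(SAMPLE_ALT_SVC):
        ok = usable_alternative(resolver_ip, alt, [resolver_ip, "doh.example.net"])
        print(f"{alt.alpn:>3} {alt.host or '<same host>'}:{alt.port} usable={ok}")
```

The check is deliberately strict: the alternative's own host being in the certificate is not enough, because that would let whoever can inject the advertisement pick both the endpoint and the name it authenticates as. With a resolver learned over DHCP, the only thing the client actually has is the resolver's IP address, so the certificate must be valid for that address, which is exactly why the IP-certificate question in the postscript matters for this design.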