IETF Logo Mail Archive

Re: [Doh] [Ext] Fallback to untrusted DOH servers

Ted Lemon <mellon@fugue.com> Mon, 23 April 2018 21:32 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3312C12D963 for <doh@ietfa.amsl.com>; Mon, 23 Apr 2018 14:32:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CTYJLBERc12q for <doh@ietfa.amsl.com>; Mon, 23 Apr 2018 14:32:47 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF05712D95A for <doh@ietf.org>; Mon, 23 Apr 2018 14:32:46 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id w12-v6so19527538qti.4 for <doh@ietf.org>; Mon, 23 Apr 2018 14:32:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:content-transfer-encoding:mime-version:subject:date:references :to:in-reply-to:message-id; bh=NB6NadzNYV6MGQMCxic8LsiU2LHftyZrW8kaI1xY/Gg=; b=NJ4Dnryp0GMrOn+VYKsv6C4RpNp6T8yYzsn1AXGo2nPD5wVZATek4U2zb754RaFkoe WhMAihHR/hqDEDsGNtcRRa/KeZWT9bb1wj1vzoVCo1xRota3C2sofny2cCrOX6K+Gz9k OsNRm6a5VBZS6fXti89uwIYyRB5OewR8QgyUnHbaAhOKiX7YD+Zi995plZ53c1fpOrrE qaebU8jMX6uSWubetvebTRTrSlvt471arYElV4sK3+iOWQJWK0wq9KLQ0JggD6qk1UXv jlVwGDa2xbMtIELnehauq515I97GAUnnTklnX+Fc+ZZgDZsSYsprJxh0EnSn+Qh/xKj+ lM+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=NB6NadzNYV6MGQMCxic8LsiU2LHftyZrW8kaI1xY/Gg=; b=JtZG9KEMAo9eDZIaAt22hwaBrygAcYojkuOgHGy+ERCqvYPb+9y3+GMD1p98GQDexz XEMgx2BvccfKyu0Cba9ZLSnqjoPP7N3Cker35Dclp73/19RVLK7vGrjmvOQBlDerF4lj 3hx5LvKZPdGhU1Z9RrVazQraBdSkOb2VBf1OILPXrvV5uQNwM0zniyuC4jhg8MiyUfbe JekMcpDqakTvxjQFxhMRXXic+fWjxdHUJUxmrVFcrdMiM5n4iXvIP9U1li2SSOwL0KV4 aedE9fAkQGIls22ruFhFAKphnYe1KKg4AMHLr7cBnhonkK9CZMKW0zEOTOSYSTirJ4Nr kfuQ==
X-Gm-Message-State: ALQs6tDqbQsGeYGBEyV0b04HK+0GT2zwvMQUDAYGuLulM24nVHEqnBxR QChbXqQWD/DkeTkvehEq6eXHcbUlUbI=
X-Google-Smtp-Source: AIpwx4/GoCCzaLMTdi1rSTlZE0cq7zmECM01iURhMpJiBgEoi89gqSaJuZ6MqZcY7aB+lwyHyV6rvA==
X-Received: by 2002:ac8:30a1:: with SMTP id v30-v6mr25098145qta.296.1524519165488; Mon, 23 Apr 2018 14:32:45 -0700 (PDT)
Received: from cavall.lan (c-24-60-163-103.hsd1.nh.comcast.net. [24.60.163.103]) by smtp.gmail.com with ESMTPSA id 6sm9676923qkj.55.2018.04.23.14.32.44 for <doh@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Apr 2018 14:32:44 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Mon, 23 Apr 2018 17:32:43 -0400
References: <f17cbdf0-cd88-9fa9-c83d-26e2cf13b8c1@o2.pl> <21B4DD30-46B0-4E63-833E-FDE66EF28F95@icann.org> <765e9e5a-9b8c-fa1c-85b5-da824807e609@o2.pl> <CAOdDvNrC6VGQtCYgLOoRvwCGn0kRJuchncFj4m5r_KZ-ig7=NA@mail.gmail.com> <28678acd-f67d-7f95-273f-26ed1115d3ee@o2.pl> <75B0BB57-A222-4328-A155-E5C351DEB7CC@icann.org> <3457562c-5576-18ea-a764-d485d870b5ea@o2.pl> <CAOdDvNqft5RwHcf1Ds-nzCZ=ha1weBTwbP4KzMLoHHwJQt0bVQ@mail.gmail.com> <46145a1e-99a9-405f-9f5c-4b85005feaf9@o2.pl> <BFBE3B13-15DF-45D5-8E8A-A4DC5B476357@icann.org> <CAHbrMsBHV5z5oNJrTvmvAPO79PRSufgGSY_NFePz34xNX4R+vQ@mail.gmail.com> <BF72EBFC-ACFB-49BE-BE7F-5F1AA81E73B0@bangj.com> <302013A3-DA11-4398-A226-64939FC4DA46@icann.org> <978B235F-9700-43DB-833B-C1AA02438E52@bangj.com>
To: DoH WG <doh@ietf.org>
In-Reply-To: <978B235F-9700-43DB-833B-C1AA02438E52@bangj.com>
Message-Id: <5B2F997F-E5DF-4A97-B73B-2EC699113898@fugue.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/ZhguXYk6ppwN8hdnFckiHuIGuvs>
Subject: Re: [Doh] [Ext] Fallback to untrusted DOH servers
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2018 21:32:49 -0000

Tom, it might be worth calling this working group's attention to the discussion that Cullen and I had a the DHC working group meeting a couple of years ago where Cullen was concerned because the working group didn't want to add certain DHCPv6 options, and the working group hadn't clearly articulated why that was.

The answer is that DHCP is good for configuring clients with options in cases where the motivation of the network operator and the consumer of a service or configuration provided by DHCP are in alignment, and not when they are not.   So for example you should never configure a host's SMTP submit server using DHCP, because the network operator may have motives other than being helpful for wanting to relay your SMTP traffic.

On the other hand, the network operator doesn't really have any motivation for sending you a wrong subnet mask, and while they may be interested in snooping your DNS traffic, the fact is that you need a DNS resolver to use the network unless you're going to do full recursive resolution on the host, so you pretty much have to either trust the network operator in this case.   IIRC Cullen rather effectively bashed me over the head with this example.

My point is that the DNS resolver is actually a very chancy example of a sensible DHCP option, and the more you think of the DNS resolver as a trusted service and the less you think of it as network infrastructure, the less sense it makes to configure it with DHCP (or, for that matter, ND).

Configuring a DoH server with DHCP seems to me, as I mentioned in a previous comment, to be a pretty questionable idea.   I do not support this work, because I think that it is counter to the goals of DoH generally.   The goal of DoH is to subvert the network operator's intentions with respect to DNS traffic.   That's completely incompatible with configuring DoH with DHCP (or RA).

The inability to reach your configured, trusted DoH server from the local network is an attack on the host.   You are trusting the thing that is attacking you to provide you with configuration information.   That just doesn't make sense.

If you really want to do this, the first step is to clearly state the threat model that you are addressing by providing DoH in this way, and to discuss all the threat models you are _not_ addressing by doing so.   And then compare this to the threat model that DoH-without-DHCP addresses, and see if there is actually any value added by the other solution.

It may be that there is value in automatically configuring DoH servers using network infrastructure.   If that's the case, we should try to clearly understand what the trust model is for such a configuration before proceeding to design the bits on the wire. :)

v2.23.0 | Report a Bug | By Email