Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Meeting in Montreal

Joe Abley <jabley@hopcount.ca> Tue, 10 July 2018 16:47 UTC

From: Joe Abley <jabley@hopcount.ca>
References: <m1fcoe5-0000GuC@stereo.hq.phicoh.net> <alpine.LRH.2.21.1807101056140.5219@bofh.nohats.ca> <4a845808-5348-d6e4-dda2-59aaf0e85c14@nostrum.com> <3DF5A66C-CCBF-4116-A1FC-35CF8E05808B@hopcount.ca> <e1675184-f0bc-670d-3db1-b99a9daf1657@nostrum.com> <CAJhMdTOZtOpF_aK-ZzP0DfkDMcAtTKFLdSpKkrSPvP1cOgnOjQ@mail.gmail.com> <CAPt1N1=Xky1MjmbzdnR2zxcVbD3mz0O3Qo_uEVK96uMLUrwu8g@mail.gmail.com>
In-Reply-To: <CAPt1N1=Xky1MjmbzdnR2zxcVbD3mz0O3Qo_uEVK96uMLUrwu8g@mail.gmail.com>
Date: Tue, 10 Jul 2018 09:47:35 -0700
Message-ID: <CAJhMdTN41Ko7MDkHihfVuSdOCKitKsv-n2Asyr-Kg8UASXYdvw@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Adam Roach <adam@nostrum.com>, DoH WG <doh@ietf.org>, driu@ietf.org, dnsop WG <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Patrick McManus <pmcmanus@mozilla.com>, Philip Homburg <pch-dnsop-3@u-1.phicoh.com>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/driu/OcDma9z-uRB9-_us3w1WgiAhkp0>

On Jul 10, 2018, at 17:41, Ted Lemon <mellon@fugue.com> wrote:

> On Tue, Jul 10, 2018 at 12:34 PM, Joe Abley <jabley@hopcount.ca> wrote:
>
>> > But this is really equivalent in just about every important way to
>> > sending the normal <img src="https://example.com/img/f.jpg"> along with a
>> > pushed DNS record that indicates that "example.com" resolves to
>> > "192.0.2.1" -- and this latter thing is (to my understanding, at least) in
>> > scope of the conversation that Patrick is proposing to have.
>>
>> My question is why you would involve the DNS at all if all the
>> performance-based resolution decisions can be made without it. You're
>> just adding cost and complexity without benefit
>
> The ip= modifier would be a great way to arrange for something to look like
> it came from a different source than its actual source.   I'm sure there's
> an attack surface in there somewhere.

I haven't thought hard enough to say what vulnerability that would enable
that wasn't already there using unsigned zones (because enterprise DNS
tricks or some other reason) but you're probably right.


Joe
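The concern in the exchange above, as an added example that is not part of the thread and not code from any IETF draft: a small model of a client-side cache for DNS records pushed alongside web content, with a naive policy beside a hardened one. The data model (a page served by origin O pushes "name -> address"), the class names and the sample pushes are assumptions made for illustration. The hardening rule is the bailiwick rule resolvers already apply to additional-section records: trust a response only for names at or below the zone it speaks for, unless the client has validated the record itself.

```python
"""Model of a client-side cache for DNS records pushed with web content.

Added example (not from the thread or any draft). The record format, the
policy classes and the sample pushes are assumptions chosen to show the
spoofing concern raised in the message: a third-party page asserting an
address for someone else's name.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PushedRecord:
    name: str                   # DNS name the page claims an address for
    address: str                # address the page wants the client to use
    pushed_by: str              # host name of the origin that served the page
    dnssec_valid: bool = False  # True only if the client validated the RRSIG chain itself


def in_bailiwick(name: str, pushing_host: str) -> bool:
    """True if `name` is the pushing host or lies below it in the DNS tree."""
    name = name.rstrip(".").lower()
    pushing_host = pushing_host.rstrip(".").lower()
    return name == pushing_host or name.endswith("." + pushing_host)


class NaiveCache:
    """Accepts every pushed record: the behaviour the objection targets."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}

    def accept(self, rec: PushedRecord) -> bool:
        self.records[rec.name.rstrip(".").lower()] = rec.address
        return True


class BailiwickCache(NaiveCache):
    """Trusts a pushed record only for names the pushing origin can speak for,
    or that the client validated with DNSSEC. For an unsigned zone the second
    branch can never fire, so the bailiwick test is all that stands."""

    def accept(self, rec: PushedRecord) -> bool:
        if rec.dnssec_valid or in_bailiwick(rec.name, rec.pushed_by):
            self.records[rec.name.rstrip(".").lower()] = rec.address
            return True
        return False


def resolve(cache: NaiveCache, name: str) -> Optional[str]:
    """Address the client would connect to for `name`, or None if it must fall
    back to a real lookup."""
    return cache.records.get(name.rstrip(".").lower())


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Feed the same two pushes to both policies. Returns, per policy, where
    'example.com' and 'bank.example' would be fetched from."""
    naive, strict = NaiveCache(), BailiwickCache()
    pushes = [
        # The case from the quoted message: example.com vouching for itself.
        PushedRecord("example.com", "192.0.2.1", pushed_by="example.com"),
        # Constructed attack: a third-party page vouching for someone else's
        # name, steering fetches of bank.example to an address it chose.
        PushedRecord("bank.example", "192.0.2.66", pushed_by="attacker.example"),
    ]
    for cache in (naive, strict):
        for push in pushes:
            cache.accept(push)
    return {
        "naive": (resolve(naive, "example.com"), resolve(naive, "bank.example")),
        "bailiwick": (resolve(strict, "example.com"), resolve(strict, "bank.example")),
    }


if __name__ == "__main__":
    for policy, (ex, bank) in demo().items():
        print(f"{policy:10s} example.com -> {ex}   bank.example -> {bank}")
```

Two caveats a practitioner would want alongside this. First, for an https fetch the misdirected connection still has to present a certificate valid for the requested name, so a pushed address alone does not forge an https origin; what it buys is control over where the connection goes, and over the bytes served for plain http. Second, the DNSSEC branch only helps when the target zone is signed: for an unsigned zone the client has nothing to validate, which is the situation the reply points at, and the pushed record then stands or falls on the bailiwick test.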