Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Meeting in Montreal
Philip Homburg <pch-dnsop-3@u-1.phicoh.com> Tue, 10 July 2018 17:32 UTC
Return-Path: <pch-bCE2691D2@u-1.phicoh.com>
X-Original-To: driu@ietfa.amsl.com
Delivered-To: driu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB97D131194; Tue, 10 Jul 2018 10:32:22 -0700 (PDT)
X-Quarantine-ID: <9TF0ePKQLBHg>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9TF0ePKQLBHg; Tue, 10 Jul 2018 10:32:20 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo6-tun.hq.phicoh.net [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DE37131188; Tue, 10 Jul 2018 10:32:20 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384) (Smail #157) id m1fcwUq-0000GvC; Tue, 10 Jul 2018 19:32:16 +0200
Message-Id: <m1fcwUq-0000GvC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
Cc: Ted Lemon <mellon@fugue.com>
Cc: DoH WG <doh@ietf.org>, driu@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
From: Philip Homburg <pch-dnsop-3@u-1.phicoh.com>
Sender: pch-bCE2691D2@u-1.phicoh.com
References: <m1fcoe5-0000GuC@stereo.hq.phicoh.net> <alpine.LRH.2.21.1807101056140.5219@bofh.nohats.ca> <4a845808-5348-d6e4-dda2-59aaf0e85c14@nostrum.com> <3DF5A66C-CCBF-4116-A1FC-35CF8E05808B@hopcount.ca> <e1675184-f0bc-670d-3db1-b99a9daf1657@nostrum.com> <CAJhMdTOZtOpF_aK-ZzP0DfkDMcAtTKFLdSpKkrSPvP1cOgnOjQ@mail.gmail.com> <CAPt1N1=Xky1MjmbzdnR2zxcVbD3mz0O3Qo_uEVK96uMLUrwu8g@mail.gmail.com>
In-reply-to: Your message of "Tue, 10 Jul 2018 12:41:46 -0400 ." <CAPt1N1=Xky1MjmbzdnR2zxcVbD3mz0O3Qo_uEVK96uMLUrwu8g@mail.gmail.com>
Date: Tue, 10 Jul 2018 19:32:15 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/driu/_ymFYrsvX4asEEfj6NuasR4CEWY>
Subject: Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Meeting in Montreal
X-BeenThere: driu@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "DNS Resolver Identification and Use \(DRIU\)." <driu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/driu>, <mailto:driu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/driu/>
List-Post: <mailto:driu@ietf.org>
List-Help: <mailto:driu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/driu>, <mailto:driu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 17:32:24 -0000
>The ip= modifier would be a great way to arrange for something to look like >it came from a different source than its actual source. I'm sure there's >an attack surface in there somewhere. That's a rather fundamental issue. In the context of TLS, and a DNSSEC insecure zone, there are two realistic attack scenarios: - an attack on DNS that returns different addresses for a DNS lookup - a routing attack, that reroutes traffic. Both types of attacks are realistic and happen quite frequently. If we decide that TLS is strong enough to defend against these attacks, then there is no need to secure the DNS lookup, other than to reduce the risk of denial of service and for privacy reasons. Then such an ip= modifier would be fine, because the worst thing that can happen is denial of service. On the other hand, if we don't trust TLS, then we have a bit of a problem. Too many people using public resolvers. Route hijacks are quite easy, etc.
- Re: [Driu] [DNSOP] Resolverless DNS Side Meeting … Patrick McManus
- Re: [Driu] [Doh] Resolverless DNS Side Meeting in… manu tman
- Re: [Driu] [DNSOP] Resolverless DNS Side Meeting … Philip Homburg
- Re: [Driu] [DNSOP] Resolverless DNS Side Meeting … Paul Vixie
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Tim Wicinski
- Re: [Driu] [Doh] Resolverless DNS Side Meeting in… Patrick McManus
- Re: [Driu] [DNSOP] Resolverless DNS Side Meeting … Paul Wouters
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Adam Roach
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Paul Wouters
- Re: [Driu] Resolverless DNS Side Meeting in Montr… Patrick McManus
- Re: [Driu] Resolverless DNS Side Meeting in Montr… Ted Lemon
- [Driu] Resolverless DNS Side Meeting in Montreal Patrick McManus
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Joe Abley
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Adam Roach
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Joe Abley
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Ted Lemon
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Joe Abley
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Adam Roach
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Adam Roach
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Ted Lemon
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Patrick McManus
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Philip Homburg
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Adam Roach
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Dave Lawrence
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Joe Abley
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Adam Roach
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Paul Wouters
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Dave Lawrence
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Ryan Sleevi
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Dave Lawrence
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Daniel Kahn Gillmor
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Tony Finch
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Mike Bishop
- Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Me… Ryan Sleevi
- [Driu] SRV and HTTP Mark Nottingham
- Re: [Driu] [DNSOP] SRV and HTTP Ólafur Guðmundsson
- Re: [Driu] [DNSOP] SRV and HTTP Mark Andrews
- Re: [Driu] [DNSOP] SRV and HTTP Mark Nottingham
- Re: [Driu] [DNSOP] SRV and HTTP Mark Andrews
- Re: [Driu] [DNSOP] SRV and HTTP Dave Lawrence
- Re: [Driu] [DNSOP] SRV and HTTP Dave Lawrence
- Re: [Driu] [DNSOP] SRV and HTTP Mark Andrews
- Re: [Driu] SRV and HTTP - 18:30 Tuesday Mark Nottingham
- Re: [Driu] [DNSOP] SRV and HTTP Patrik Fältström
- Re: [Driu] [DNSOP] SRV and HTTP Mark Andrews
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Petr Špaček
- Re: [Driu] SRV and HTTP Leif Hedstrom
- Re: [Driu] [DNSOP] SRV and HTTP Patrik Fältström
- Re: [Driu] [Doh] [DNSOP] Resolverless DNS Side Me… Mike Bishop
- Re: [Driu] [DNSOP] SRV and HTTP Nico Williams
- Re: [Driu] [Doh] [DNSOP] SRV and HTTP Joseph Lorenzo Hall
- Re: [Driu] [DNSOP] SRV and HTTP Mark Andrews
- Re: [Driu] [DNSOP] SRV and HTTP Nico Williams
- Re: [Driu] [DNSOP] SRV and HTTP Mark Andrews
- Re: [Driu] SRV and HTTP - 18:30 Tuesday (room cha… Mark Nottingham
- Re: [Driu] [Doh] SRV and HTTP - 18:30 Tuesday (ro… Shane Kerr
- Re: [Driu] [Doh] SRV and HTTP - 18:30 Tuesday (ro… Jim Reid
- Re: [Driu] [Doh] SRV and HTTP - 18:30 Tuesday (ro… Tim Wicinski
- Re: [Driu] [Doh] SRV and HTTP - 18:30 Tuesday (ro… Ray Bellis
- Re: [Driu] Resolverless DNS Side Meeting in Montr… Patrick McManus
- Re: [Driu] [Doh] SRV and HTTP - 18:30 Tuesday (ro… Sebastiaan Deckers
- Re: [Driu] [Doh] SRV and HTTP - 18:30 Tuesday (ro… Adam Roach
- Re: [Driu] [Doh] SRV and HTTP - 18:30 Tuesday (ro… Adam Roach