Re: [OPSAWG] [Mud] changes to draft-richardson-opsawg-mud-iot-dns-considerations-03.txt

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 25 September 2020 17:41 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tirumal reddy <kondtir@gmail.com>, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, opsawg <opsawg@ietf.org>, mud@ietf.org
In-Reply-To: <CAFpG3gdMxw2QGUFhWQELYT8oaMgVuvc5_hQf_Pfk3T3vwc2rmA@mail.gmail.com>
References: <160082461431.2339.6222888407127336620@ietfa.amsl.com> <15779.1600960819@localhost> <BCB5CBD9-78C0-471A-8C32-88E4FD406136@cisco.com> <CAFpG3gdMxw2QGUFhWQELYT8oaMgVuvc5_hQf_Pfk3T3vwc2rmA@mail.gmail.com>
Date: Fri, 25 Sep 2020 13:41:46 -0400
Message-ID: <15491.1601055706@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/RbVJAxmoCTW4LzfUMHQ8B1lV83A>
Subject: Re: [OPSAWG] [Mud] changes to draft-richardson-opsawg-mud-iot-dns-considerations-03.txt

tirumal reddy <kondtir@gmail.com> wrote:
    > +1.  The problem is not just with public resolvers but also with
    > designated resolvers. The IoT device supporting MUD must use the
    > encrypted DNS server discovered in the attached network.

Yes-ish.

I don't think that we have to mandate use of encrypted DNS servers,
as long as it's the ones on the attached network.

My take is that it is better to use Do53 across the local LAN than a public DoH
server.  If the IoT device can be convinced to use the local DoT server, great.
Your documents in ADD are clearly trying to get there, but we aren't
there yet.

I've been looking for a YANG module that would allow for explicit management
of "/etc/resolv.conf" on a device.  If there is one, I don't know where it
would be.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
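The position above (a MUD device's DNS should go to the resolvers of the attached network, whether Do53 or DoT, rather than to a public server) can be checked from the network side. The following is an added example, not code from the thread or from any MUD implementation: it takes the network's resolver list from resolv.conf-style text (assumed here to be what DHCP handed the device) and audits constructed flow records, flagging Do53 (port 53) and DoT (port 853) traffic to any other destination. DoH on port 443 cannot be told apart from ordinary HTTPS by port alone, so the example deliberately leaves it unclassified; the record format and sample addresses are assumptions made for the example.

```python
"""Audit IoT DNS flows against the resolvers the attached network hands out.

Added example for the thread above; not part of any MUD implementation.
Assumptions (not from the thread): flow records are simple 4-tuples and the
local resolver set is whatever resolv.conf-style text the network pushed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Ports that identify a DNS transport on their own.  DoH rides on 443 and is
# indistinguishable from other HTTPS at this level, so it is not covered.
DNS_PORTS = {53: "Do53", 853: "DoT"}


@dataclass(frozen=True)
class Flow:
    """One observed connection from an IoT device (constructed record format)."""
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_flow(flow: Flow, local_resolvers: Set) -> Optional[Tuple[str, str]]:
    """Label a DNS flow as (transport, "local"|"external"); None if not DNS by port."""
    if flow.dport not in DNS_PORTS:
        return None
    dst = ipaddress.ip_address(flow.dst)
    where = "local" if dst in local_resolvers else "external"
    return DNS_PORTS[flow.dport], where


def audit(flows: Iterable[Flow], local_resolvers: Iterable[str]) -> List[str]:
    """Return one finding per DNS flow that bypasses the network's resolvers."""
    resolvers = {ipaddress.ip_address(r) for r in local_resolvers}
    findings = []
    for f in flows:
        result = classify_flow(f, resolvers)
        if result is None:
            continue
        kind, where = result
        if where == "external":
            findings.append(
                f"{f.src} -> {f.dst}:{f.dport} ({kind}) bypasses the network's resolvers"
            )
    return findings


# Constructed sample input: what DHCP pushed, and what the devices then did.
SAMPLE_RESOLV_CONF = """\
# constructed example of the resolver list handed out on the LAN
search lan.example
nameserver 192.0.2.53
nameserver 2001:db8::53
"""

SAMPLE_FLOWS = [
    Flow("192.0.2.77", "192.0.2.53", "udp", 53),     # fine: local Do53
    Flow("192.0.2.77", "203.0.113.10", "udp", 53),   # flagged: external Do53
    Flow("192.0.2.77", "192.0.2.53", "tcp", 853),    # fine: local DoT
    Flow("192.0.2.78", "198.51.100.1", "tcp", 853),  # flagged: external DoT
    Flow("192.0.2.78", "198.51.100.1", "tcp", 443),  # not classifiable by port
]


def run_sample() -> List[str]:
    """Audit the constructed flows against the constructed resolver list."""
    return audit(SAMPLE_FLOWS, parse_resolv_conf(SAMPLE_RESOLV_CONF))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Feeding it real flow records (from the gateway's connection tracking or a flow exporter) gives a simple way to notice a device whose DNS does not go through the resolvers the MUD controller itself uses; the two flagged sample flows are exactly the case the thread is concerned about.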