Re: [OPSAWG] [Mud] changes to draft-richardson-opsawg-mud-iot-dns-considerations-03.txt

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 28 September 2020 18:39 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tirumal reddy <kondtir@gmail.com>
cc: opsawg <opsawg@ietf.org>, mud@ietf.org, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, paul vixie <paul@redbarn.org>
Date: Mon, 28 Sep 2020 14:39:15 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/lEoR3XCpitGsytEZk6JpMm7XELw>

tirumal reddy <kondtir@gmail.com> wrote:
    >> Except in some very niche digital signage and kiosk use, I don't think
    >> a MUD file would be appropriate for a general-purpose browser.
    >>

    > I quoted Firefox as an example, the proposed mechanism of using SUDN to
    > discover the ISP encrypted DNS resolver is generic and not specific to
    > browsers.

    > If the endpoint cannot discover the local encrypted DNS
    > server (hosted on the CPE) using DHCP/RA, the endpoint will fall back to
    > using SUDN to discover the one hosted by the ISP.

Yeah, but, we really don't want this.

Way better, in my opinion, for privacy, security (MUD), and device ownership
if the IoT device sticks with Do53 on the LAN, rather than encrypted DNS to the ISP.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide