Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Sat, 18 Aug 2018 18:22:07 -0700 



Ted Lemon wrote:

The thing is that most devices don't connect to just one network.   So
while your devices on your network can certainly trust port 853 on your
network, when they roam to other networks, they have no reason to trust
it.


that's far afield of my stated use-case.


if i receive advice and pre-shared key, concerning tcp/853, from my dhcp 
server, the tcp/853 service i'm advised to use may not be on my own 
network, it could be part of my corporate VPN, or an anycasted 
commercial service, or almost anywhere else.



in that case, my DHCP transaction was local, and my resulting TCP/853 
transactions won't be local. and in that case i will have a greater 
reason to trust the pre-shared key and the TCP/853 advice because of 
where i received it, than i would have reason to trust privacy or 
integrity of the path to a UDP/53 + TCP/53 ("traditional DNS") server.



roaming is another matter, because in those cases, i'll speak DHCP to 
some new network provider, and will receive some advice concerning an 
RDNS service from that new DHCP transaction, which will obviate any 
previous advice, or whether i took that advice, or how trustworthy that 
advice turned out to be.



... If you have devices that never roam to other networks, that's
fine, but we have to design for the more general case.   There's no way
with DHCP for the device to tell that it's connected to a particular
network, other than matching IP addresses, which isn't a great idea.



if i'm not roaming, i won't receive RDNS advice from the other DHCP 
servers that i never come into contact with. this seems a non-sequitur.



if i am roaming, then anyone who hands me an address via DHCP should 
feel free to advise me as to what DNS service i use, including a TCP/853 
service for which a pre-shared key may be needed. because the network 
operator may forbid and prevent the use of other DNS services which i 
may prefer, it would be wise for me to listen to that advice, and 
consider following it, especially if my usual service can't be reached 
while operating on said network.



roaming is off-topic. DHCP authentication and integrity is off-topic. 
this is a simple proposal to allow a network operator to include TCP/853 
("DoT") advice including pre-shared keys in their DHCP responses. it 
ought to be drama-free.


--
P Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
























					Reply via email to