[ksk-rollover] IoT devices and KSK rollover

Fred Baker fredbaker.ietf at gmail.com
Wed Jun 12 22:23:22 UTC 2019



On Jun 12, 2019, at 2:38 PM, Michael Richardson <mcr+ietf at sandelman.ca> wrote:
> I don't think that DoH is a useful thing for IoT.

I suspect there are a couple of issues. One is that DNS (RFC 1034 and so on) sends a packet and gets a response packet. Doing the same thing with HTTPS (HTTP 2.0, presumably, TLS, and TCP) requires session setup at two layers plus the overhead of parsing HTTP to accomplish the same thing. To my way of thinking, IPsec requires a single additional header plus whatever state is required to ensure that one is talking with the right party and perhaps encrypting that. I don't see what the imposition of several layers of software buys - not just for IoT, but for anything.

In addition, DOH takes DNS service out of the domain that is managing the IoT cloud, which may not be what the owner of the device intends. There is a business issue in that. An analogous one is national: Turkey imposed a regulation saying certain names should not be accessible in Turkey, Turk Telecom imposed a DNS filter, people went to 8.8.8.8 to bypass the filter, and Turk Telecom wound up hijacking that particular route. If a company for its own reasons wants its users to use its own resolver, DOH gives a random device vendor the means to violate that security provision.

I tend to think that if someone wants to implement DOH, that's fine, but corporate IT needs the ability to impose its own policy there. It needs to be possible to force the use of the DNS protocol rather than HTTPS, to specify the address and key of a chosen DOH server, etc.

I can write that up in an I-D if it helps.


--------------------------------------------------------------------------------
Victorious warriors win first and then go to war,
Defeated warriors go to war first and then seek to win.
     Sun Tzu
