Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

[Eric Rescorla <ekr@rtfm.com>]

On Tue, Jul 16, 2019 at 1:02 PM Rob Sayre <sayrer@gmail.com> wrote:

>
>
> On Tue, Jul 16, 2019 at 12:53 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>> Taking a TRR-style system out of the equation for a moment. Suppose that
>> what I want is for all devices on my network to use a filtering resolver. I
>> don't expect any evasion because they're all my devices, it's just a matter
>> of convenience to centrally configure it. So what I do here is I configure
>> my DHCP server to provide the IP address of that resolver. Now, those
>> devices do unencrypted DNS because that's what everyone does. Now, suppose
>> that resolver starts offering DoT. How do my devices learn that
>> information? The resolver could tell them over DNS but then we have a
>> straightforward downgrade attack from anyone on the network. Do you agree
>> with this so far? Do you have a proposed solution?
>>
>
> In fairness, I'm not sure I quite follow. But, if I worked at a browser
> vendor, I would be worried about DoH rollout too. I think I'd gradually
> ratchet up the security signals in the location bar with the end result of
> marking sites insecure if their IP was fetched over DNS in the clear.
>

Ignoring the UI question, let me push a bit on "in the clear".

Currently, resolvers are configured by IP address, not domain name. So
absent mechanisms such as TRR, how does the DNS client form a secure
connection to the resolver? What domain name is in the certificate and how
does the client learn that domain name?

-Ekr




> This is distinct from choosing a DNS vendor.
>
> thanks,
> Rob
>
>
>
>