Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 26 November 2019 18:22 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 856DA1209C3 for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 10:22:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n8pKFzITHkE2 for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 10:22:40 -0800 (PST)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 119B21209B5 for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 10:22:40 -0800 (PST)
Received: by mail-vs1-xe32.google.com with SMTP id y13so1014971vsd.9 for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 10:22:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+X7aZdaCeLWzYYB1x4jbv2fAeHK9KKHyuAxFPOPELOY=; b=JVxQ5BgH0J2t4lTJZ65PtkJ91jnP2sAe7mXdXt4ptLzRdWZlcmRW5KUo8gIdyA31Kh CYbsuHzIXyzWg4/JI6PxWToOQD9fNHKxLnrcNKfygwy37il/8skAJEdgqtgRky8Ml1+5 VePxKrJlNW8nNCmBEO9U5YIoPplpG4dVk8hU7/G9CvQycAsBfEUFFKpE9+YRLj6onXWs Ia2N3wBA72R7C1vNW+jCrt7uzG0xWvEVHh98nCa6qPXm+2DcXghOdp6QUC9u98bnVZB5 J3ly+/3skai9XbqTkpRDS71/tMK13k5Cz8EuWonVj/zH0Ti1RBZKE+BYBwkRVJkmC+ve WZ6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+X7aZdaCeLWzYYB1x4jbv2fAeHK9KKHyuAxFPOPELOY=; b=D1scGCqAhVAtYDWCwH4WAsEIv0pTpk0ojRP51M/jpVV7lX7jGRTdylnne2Nqkvls8R aCtrI6x50KH1IIb8zykQIsR+nSTaEfZy7nGgWu1cZRWSP56L7OU4+8yFjtgsiWUWc9Bo Ox+f3Zown20mW3IkMXXaQhiWY350Uv6GBPh9Y2Zl9x0A0NtuyZ3BcCUl3DiqNMat+kaT zvuG9j77vlyevM1XuYzJd5Iw5XNDKDJqwwmkjUtyspne2ieiGsRLLqOMLIk45fqsbIzg Ad6zWYR98vNrSloNB7ZtQ5UiXw4yWtHz7rmXdIHg8Ibmdeo0KswMAAGgd3Mcm9zXwzO9 meAw==
X-Gm-Message-State: APjAAAWXai2NIJujfjwS4mT9ott6sMjKqVqM0L6H1d0lQ5HLsKiF6aKA CUbH7mG54TY4payHScEWqNkSsYdlKDQiKc5ms9A=
X-Google-Smtp-Source: APXvYqxr8nYxMjGpKllfvEZCaMsWh8JPWkTHO9vURyMO1iLSSf+9W1VsdMcNQGNF2JEaMkE/uz1XZ8g578mdP4RY74Q=
X-Received: by 2002:a67:db10:: with SMTP id z16mr23561648vsj.5.1574792559047; Tue, 26 Nov 2019 10:22:39 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <CAH1iCirHc4QFGYo_R-4TzWL2Q7G9XFj-6YKsvKsQS4dkx0-C2w@mail.gmail.com> <20191126180812.GB4452@sources.org>
In-Reply-To: <20191126180812.GB4452@sources.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 26 Nov 2019 10:22:26 -0800
Message-ID: <CAH1iCiqgY9ZgLUhcL6A-3h=O-_3N5ueBJFBnEWcdMDLvx-v5YQ@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="00000000000013b9e5059843f7f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/CrLy1YJI9OIL1VI-W_3V-IpPcr8>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 18:22:41 -0000
On Tue, Nov 26, 2019 at 10:13 AM Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: > On Tue, Nov 26, 2019 at 09:51:14AM -0800, > Brian Dickson <brian.peter.dickson@gmail.com> wrote > a message of 98 lines which said: > > > However, if the only place the client is able to establish an > > encrypted path to is a forwarder, this leave open the possibility > > that the forwarder->(forwarder->[...])->resolver might involve one > > or more unencrypted connections. > > I'm not sure I understand the problem. This case is just an instance > of a more general problem "the machine you talk with may betray you > and no amount of cryptography will help here". The resolver can send a > copy of all your requests to the NSA (or its chinese equivalent), or > it could use a forwarder over an unencrypted connection. What's the > difference? > > The difference is whether the problem is fundamentally unsolvable vs a solvable problem. Clearly, a resolver which betrays your trust deliberately can't be fixed with any technology, it's a layer-8 or layer-9 problem. However, a forwarder chain may not be intentionally insecure, and may only be the result of naive designs or lack of vendor support. The resolver at the end of the forwarder chain may actually be trustworthy, so having a way of talking directly to it, solves the issue. It also does so in a way that does not adversely affect the DNS ecosystem, and in fact doesn't adversely affect the resolver itself. A forwarder (or chain of forwarders, or tree of forwarders rooted at the resolver) sends every query to the resolver. Connecting directly to the resolver does not change that load, it merely bypasses middle boxes that are value-subtract devices. If anything, DNS resolution should improve, since it would (in theory, at least) reduce latency, and possibly reduce loss caused by (DNS) application queueing compared to strict network-level (hardware) queue use. Brian
- [dns-privacy] Trying to understand DNS resolver '… Phillip Hallam-Baker
- Re: [dns-privacy] Trying to understand DNS resolv… Brian Dickson
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Brian Dickson
- Re: [dns-privacy] Trying to understand DNS resolv… Phillip Hallam-Baker
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Winfield, Alister
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Andrew Campling
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Kenji Baheux
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Vittorio Bertola
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Phillip Hallam-Baker