IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 26 November 2019 18:22 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 856DA1209C3 for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 10:22:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n8pKFzITHkE2 for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 10:22:40 -0800 (PST)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 119B21209B5 for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 10:22:40 -0800 (PST)
Received: by mail-vs1-xe32.google.com with SMTP id y13so1014971vsd.9 for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 10:22:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+X7aZdaCeLWzYYB1x4jbv2fAeHK9KKHyuAxFPOPELOY=; b=JVxQ5BgH0J2t4lTJZ65PtkJ91jnP2sAe7mXdXt4ptLzRdWZlcmRW5KUo8gIdyA31Kh CYbsuHzIXyzWg4/JI6PxWToOQD9fNHKxLnrcNKfygwy37il/8skAJEdgqtgRky8Ml1+5 VePxKrJlNW8nNCmBEO9U5YIoPplpG4dVk8hU7/G9CvQycAsBfEUFFKpE9+YRLj6onXWs Ia2N3wBA72R7C1vNW+jCrt7uzG0xWvEVHh98nCa6qPXm+2DcXghOdp6QUC9u98bnVZB5 J3ly+/3skai9XbqTkpRDS71/tMK13k5Cz8EuWonVj/zH0Ti1RBZKE+BYBwkRVJkmC+ve WZ6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+X7aZdaCeLWzYYB1x4jbv2fAeHK9KKHyuAxFPOPELOY=; b=D1scGCqAhVAtYDWCwH4WAsEIv0pTpk0ojRP51M/jpVV7lX7jGRTdylnne2Nqkvls8R aCtrI6x50KH1IIb8zykQIsR+nSTaEfZy7nGgWu1cZRWSP56L7OU4+8yFjtgsiWUWc9Bo Ox+f3Zown20mW3IkMXXaQhiWY350Uv6GBPh9Y2Zl9x0A0NtuyZ3BcCUl3DiqNMat+kaT zvuG9j77vlyevM1XuYzJd5Iw5XNDKDJqwwmkjUtyspne2ieiGsRLLqOMLIk45fqsbIzg Ad6zWYR98vNrSloNB7ZtQ5UiXw4yWtHz7rmXdIHg8Ibmdeo0KswMAAGgd3Mcm9zXwzO9 meAw==
X-Gm-Message-State: APjAAAWXai2NIJujfjwS4mT9ott6sMjKqVqM0L6H1d0lQ5HLsKiF6aKA CUbH7mG54TY4payHScEWqNkSsYdlKDQiKc5ms9A=
X-Google-Smtp-Source: APXvYqxr8nYxMjGpKllfvEZCaMsWh8JPWkTHO9vURyMO1iLSSf+9W1VsdMcNQGNF2JEaMkE/uz1XZ8g578mdP4RY74Q=
X-Received: by 2002:a67:db10:: with SMTP id z16mr23561648vsj.5.1574792559047; Tue, 26 Nov 2019 10:22:39 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <CAH1iCirHc4QFGYo_R-4TzWL2Q7G9XFj-6YKsvKsQS4dkx0-C2w@mail.gmail.com> <20191126180812.GB4452@sources.org>
In-Reply-To: <20191126180812.GB4452@sources.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 26 Nov 2019 10:22:26 -0800
Message-ID: <CAH1iCiqgY9ZgLUhcL6A-3h=O-_3N5ueBJFBnEWcdMDLvx-v5YQ@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="00000000000013b9e5059843f7f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/CrLy1YJI9OIL1VI-W_3V-IpPcr8>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 18:22:41 -0000

On Tue, Nov 26, 2019 at 10:13 AM Stephane Bortzmeyer <bortzmeyer@nic.fr>
wrote:

> On Tue, Nov 26, 2019 at 09:51:14AM -0800,
>  Brian Dickson <brian.peter.dickson@gmail.com> wrote
>  a message of 98 lines which said:
>
> > However, if the only place the client is able to establish an
> > encrypted path to is a forwarder, this leave open the possibility
> > that the forwarder->(forwarder->[...])->resolver might involve one
> > or more unencrypted connections.
>
> I'm not sure I understand the problem. This case is just an instance
> of a more general problem "the machine you talk with may betray you
> and no amount of cryptography will help here". The resolver can send a
> copy of all your requests to the NSA (or its chinese equivalent), or
> it could use a forwarder over an unencrypted connection. What's the
> difference?
>
>
The difference is whether the problem is fundamentally unsolvable vs a
solvable problem.

Clearly, a resolver which betrays your trust deliberately can't be fixed
with any technology, it's a layer-8 or layer-9 problem.

However, a forwarder chain may not be intentionally insecure, and may only
be the result of naive designs or lack of vendor support.

The resolver at the end of the forwarder chain may actually be trustworthy,
so having a way of talking directly to it, solves the issue.

It also does so in a way that does not adversely affect the DNS ecosystem,
and in fact doesn't adversely affect the resolver itself.

A forwarder (or chain of forwarders, or tree of forwarders rooted at the
resolver) sends every query to the resolver. Connecting directly to the
resolver does not change that load, it merely bypasses middle boxes that
are value-subtract devices.

If anything, DNS resolution should improve, since it would (in theory, at
least) reduce latency, and possibly reduce loss caused by (DNS) application
queueing compared to strict network-level (hardware) queue use.

Brian

v2.23.0 | Report a Bug | By Email