Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

Neil Cook <neil.cook@noware.co.uk> Wed, 27 November 2019 14:55 UTC

From: Neil Cook <neil.cook@noware.co.uk>
In-Reply-To: <20191127142842.GA18601@nic.fr>
Date: Wed, 27 Nov 2019 14:55:08 +0000
Cc: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>
Message-Id: <04A83ADF-C347-49C2-AB8D-D6D905C179A7@noware.co.uk>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <20191126180441.GA4452@sources.org> <CY4PR1601MB125470ADE243F60FB710E8C7EA440@CY4PR1601MB1254.namprd16.prod.outlook.com> <20191127142842.GA18601@nic.fr>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/EpLesGdUiH5trLnNQueL7d1siR0>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'


> On 27 Nov 2019, at 14:28, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:

> If you use DoH/DoT, it is because you don't trust the access network.

It says nothing about whether you trust the access network. You *may* be using DoH/DoT because you don’t trust the access network. However, you may trust the access network, for example, but the resolver it gives you may be located somewhere else entirely, and your queries may be transiting an untrusted network.

> Relying on it to
> indicate a DoH/DoT resolver is pointless.
> 

You’re conflating the lack of trust in the access network with discovery. Yes, if you don’t trust the access network then you may not want to use a discovery protocol to indicate the best way to contact the resolver over DoT/DoH. 

However what if you have configured a resolver manually using an IP address, and want to opportunistically upgrade to DoT/DoH if the resolver supports it?

Neil
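The opportunistic upgrade described in the last paragraph, as an added example that is not part of the original message or of any project's code: given only a manually configured resolver IP, the client tries DoT (TLS on port 853, RFC 7858 framing) first and falls back to classic UDP/53 when nothing answers there. The function names, the TEST-NET-1 address 192.0.2.53 and the stub responders are assumptions made for illustration; the transports are pluggable so the demo runs offline. The caveat a practitioner would want: with only an IP there is no authentication domain name to validate the certificate against, so the TLS step is unauthenticated, and an on-path attacker who blocks port 853 simply forces the fallback. That is the opportunistic profile of RFC 8310, not the strict one.

```python
import socket
import ssl
import struct
from typing import Callable, List, Optional, Tuple

# --- minimal DNS wire format (RFC 1035), enough for an A query/answer ---

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query, RD set, one question (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)

def build_answer_a(query: bytes, ips: List[str], ttl: int = 300) -> bytes:
    """Constructed response to `query` (used by the offline stubs): QR/RD/RA set,
    one A RR per IP, owner name as a compression pointer to the question."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, len(ips), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + query[12:] + rrs

def _skip_name(msg: bytes, pos: int) -> int:
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_answer_a(msg: bytes) -> Tuple[int, List[str]]:
    """Return (txid, [IPv4 strings]); RRs that are not A records are skipped."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return txid, addrs

# --- transports: DoT (RFC 7858 = TCP framing with a 2-byte length) and UDP/53 ---

def dot_frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf

Transport = Callable[[str, bytes], Optional[bytes]]

def dot_transport(ip: str, msg: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Try TLS on port 853. Returns None when the resolver does not answer there
    (refused, timeout, TLS failure) so the caller can fall back. With only an IP
    configured there is no name to validate the certificate against, so this is
    the unauthenticated, downgradable opportunistic profile (RFC 8310)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                tls.sendall(dot_frame(msg))
                (n,) = struct.unpack("!H", _recv_exact(tls, 2))
                return _recv_exact(tls, n)
    except OSError:          # includes socket.timeout and ssl.SSLError
        return None

def do53_transport(ip: str, msg: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Classic UDP/53; returns None on timeout or socket error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(msg, (ip, 53))
            return s.recv(4096)
        except OSError:
            return None

def opportunistic_resolve(ip: str, qname: str, dot: Transport = dot_transport,
                          do53: Transport = do53_transport) -> Tuple[str, List[str]]:
    """Query a manually configured resolver IP, upgrading to DoT when offered and
    falling back to Do53 otherwise. Returns (transport used, A addresses)."""
    q = build_query(qname)
    resp, used = dot(ip, q), "dot"
    if resp is None:
        resp, used = do53(ip, q), "do53"
    if resp is None:
        raise RuntimeError("resolver answered on neither 853 nor 53")
    rid, addrs = parse_answer_a(resp)
    if rid != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return used, addrs

if __name__ == "__main__":
    # Offline demo with stub transports (192.0.2.0/24 is TEST-NET-1, never routed).
    answer = lambda ip, m: build_answer_a(m, ["192.0.2.1"])
    silent = lambda ip, m: None
    print(opportunistic_resolve("192.0.2.53", "example.com", dot=answer, do53=answer))
    print(opportunistic_resolve("192.0.2.53", "example.com", dot=silent, do53=answer))
```

Against a real resolver, drop the `dot=`/`do53=` arguments and the network transports are used; the fallback path is what an attacker blocking 853 would force, which is why a client that has a name for the resolver should pin it and fail closed instead.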