IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

Stephane Bortzmeyer <bortzmeyer@nic.fr> Tue, 26 November 2019 18:13 UTC

Return-Path: <stephane@sources.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 622DF120A57 for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 10:13:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.651
X-Spam-Level:
X-Spam-Status: No, score=-1.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9pOdiJCas8wt for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 10:13:09 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AC8D120A41 for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 10:13:09 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id 379C6A02A0; Tue, 26 Nov 2019 19:13:08 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 613E1C9571; Tue, 26 Nov 2019 19:08:13 +0100 (CET)
Date: Tue, 26 Nov 2019 19:08:13 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, dns-privacy@ietf.org
Message-ID: <20191126180812.GB4452@sources.org>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <CAH1iCirHc4QFGYo_R-4TzWL2Q7G9XFj-6YKsvKsQS4dkx0-C2w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAH1iCirHc4QFGYo_R-4TzWL2Q7G9XFj-6YKsvKsQS4dkx0-C2w@mail.gmail.com>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 10.1
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/JUoFBIVbCxZngDB6g4l-KQAJ-wY>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 18:13:11 -0000

On Tue, Nov 26, 2019 at 09:51:14AM -0800,
 Brian Dickson <brian.peter.dickson@gmail.com> wrote 
 a message of 98 lines which said:

> However, if the only place the client is able to establish an
> encrypted path to is a forwarder, this leave open the possibility
> that the forwarder->(forwarder->[...])->resolver might involve one
> or more unencrypted connections.

I'm not sure I understand the problem. This case is just an instance
of a more general problem "the machine you talk with may betray you
and no amount of cryptography will help here". The resolver can send a
copy of all your requests to the NSA (or its chinese equivalent), or
it could use a forwarder over an unencrypted connection. What's the
difference?

v2.23.0 | Report a Bug | By Email