[dns-privacy] Operating System API support for DNS security policy

Iain Sharp <isharp@atis.org> Mon, 19 August 2019 09:56 UTC

From: Iain Sharp <isharp@atis.org>
To: dns-privacy@ietf.org
Date: Mon, 19 Aug 2019 09:56:37 +0000
Message-ID: <MN2PR10MB4046A5FC33FDE3192C93AA95B0A80@MN2PR10MB4046.namprd10.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/DwjE7ExrPJqz1klMuvXpJWY_Jnc>
List-Id: <dns-privacy.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>

All,

DNS over TLS offers the ability to perform DNS queries over a TLS secured channel. In my understanding, DNS over TLS is not yet available in all operating systems, but operating system support could become common in future.

Many applications rely on operating system APIs to access DNS services. As native support of DNS over TLS rolls out into operating systems it seems likely that some applications will wish to control the security policy that the operating system applies when it performs DNS resolution. For example, the application may wish to require that the operating system uses an encrypted DNS protocol.

Today, most operating systems use the getaddrinfo() function described in RFC3493 as the basis of their API for translating DNS names to IP addresses, but this does not have security policy attributes. Is anyone aware of any activity to enhance the RFC3493 work to add application control of security policy to the getaddrinfo() capabilities?

Unless operating systems support secure DNS standards and expose APIs to allow applications to use them effectively, applications that require secure DNS have little choice other than to roll their own implementations.


Thanks

Iain
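
The "roll your own" path the message refers to, as an added example that is not part of the original post and not code from any operating system resolver: a minimal DNS-over-TLS (RFC 7858) lookup using only the Python standard library. It shows the pieces an application must carry itself when getaddrinfo() cannot be told to demand an encrypted transport: encoding the RFC 1035 query, opening a TLS 1.2+ connection to port 853 with chain and hostname verification, the two-byte length framing, and parsing the compressed answer section. The resolver IP and certificate name passed to resolve_over_tls() are caller-supplied assumptions, and SAMPLE_RESPONSE is a constructed message (example.com A 192.0.2.1), not a capture from a real resolver.

```python
"""Minimal DNS-over-TLS (RFC 7858) lookup using only the Python standard library.

Added example, not code from the original message or from any OS resolver: it
shows what an application has to implement itself when the platform
getaddrinfo() offers no way to demand an encrypted transport.
"""
import secrets
import socket
import ssl
import struct

DOT_PORT = 853          # RFC 7858 well-known port
TYPE_A, TYPE_AAAA = 1, 28
MAX_POINTER_JUMPS = 32  # guard against looping compression pointers


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Encode an RFC 1035 query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                        # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes, expected_txid: int) -> list:
    """Return [(owner, 'A'|'AAAA', address, ttl)] from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((owner, "A", socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == TYPE_AAAA and rdlen == 16:
            answers.append((owner, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata), ttl))
    return answers


def make_tls_context() -> ssl.SSLContext:
    """The TLS policy getaddrinfo() cannot express: verified chain, hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()               # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def resolve_over_tls(name: str, resolver_ip: str, resolver_name: str,
                     qtype: int = TYPE_A, port: int = DOT_PORT) -> list:
    """Query one name over DoT; resolver_name is what the certificate must match (assumed caller input)."""
    txid = secrets.randbelow(0x10000)
    query = build_query(name, qtype, txid)
    ctx = make_tls_context()
    with socket.create_connection((resolver_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 two-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


# Constructed sample response (not captured from a real resolver): example.com A 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"                  # header: QR, RD, RA, RCODE 0
    b"\x07example\x03com\x00\x00\x01\x00\x01"                            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"  # answer: ptr->12, A, IN, 300, 192.0.2.1
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
    # Live lookup (network required); resolver address and name are caller-supplied assumptions:
    # print(resolve_over_tls("example.com", "<resolver-ip>", "<resolver-hostname>"))
```

Everything in make_tls_context() and resolve_over_tls() is policy the application is forced to own: which resolver to trust, what name its certificate must carry, the minimum TLS version, and what to do when the TLS handshake fails. Doing the lookup at this layer also bypasses whatever the OS resolver provides (its cache, /etc/hosts, search domains, nsswitch ordering), which is the practical cost of not having a policy hook in the getaddrinfo() path.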