IETF Logo Mail Archive

Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt

Paul Wouters <paul@nohats.ca> Tue, 19 August 2014 21:01 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9749D1A04C5 for <dns-privacy@ietfa.amsl.com>; Tue, 19 Aug 2014 14:01:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.668
X-Spam-Level:
X-Spam-Status: No, score=-2.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nkFGbBp0QGH0 for <dns-privacy@ietfa.amsl.com>; Tue, 19 Aug 2014 14:01:18 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53D191A013B for <dns-privacy@ietf.org>; Tue, 19 Aug 2014 14:01:18 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 14A2C81790; Tue, 19 Aug 2014 17:01:17 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1408482077; bh=qGftZ3ok/wOK7qNInSQUCTv8Rkfs0tiyJJvInR9fAb4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=NbRwID+LNIevjJo+tdm669ap41Tc1jGgd3Ry5orFZvat9y3pOCImywjenEduHdPrQ 07CuCyrIO0XDe9ZvI15eu4SkfRiEUgw9L3ZQqQ505JQr2SxmsgSYfYAq1AUBG61pVU 4oFXMmCxB2LmZ0G0IVIzvgD1+OaV2BDfc7cZR6k8=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s7JL1EBM001690; Tue, 19 Aug 2014 17:01:14 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Tue, 19 Aug 2014 17:01:14 -0400
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <361D96E3-CD31-4E2B-88E3-46E44D6F8C3D@vpnc.org>
Message-ID: <alpine.LFD.2.10.1408191650420.22835@bofh.nohats.ca>
References: <20140818175701.12317.96810.idtracker@ietfa.amsl.com> <FF99C324-2959-48EB-A187-18007F7AA364@vpnc.org> <CAJE_bqeoUx2gFsnVgZYfoWASkHaMgKW4tR552YRmQ4ZNzH1M=g@mail.gmail.com> <361D96E3-CD31-4E2B-88E3-46E44D6F8C3D@vpnc.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/Tqz9LIBY59fDPbo4Eo1nzOnZ3Ms
Cc: dns-privacy@ietf.org, 神明達哉 <jinmei@wide.ad.jp>
Subject: Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 21:01:19 -0000

On Tue, 19 Aug 2014, Paul Hoffman wrote:

>> I wonder this 'MUST' may be too strong (or I don't fully understand
>> the sense of this MUST).  Since the upstream recursive resolver may or
>> may not support the TLS extension, the DNS forwarder may end up giving
>> up the resolution altogether.  But depending on the stub clients'
>> policy it may be still better to provide encryption between the stub
>> and the forwarder.
>
> Good catch. Proposed replacement to handle the case where the recursive resolver doesn't do TLS:
>
>  A stub resolver cannot tell whether it is sending queries to a
>  recursive resolver or to a DNS forwarder.  Therefore, a DNS forwarder
>  that acts as a TLS server for DNS requests MUST also attempt to act as a TLS
>  client for queries to its upstream recursive resolvers, but MAY
>  use the normal DNS protocol on port 53 if an upstream recursive
>  resolver does set up a TLS session.

A resolver at a coffee shop is mostly concerned about protecting the DNS
in the public wifi, and might not worry at all about its DSL uplink,
especially when it has no real reason to trust its own uplink. So I
would just make it very generic:

   a DNS forwarder that acts as a TLS server for DNS requests SHOULD
   attempt to use TLS with its upstream resolver(s) to maximize the
   anonymity of its stub clients.

> Sure, let's be explicit. Proposed addition to the policy section:
>
> If a recursive resolver does not respond on port 443 or set up a TLS session, the stub resolver MAY use the normal DNS protocol on port 53.

MAY sounds a little odd here. If there is no preconfiguration for
authenticating this resolver, I don't think we should advise
stubs to refuse to do DNS completely, which is what the MAY is
suggesting as a valid option. (this is breaking the "opportunistic
security design pattern recommendation advise" :)

How about:

 	If a recursive resolver for which an authentication method is
 	available does not respond on port 443 or fails to set up a TLS
 	session, the stub resolver SHOULD NOT use that resolver over
 	unencrypted DNS using port 53. If no authentication method is
 	available for the recusive resolver, the stub resolver SHOULD
 	fallback to using cleartext DNS on port 53.

Paul

v2.23.0 | Report a Bug | By Email