Re: [dns-privacy] NS names, was re-evaluation of the draft, was Re: [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Paul Wouters <paul@nohats.ca> Wed, 10 June 2020 13:37 UTC

From: Paul Wouters <paul@nohats.ca>
Date: Wed, 10 Jun 2020 09:37:23 -0400
Message-Id: <EF30ADBD-3EFA-4224-8828-C6E019F03887@nohats.ca>
References: <CAHPuVdVJ2_DoPpb5C2ET8kEzvfDHACPNQP-2r__sVTQ76WmL4w@mail.gmail.com>
Cc: Christian Huitema <huitema@huitema.net>, dns-privacy@ietf.org
In-Reply-To: <CAHPuVdVJ2_DoPpb5C2ET8kEzvfDHACPNQP-2r__sVTQ76WmL4w@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/U_P3VFPDDwaDVUWjYatwaSxv08Q>

On Jun 10, 2020, at 07:55, Shumon Huque <shuque@gmail.com> wrote:
> 
> The more I think about all the privacy leaks that have to be plugged at
> the DNS and application layers, Tor increasingly looks better as a
> general purpose solution (either as a network to funnel DNS messages
> through, or even better, having zone operators locate authority servers
> inside Tor as hidden services). It has a significant performance cost,
> but real privacy always does.

You don’t really mean Tor, but you mean a shared pool of resolvers used by a large group that breaks the one-on-one relationship between queries and answers.

It’s fine if we connect to that using DoT or DoH.

I said it before, we need to have something like pool.ntp.org for DNS recursives, where instances also feed each other and do prefetching. Unfortunately, the competition here is large free DNS providers who kind of do the same thing but for different reasons and for which we don’t know what their privacy and filtering policies will be in 10 years, even if we trust them now.

The problem is detecting and ejecting rogue nodes before they can do real harm.

Paul
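The shared-resolver-pool idea and the rogue-node problem raised above, as an added example that is not from the thread or from any real pool: a constructed simulation in which a client spreads queries across pool members (so no single member sees the whole query stream), re-asks a random quorum for a fraction of queries, and ejects a member whose answers are repeatedly outvoted. The zone data, the member names, the RFC 5737 addresses and the audit parameters (`audit_rate`, `quorum`, `strike_limit`) are all assumptions made for the example.

```python
"""Constructed simulation of a shared recursive-resolver pool with answer
cross-checking. Example code added to this archive page; the pool members,
zone data and thresholds are made up and stand in for no real operator."""
import random
from collections import Counter

# Constructed "ground truth": what an honest recursive returns for each name.
HONEST_ZONE = {
    "www.example.": "192.0.2.10",
    "mail.example.": "192.0.2.25",
    "api.example.": "192.0.2.40",
}


class Resolver:
    """One pool member. `forged` maps names to the bogus answers a rogue serves."""

    def __init__(self, name, forged=None):
        self.name = name
        self.forged = forged or {}
        # Everything this member could log: pooling spreads this exposure
        # across members, it does not remove it.
        self.seen = []

    def resolve(self, qname):
        self.seen.append(qname)
        return self.forged.get(qname, HONEST_ZONE.get(qname, "NXDOMAIN"))


class Pool:
    """Client-side view of the pool: rotate members, audit a sample, eject liars."""

    def __init__(self, members, audit_rate=0.5, quorum=3, strike_limit=2, seed=0):
        self.active = list(members)
        self.ejected = []
        self.strikes = Counter()
        self.audit_rate = audit_rate
        self.quorum = quorum
        self.strike_limit = strike_limit
        self.rng = random.Random(seed)  # seeded so runs are reproducible

    def query(self, qname):
        node = self.rng.choice(self.active)   # a different member each time
        answer = node.resolve(qname)
        if len(self.active) > 1 and self.rng.random() < self.audit_rate:
            self._audit(node, qname, answer)
        return answer

    def _audit(self, node, qname, answer):
        # Re-ask up to `quorum` other members; the audited member's own answer
        # counts as one vote. A strike needs a rival answer with strictly more
        # votes, so a tie never penalises anyone.
        others = [m for m in self.active if m is not node]
        sample = self.rng.sample(others, min(self.quorum, len(others)))
        votes = Counter(m.resolve(qname) for m in sample)
        votes[answer] += 1
        rival = max((c for a, c in votes.items() if a != answer), default=0)
        if rival > votes[answer]:
            self.strikes[node.name] += 1
            if self.strikes[node.name] >= self.strike_limit:
                self.active.remove(node)
                self.ejected.append(node.name)


def simulate(n_queries=600, seed=1):
    """Four honest members plus one that forges www.example.; returns what happened."""
    honest = [Resolver(f"honest-{i}") for i in range(4)]
    rogue = Resolver("rogue", forged={"www.example.": "203.0.113.66"})
    pool = Pool(honest + [rogue], seed=seed)
    names = list(HONEST_ZONE)
    bad_answers = 0
    for i in range(n_queries):
        qname = names[i % len(names)]
        if pool.query(qname) != HONEST_ZONE[qname]:
            bad_answers += 1  # forged answers reach the client until ejection
    exposure = {m.name: len(m.seen) for m in honest + [rogue]}
    return {
        "ejected": pool.ejected,
        "active": sorted(m.name for m in pool.active),
        "bad_answers": bad_answers,
        "exposure": exposure,
    }


if __name__ == "__main__":
    print(simulate())
```

Two caveats the simulation makes visible. First, the rogue is only caught after it has already handed the client at least `strike_limit` forged answers; quorum checking limits harm, it does not prevent it, which is why DNSSEC validation on the client side is the stronger complement for forged data. Second, cross-checking only detects members that lie; a member that answers honestly but logs every query is indistinguishable by this method, and each audit sends the query to several more members, widening exactly the exposure the pool was meant to dilute.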