Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Livingood, Jason" <Jason_Livingood@comcast.com> Wed, 27 November 2019 16:15 UTC

From: "Livingood, Jason" <Jason_Livingood@comcast.com>
To: Neil Cook <neil.cook@noware.co.uk>, Stephane Bortzmeyer <bortzmeyer@nic.fr>
CC: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Phillip Hallam-Baker <phill@hallambaker.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Wed, 27 Nov 2019 16:14:56 +0000
Message-ID: <AA123AB1-256B-4EB9-976F-186FDB7592D8@cable.comcast.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <20191126180441.GA4452@sources.org> <CY4PR1601MB125470ADE243F60FB710E8C7EA440@CY4PR1601MB1254.namprd16.prod.outlook.com> <20191127142842.GA18601@nic.fr> <04A83ADF-C347-49C2-AB8D-D6D905C179A7@noware.co.uk>
In-Reply-To: <04A83ADF-C347-49C2-AB8D-D6D905C179A7@noware.co.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/V3LHbKdnj4vvhI0E-g678OchprU>

On 11/27/19, 9:55 AM, "dns-privacy on behalf of Neil Cook" <dns-privacy-bounces@ietf.org on behalf of neil.cook@noware.co.uk> wrote:
>> If you use DoH/DoT, it is because you don't trust the access network.
>It says nothing about whether you trust the access network.

[JL] I agree with Neil. IMO the use of encrypted DNS is orthogonal to whether or not you trust your access network. For example, in the case of a user being concerned over the privacy of their queries to a public DNS that is a few hops off their ISP/enterprise/EDU/GOV network, there are many networks that may or may not be trusted or even known by the end user. So suggesting that encryption of DNS is solely because of access network issues does not make sense - there are many reasons and many potential threats and risks where encryption may help that have nothing to do with that.

>> Relying on it to
>> indicate a DoH/DoT resolver is pointless.

> You’re conflating the lack of trust in the access network with discovery. Yes, if you don’t trust the access network then you may not want to use a discovery protocol to indicate the best way to contact the resolver over DoT/DoH.

[JL] Today we have nothing but manually crafted whitelists, etc. So anything automated will be better IMO. A discovery mechanism just provides info though - it does not mandate trust or a particular OS or app/client decision. So a browser in one example can take the info from DHCP or similar automated discovery mechanism and take it as a useful bit of data or choose to ignore it, based on app or user decision. It would seem our job is to specify potential discovery mechanisms - each of which will come with pros/cons/risks (and none being perfect) for various use cases - and let the client/app or user decide what to do with that.
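As an added illustration (not part of the original message, and not any IETF-specified mechanism) of the split Jason describes between discovery, which only supplies information, and the client or user decision about whether to act on it. The hint fields, the policy fields and the decision order are assumptions made up for this example; the sample hints are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ResolverHint:
    """Encrypted-resolver info as a discovery mechanism (e.g. DHCP) might hand it to a client.
    Field names are assumptions for this example, not any standardised option format."""
    source: str      # who supplied the hint: "dhcp" (access network) or "user" (manual config)
    ip: str          # address of the encrypted resolver
    protocol: str    # "dot" or "doh"
    auth_name: str   # name the client would authenticate the resolver against

@dataclass(frozen=True)
class ClientPolicy:
    """Per-app or per-user rules applied to hints; discovery itself mandates nothing."""
    trust_network_hints: bool     # does this user/app treat the access network as trusted?
    allowlisted_names: frozenset  # resolver names the user or OS has explicitly approved

def choose_resolver(hint: Optional[ResolverHint], policy: ClientPolicy) -> str:
    """Decide what to do with a discovery hint. Order (an assumed policy, not a standard):
    1. no hint              -> keep current behaviour;
    2. user-supplied hint   -> use it (the user is the trust anchor);
    3. allowlisted name     -> use it (the allowlist, not the network, is the trust anchor);
    4. trusted network      -> use it, because this user/app chose to trust the access network;
    5. anything else        -> ignore the hint; an untrusted network can inject arbitrary hints."""
    if hint is None:
        return "keep-current"
    if hint.source == "user":
        return f"use:{hint.protocol}:{hint.auth_name}"
    if hint.auth_name in policy.allowlisted_names:
        return f"use:{hint.protocol}:{hint.auth_name}"
    if policy.trust_network_hints:
        return f"use:{hint.protocol}:{hint.auth_name}"
    return "ignore-hint"

# Constructed sample: the same DHCP hint evaluated under two different client policies.
DHCP_HINT = ResolverHint("dhcp", "192.0.2.53", "dot", "resolver.example.net")
CAUTIOUS = ClientPolicy(trust_network_hints=False, allowlisted_names=frozenset({"dns.example.org"}))
TRUSTING = ClientPolicy(trust_network_hints=True, allowlisted_names=frozenset())

if __name__ == "__main__":
    print("cautious client:", choose_resolver(DHCP_HINT, CAUTIOUS))  # ignore-hint
    print("trusting client:", choose_resolver(DHCP_HINT, TRUSTING))  # use:dot:resolver.example.net
```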