Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 27 November 2019 14:09 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Neil Cook <neil.cook@noware.co.uk>, Phillip Hallam-Baker <phill@hallambaker.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] Trying to understand DNS resolver 'discovery'
Date: Wed, 27 Nov 2019 14:09:29 +0000
Message-ID: <CY4PR1601MB12548C14E99A2690FC944F52EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <88D54B12-AFAB-4931-A663-775824C46C38@noware.co.uk>
In-Reply-To: <88D54B12-AFAB-4931-A663-775824C46C38@noware.co.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/V6T2Mmd0fSSUuC5W3hXc_1rFGuE>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

> -----Original Message-----
> From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Neil Cook
> Sent: Wednesday, November 27, 2019 3:02 PM
> To: Phillip Hallam-Baker <phill@hallambaker.com>
> Cc: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
> 
> > On 26 Nov 2019, at 17:35, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> >
> > So what I see is a requirement for DNS resolver configuration. We already
> > have rfc6763 to tell us how to get from a DNS label to an Internet service.
> > Albeit one that presupposes the existence of a resolution mechanism. I don't
> > see it being problematic to use the local DNS to do this resolution provided
> > that 1) we have the means to authenticate the connection and 2) we only
> > use this mechanism once, to perform initial configuration.
> >
> 
> How will the connection to the local resolver be authenticated? Also,
> presumably this mandates the use of DNSSEC by the client?

The client can validate the server certificate signed by a CA, and it will work for Enterprise deployments. However, it will be challenging for the DNS forwarder co-located on the home router to get the certificate signed by a CA today, but it may be possible in future with ACME https://tools.ietf.org/html/draft-ietf-acme-ip-08 and IPv6.

-Tiru

> 
> Neil
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
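An added example, not part of the thread, showing the certificate check Tiru describes using the OpenSSL command line. Everything in it is constructed for the demo: a throwaway root CA standing in for a public CA, a resolver certificate whose only identity is an IP-address subjectAltName (the identifier type draft-ietf-acme-ip would let an ACME CA issue after validating control of the address), and a self-signed certificate of the kind a home-router forwarder would generate on its own. The addresses come from TEST-NET-1 (192.0.2.0/24) and the file names are assumptions; it needs OpenSSL 1.1.0 or later for `-verify_ip`.

```shell
#!/bin/sh
# Added example (not from the thread). A client that discovered a resolver by
# IP address authenticates it by (1) chaining the presented certificate to a
# trusted CA and (2) checking the certificate is for the address it connected
# to. The CA, the 192.0.2.x addresses and the file names are constructed here.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
RESOLVER_IP="192.0.2.1"

# Generate an RSA key and a CSR: $1 = file basename, $2 = CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Throwaway root standing in for a public CA the client trusts.
make_ca() {
  new_csr ca "Demo Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# CA-issued leaf whose only identity is an IP-address SAN, i.e. what an ACME
# CA would issue to a resolver after validating control of that address.
issue_ip_cert() {   # $1 = file basename, $2 = IP address
  new_csr "$1" "dns-resolver"
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -days 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Self-signed cert with the same IP SAN, as a home-router forwarder that has
# no CA-issued certificate would present.
make_self_signed() {  # $1 = file basename, $2 = IP address
  new_csr "$1" "home-router"
  printf 'subjectAltName=IP:%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The client-side check: chain to the trusted CA AND match the reference
# identity (the IP the client connected to). Exit status 0 means accepted.
verify_resolver_cert() {  # $1 = cert file, $2 = IP the client connected to
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Prints "accepted" or "rejected" for a cert basename and an address.
case_result() {  # $1 = cert basename, $2 = IP
  if verify_resolver_cert "$WORK/$1.pem" "$2"; then echo accepted; else echo rejected; fi
}

make_ca
issue_ip_cert resolver "$RESOLVER_IP"
make_self_signed router "$RESOLVER_IP"

echo "CA-issued cert, address the client connected to: $(case_result resolver "$RESOLVER_IP")"
echo "CA-issued cert, some other address:              $(case_result resolver 192.0.2.99)"
echo "self-signed home-router cert:                    $(case_result router "$RESOLVER_IP")"
```

The second case is why the reference identity has to be checked and not just the chain: a certificate validly issued to one resolver must not let it pose as another. The third case is Tiru's caveat in miniature: a forwarder that can only self-sign fails the chain check however correct its SAN is, until something like ACME IP-identifier issuance gives it a CA-signed certificate. In a real DoT or DoH client both checks happen inside the TLS handshake (the library's chain validation plus the hostname or IP match).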