[dns-privacy] It's DNS Jim....
"Ralf Weber" <dns@fl1ger.de> Thu, 20 December 2018 09:20 UTC
Return-Path: <dns@fl1ger.de>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED33013110E for <dns-privacy@ietfa.amsl.com>; Thu, 20 Dec 2018 01:20:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s-T_IwDk1eRh for <dns-privacy@ietfa.amsl.com>; Thu, 20 Dec 2018 01:20:34 -0800 (PST)
Received: from smtp.guxx.net (nyx.guxx.net [85.10.208.173]) by ietfa.amsl.com (Postfix) with ESMTP id D0C2D130DF1 for <dns-privacy@ietf.org>; Thu, 20 Dec 2018 01:20:32 -0800 (PST)
Received: by nyx.guxx.net (Postfix, from userid 107) id E385C5F4046F; Thu, 20 Dec 2018 10:20:30 +0100 (CET)
Received: from [192.168.2.138] (p4FF539F4.dip0.t-ipconnect.de [79.245.57.244]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 35A7C5F40260 for <dns-privacy@ietf.org>; Thu, 20 Dec 2018 10:20:30 +0100 (CET)
From: Ralf Weber <dns@fl1ger.de>
To: dns-privacy@ietf.org
Date: Thu, 20 Dec 2018 10:20:28 +0100
X-Mailer: MailMate (1.12.3r5579)
Message-ID: <3B8D8372-7931-4CCE-A6CE-A8E3C12C4D5D@fl1ger.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/XDNRj-OtH39NLJTJHPVz2z8KMzI>
Subject: [dns-privacy] It's DNS Jim....
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2018 09:20:36 -0000
Moin! I apologise to Sara for stealing the tagline from her excellent article at RIPE ( https://labs.ripe.net/Members/sara_dickinson/doh-its-dns-jim-but-not-as-we-know-it ), but the one point I seem to miss on the requirements list is that we want a DNS solution. Now there are a lot of reasons why DNS is successful, but there are two both architectural and operational that I want to point out here and that IMHO are important: - Delegation of authority - Caching both are simple and effective which is why there semantics where kept when going from DNS to DNSSEC and I see no reason not to keep these semantics for going to encrypted DNS. I call it encrypted DNS and not DNS privacy as this is what we can do as DNS community, some of the privacy ideas on the interim or mailing list (timing deltas for queries, different outgoing behaviours depending on different inbound channels) are stuff that doesn’t take into how large scale DNS works these days. The biggest risk to privacy today are IMHO in HTTP land (ads, cookies) and not in the unencrypted connection between recursive and authoritaitve DNS servers. I’m not saying that we should not encrypt these sessions, but highly loaded server where the user can hide between hundreds of thousand other users is sufficiently private. Now not everyone can run or use those highly loaded servers and thus we are working on encrypting this traffic, but if you want 100% privacy you have to do a lot more on other lower levels (aka Tor) and we should not try to solve all the privacy problems here. A normal recursive resolver that usually handles 10s or 100s of thousands of request per second only can do so because it is getting most of the answers out of caches. For most providers these days the cache hit rates are above 90% meaning only every 10th packet he has to go out and look up something. As most queries require more than one outgoing query to answer it cold (and sometimes even hot) these number in real life is even higher, and answers from cache are fast as there is no waiting for a reply packet, which is why a lot of modern resolvers pre fetch popular content when it’s about to expire, which again is a great privacy feature as the actual incoming ask can never relate to an outgoing query for popular domain other then when the server is started. So going to 2 different caches for dns privacy or disabling caches seems like a no starter for me. Also as answering from cache and recursing is different and often lives in independent threats, so far that it not always possible to digest what caused a outgoing query (as the recursive/iterative process causes lots of recursions). Also being different code paths usually enhancements to the recursive part are given to all users and not just a portion of users. That is true for DNSSEC (if you turn it on all users gain validation) and should be also true for encrypted DNS. Now onto delegation, we have a clear way of delegating information down the tree to a different entity. All the information needed is handed down from the parent (NS and Glue for DNS plus DS for DNSSEC). This seems to be the natural place to put information about enrypted DNS (maybe TNS, Glue and TDS or something for keys), and while I worked with software that encoded key material in name server names I don’t think it will fly as people want to name their name servers. So these are my two cents (and only my personal views) to the discussion as I missed the interim meeting. So long -Ralf ——- Ralf Weber
- [dns-privacy] It's DNS Jim.... Ralf Weber
- Re: [dns-privacy] It's DNS Jim.... manu tman