[dns-privacy] Trying to understand DNS resolver 'discovery'
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 26 November 2019 17:35 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F107B12110F for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 09:35:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.159
X-Spam-Level:
X-Spam-Status: No, score=-0.159 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.244, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id seHLcWrUUsxm for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 09:35:26 -0800 (PST)
Received: from mail-ot1-f53.google.com (mail-ot1-f53.google.com [209.85.210.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E3EF1210EA for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 09:35:25 -0800 (PST)
Received: by mail-ot1-f53.google.com with SMTP id 66so10496648otd.9 for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 09:35:25 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=2qFFmr2Uz89t0mRtB8IBhUryUNsej7fA0km3DDM1lnw=; b=A2STYO6j4LNe7BjnPRKbmQKRVCFkfrxJRiK7vBdIh96Oh6o1yanrw7xUBA0n9aEMw8 hm62eaO6yAiz4CG9JLDO1VRm/vUGGNeveMCSHB+mFQP/idLVHfK70UshPkISdj85+bjn qYvQvCYcXTbbp0KdAd2kInPz2yInmmc/sa13Xrei+7n/EbcY5Prt+Uo964fLLBMgo1dg FfJIjO+u1YOpu/cahFQj1ahAKc6nDzzC96ShTu/Dtf3fueh6Nng2t8Z5nxg1PPsA8zBE NYEFQeZCklbtt9h1sWmV90UJFU3al/j6/AblwjWYAUS+SmQIjTo18ySEqsbcsRGufs4p ONxw==
X-Gm-Message-State: APjAAAXapakrwcKn8VWUd5C7i8OgzrOd432q4TkKa+qasGhchaz/BF02 E9/WTFNb5+aqpEpjxGgHQjzdAX8BzgzH/dz2p2jC4DTO2k4=
X-Google-Smtp-Source: APXvYqwtsr9umUGM626OoFTFJALFLpOH4IaSRwcS500jSXjpUDx6e1GQ4b8+c898nM+2+OxcmqBsULj+gjuxio1cTiQ=
X-Received: by 2002:a05:6830:1152:: with SMTP id x18mr116689otq.87.1574789724045; Tue, 26 Nov 2019 09:35:24 -0800 (PST)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 26 Nov 2019 12:35:13 -0500
Message-ID: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com>
To: dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001909f90598434eab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/_AFm6d2Etr9mHwm2ltNxoAPlVW0>
Subject: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 17:35:28 -0000
This notion of DNS resolver discovery seems very strange to me. There are three ways in which a DNS resolver can be realistically determined by a client whether that is in the platform (Windows/OSX/Linux/etc) or the application. 1) Promiscuous DNS The client obtains the information to connect to a resolver either as part of DHCP configuration or by further interrogation of the local network. 2) Admin/User Configured DNS The client obtains the information to connect to a resolver through an Administrator or User configuration action. This may be inserting an IP address (8.8.8.8/1.1.1.1/etc) or some form of DNS label. 3) Application/Platform Provider Configuration. The application or OS platform can simply ignore user preferences and choose a DNS provider of its own liking. This is not an exhaustive enumeration of the possibilities of course. But please, assure me that we are not the brink of users being faced with pop ups asking them 'would you like to choose me as your DNS provider'. Of these three models, I have always considered (1) to be a security hole. It made some sense in the days when the smallest machine connected to the Internet was the size of a washing machine and portable computers didn't exist. But not today. [As a pragmatic matter, it will continue to be necessary for devices to use the local network DNS resolver for the purpose of connecting to WiFi in kiosk type environments. ] We might well see the third model being imposed by government decree in some places. Along with the DNSSEC root key to be used for validation. Yes, there are situations where split DNS has to be considered so that the device knows that when it is on the employer network it behaves differently. But I see those as being a subset of VPN config. If Alice works for example.com, then she can install a signed config file stating which DNS resolvers and IPSEC (or other VPN) parameters to use on which networks for which sets of DNS addresses. So what I see is a requirement for DNS resolver configuration. We already have rfc6763 to tell us how to get from a DNS label to an Internet service. Albeit one that presupposes the existence of a resolution mechanism. I don't see it being problematic to use the local DNS to do this resolution provided that 1) we have the means to authenticate the connection and 2) we only use this mechanism once, to perform initial configuration. DNS resolution service providers do need to change their IP configs from time to time of course. But there is an expectation that the resolver IP is stable over very long periods of time. Moving to DNS names for resolvers does not free us from this expectation in this case. In my view, choice of a DNS resolver should be an event backed by ceremony so while I think we can and should insist on DNSSEC authentication for the resolver[1], there is certainly a potential role for a WebPKI certificate to establish accountability (i.e. EV). There is also a potential role for use of rfc3709 (logotypes) to provide a strong security signal during a one-time configuration operation. [1] Even if the local resolver does not support DNSSEC or insists on the use of an untrusted root, the DPRIV service being connected to can provide this information as part of the initial handshake.
- [dns-privacy] Trying to understand DNS resolver '… Phillip Hallam-Baker
- Re: [dns-privacy] Trying to understand DNS resolv… Brian Dickson
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Brian Dickson
- Re: [dns-privacy] Trying to understand DNS resolv… Phillip Hallam-Baker
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Winfield, Alister
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Andrew Campling
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Kenji Baheux
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Vittorio Bertola
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Phillip Hallam-Baker