Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 27 November 2019 14:28 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21915120915 for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 06:28:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LSCiTIJScpbL for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 06:28:44 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 028661200F9 for <dns-privacy@ietf.org>; Wed, 27 Nov 2019 06:28:44 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 7AFC7280601; Wed, 27 Nov 2019 15:28:42 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id 746E928071C; Wed, 27 Nov 2019 15:28:42 +0100 (CET)
Received: from relay01.prive.nic.fr (unknown [10.1.50.11]) by mx4.nic.fr (Postfix) with ESMTP id 6CAF9280601; Wed, 27 Nov 2019 15:28:42 +0100 (CET)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 65CD0663E080; Wed, 27 Nov 2019 15:28:42 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 537364028D; Wed, 27 Nov 2019 15:28:42 +0100 (CET)
Date: Wed, 27 Nov 2019 15:28:42 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Phillip Hallam-Baker <phill@hallambaker.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Message-ID: <20191127142842.GA18601@nic.fr>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <20191126180441.GA4452@sources.org> <CY4PR1601MB125470ADE243F60FB710E8C7EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CY4PR1601MB125470ADE243F60FB710E8C7EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
X-Operating-System: Debian GNU/Linux 10.2
X-Kernel: Linux 4.19.0-6-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Bogosity: No, tests=bogofilter, spamicity=0.000050, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.11.5.63017
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/_EAvZZ1OVfqUpGAUX00wvzwjNnA>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 14:28:46 -0000
On Wed, Nov 27, 2019 at 09:07:15AM +0000, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> wrote a message of 72 lines which said: > > *All* "automatic discovery of the DoH resolver" schemes are broken > > by design and I really wonder why people keep suggesting them. > > Not all discovery mechanisms have security holes, you may want to > look into > https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05. It seems to me that this draft has exactly the same problem as every other "resolver discovery" proposal: it gives complete power to the access network to indicate the resolver to use. If you use DoH/DoT, it is because you don't trust the access network. Relying on it to indicate a DoH/DoT resolver is pointless. For instance, if your access provider has a lying resolver and you want to escape it with DoH/DoT access to an external resolver, I don't see how this draft helps you.
- [dns-privacy] Trying to understand DNS resolver '… Phillip Hallam-Baker
- Re: [dns-privacy] Trying to understand DNS resolv… Brian Dickson
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Brian Dickson
- Re: [dns-privacy] Trying to understand DNS resolv… Phillip Hallam-Baker
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Stephane Bortzmeyer
- Re: [dns-privacy] Trying to understand DNS resolv… Neil Cook
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Winfield, Alister
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Andrew Campling
- Re: [dns-privacy] Trying to understand DNS resolv… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] Trying to understand DNS resolv… Kenji Baheux
- Re: [dns-privacy] Trying to understand DNS resolv… Livingood, Jason
- Re: [dns-privacy] Trying to understand DNS resolv… Vittorio Bertola
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Trying to unders… Phillip Hallam-Baker