Re: [dns-privacy] Operating System API support for DNS security policy

Erik Kline <ek@loon.com> Tue, 20 August 2019 17:26 UTC

Return-Path: <ek@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23575120931 for <dns-privacy@ietfa.amsl.com>; Tue, 20 Aug 2019 10:26:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.249
X-Spam-Level:
X-Spam-Status: No, score=-9.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=loon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id twryZnXygGvv for <dns-privacy@ietfa.amsl.com>; Tue, 20 Aug 2019 10:26:20 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CC5612018D for <dns-privacy@ietf.org>; Tue, 20 Aug 2019 10:26:20 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id g17so13250941wrr.5 for <dns-privacy@ietf.org>; Tue, 20 Aug 2019 10:26:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=loon.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=Ov/N8Ah00ziGLeU+RW4m2aTjk08xJALP9xrEXWIlYpk=; b=A5/3GY6y2EKt4N6+q4Jw3Oow+ypJnbnF5fypwR9gLBfI1224tLPW13rFnFbEX6K7qu kwinYb6Qb+EX23d2hF+ICb1MiXwysmbqBLvnBdQ3DC8iGxwioneIyAwipLsDYVc56v18 0hYH5Yau+s4LcC5iO72R+eXtOA7EcVSAh3vVs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=Ov/N8Ah00ziGLeU+RW4m2aTjk08xJALP9xrEXWIlYpk=; b=Ytal2FM24tl7vvaLvjI9iAzkgWk+ogWBrHNasMP7nQU0MKWbfgabHv+A0rnhr21D3C xrL704VyieND+KBys/0EXCFJmVrv9FWVifmFgAX/VzF5ZuVmHs4qKspLULuPClv5UOlf gnDPTVjVFv0ryeHf7Bn5/zEI1v7JgCMmmQyl41R4mpDVQ/hb4YrzV38c9NwuEOj7HEBP Zhq3D4eGF+9M7SPcq/ak+CDdJdF2Z/hMs3u6WGaKcdkYp8XSMSflDmokLVRqorn2BIBc jIG+HLTohRkljikucHaXhxqRQk4L47S3/y1Y3iGPTxVlQDsoXuTN0sY8elIQYAUg2EOw Ks0w==
X-Gm-Message-State: APjAAAXbl0iuuYS70nx8RjxHEeNlV7pltFMch0dEIzTsQwHXAage1iKQ 6iNFziZUC4lwPxGMwFzWjrE3qyfrTA+ZUoIoK6aXaw==
X-Google-Smtp-Source: APXvYqwsvnM9cdVDMwoV+NHqCoO3f8BO5rUPI8uyn3+JPFXaMLDKgs8i5Hek9tixP4Qo5WPo5xH1QmXAgA7r1+2r+QA=
X-Received: by 2002:a5d:4b8b:: with SMTP id b11mr36692158wrt.294.1566321978414; Tue, 20 Aug 2019 10:26:18 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR10MB4046A5FC33FDE3192C93AA95B0A80@MN2PR10MB4046.namprd10.prod.outlook.com> <CY1PR00MB0074C6229B0418BDC1AEC45DFAA80@CY1PR00MB0074.namprd00.prod.outlook.com> <CA+nkc8Bk_AdP4w9m1wo8L+u98=ip7jrw13U-QdkF_GMhfYXKAA@mail.gmail.com> <ijd4mi.pwhxb9.31eoyz-qmf@mercury.scss.tcd.ie> <MN2PR10MB404640ABB9D1EFF1530880DEB0AB0@MN2PR10MB4046.namprd10.prod.outlook.com>
In-Reply-To: <MN2PR10MB404640ABB9D1EFF1530880DEB0AB0@MN2PR10MB4046.namprd10.prod.outlook.com>
Reply-To: ek@loon.com
From: Erik Kline <ek@loon.com>
Date: Tue, 20 Aug 2019 10:26:06 -0700
Message-ID: <CAAedzxpP4M5e=wceQtp4bGUVGQTktEjyeUqtNNt31XYxsR_NfQ@mail.gmail.com>
To: Iain Sharp <isharp@atis.org>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000210e9405908fc10c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ciRxeTZ_p_QRNSjNmWc3YaFA2pQ>
Subject: Re: [dns-privacy] Operating System API support for DNS security policy
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2019 17:26:23 -0000

On Tue, 20 Aug 2019 at 03:13, Iain Sharp <isharp@atis.org>; wrote:

> Thanks for the informative replies.
>
> The use cases I was thinking of are similar to those outlined by Bob and
> Stephen. Hypothetically, there might also be scenarios where the
> application wishes the DNS to be done without security (e.g. for debugging)
> though I don't know in practice how important these are.
>
> The getdns API is quite similar to what I had in mind. In getdns you can
> specify the transports you want from UDP, TCP and TLS. Possibly other
> levers may be needed for things like ESNI.
>
> Would the following be a fair summary of the discussion?
> 1) There is some support for the idea it would be useful for APIs to allow
> an application to at least know, and perhaps influence, what DNS security
> features will be used if it makes a DNS request via the operating system.
> 2) The getaddrinfo() API in RFC3493 doesn't provide this capability.
> 3) As far as we are aware there is no work in IETF currently on how to
> express security policy in DNS APIs, but the getdns API seems to have
> similar goals to point 1.
>

Re (3), I haven't been following taps work closely, but it seems like the
kind of thing they might have spent some cycles on.


> Regards
>
> Iain
>
>
>
> -----Original Message-----
> From: dns-privacy <dns-privacy-bounces@ietf.org>; On Behalf Of
> stephen.farrell@cs.tcd.ie
> Sent: 19 August 2019 19:14
> To: rharolde@umich.edu
> Cc: Iain Sharp <isharp@atis.org>;; dns-privacy@ietf.org; Jensen.Thomas=
> 40microsoft.com@dmarc.ietf.org
> Subject: Re: [dns-privacy] Operating System API support for DNS security
> policy
>
>
>
> On Monday, 19 August 2019, Bob Harold wrote:
> > On Mon, Aug 19, 2019 at 1:29 PM Tommy Jensen <Jensen.Thomas=
> > 40microsoft.com@dmarc.ietf.org>; wrote:
> >
> > > Hey Iain,
> > >
> > > Iain> Many applications rely on operating system APIs to access DNS
> > > services. As native support of DNS over TLS rolls out in to
> > > operating systems it seems likely that some applications will wish
> > > to control the security policy that the operating system applies
> > > when it performs DNS resolution. For example, the application may
> > > wish to require that the operating system uses an encrypted DNS
> protocol.
> > >
> > > I actually don't see this being necessary. Walking through the
> > > possibilities:
> > >
> > >    - If the OS supports DoT and the configured servers support it:
> > >       - OS should be using DoT whether the app requests it or not
> > >    - If the OS supports DoT but the servers don't:
> > >       - App intent isn't helpful (to the same server)
> > >    - If the OS doesn't support it:
> > >       - App intent isn't helpful
> > >
> > > I read this differently - the api needs to tell the app whether the
> > > OS
> > does encrypted DNS:
> >
> >    - OS supports DoT and can connect to a DoT resolver
> >       - App uses OS for DNS
> >    - OS does not support DoT
> >       - App connects to a DoT server itself, bypassing the OS  (even
> though
> >       I dislike this, unless the user has agreed)
> >    - OS supports DoT but cannot reach a DoT server
> >       - various choices, we don't need to discuss this now.
> >
>
> +1, there's also the case of TLS ESNI where the application wants to only
> do the lookup if DNS privacy will be used. Different applications may
> choose different  fallbacks if DNS privacy is  not available from the OS.
>
> Cheers,
> S.
>
>
> > --
> > Bob Harold
> >
> >
> > >
> > >
> > > My view is that the OS should be taking the most secure DNS route it
> > > has available regardless of app request (after all, think of all the
> > > apps which won't request DoT but should). In the case where the OS
> > > supports DoT but isn't using it, that decision is being made in the
> > > context of other information, such as enterprise configuration, that
> the app may not have.
> > >
> > > Iain> Unless operating systems support secure DNS standards and
> > > Iain> expose
> > > APIs to allow applications to use them effectively then applications
> > > that require secure DNS have little choice other than to roll their
> > > own implementations.
> > >
> > > I totally agree. Platforms should be providing the network tools
> > > apps need so all apps can benefit similarly, rather than leaving
> > > apps to figure out networking nuance on their own. I just think in
> > > this case that there should never have to be a situation where an
> > > app needs to request DNS encryption (because either it's already
> > > happening or it can't happen for some reason unknown to the app).
> > >
> > > Summary: I think such an API should be unnecessary on well-behaved
> > > platforms.
> > >
> > > Thanks,
> > > Tommy
> > > ------------------------------
> > > *From:* dns-privacy <dns-privacy-bounces@ietf.org>; on behalf of Iain
> > > Sharp <isharp@atis.org>;
> > > *Sent:* Monday, August 19, 2019 2:56 AM
> > > *To:* dns-privacy@ietf.org <dns-privacy@ietf.org>;
> > > *Subject:* [dns-privacy] Operating System API support for DNS
> > > security policy
> > >
> > >
> > > All,
> > >
> > >
> > >
> > > DNS over TLS offers the ability to perform DNS queries over a TLS
> > > secured channel. In my understanding, DNS over TLS is not yet
> > > available in all operating systems, but operating system support
> > > could become common in future.
> > >
> > >
> > >
> > > Many applications rely on operating system APIs to access DNS
> > > services. As native support of DNS over TLS rolls out in to
> > > operating systems it seems likely that some applications will wish
> > > to control the security policy that the operating system applies
> > > when it performs DNS resolution. For example, the application may
> > > wish to require that the operating system uses an encrypted DNS
> protocol.
> > >
> > >
> > >
> > > Today, most operating systems use the getaddrinfo() function
> > > described in
> > > RFC3493 as the basis of their API for translating DNS names to IP
> > > addresses, but this does not have security policy attributes.. Is
> > > anyone aware of any activity to enhance the RFC3493 work to add
> > > application control of security policy to the getaddrinfo()
> capabilities?
> > >
> > >
> > >
> > > Unless operating systems support secure DNS standards and expose
> > > APIs to allow applications to use them effectively then applications
> > > that require secure DNS have little choice other than to roll their
> own implementations.
> > >
> > >
> > >
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > > Iain
> > >
> >
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>