Re: [dns-privacy] Operating System API support for DNS security policy

Mark Andrews <marka@isc.org> Wed, 21 August 2019 03:48 UTC

From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAChr6Szutd5Z=Ern4qaGuGq+jMm3_xG57TKLfjkA-7FXWk5qWA@mail.gmail.com>
Date: Wed, 21 Aug 2019 13:48:43 +1000
Cc: dns-privacy@ietf.org
Message-Id: <3112C3A8-C034-4975-A7E8-29EAD9C1478E@isc.org>
References: <CAChr6Szutd5Z=Ern4qaGuGq+jMm3_xG57TKLfjkA-7FXWk5qWA@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/d_w0EZQdZrJweIlIZWYhfl5MagM>
Subject: Re: [dns-privacy] Operating System API support for DNS security policy

It was defined by the IETF and taken up by POSIX.  It’s designed to be extensible.

There is absolutely nothing preventing extensions which pass in trust anchors or
requiring that answers validate as secure.  Just use your imagination.

e.g. add trust anchors to hints.

Mark

> On 21 Aug 2019, at 12:34 pm, Rob Sayre <sayrer@gmail.com> wrote:
> 
> > Would the following be a fair summary of the discussion?
> > 1) There is some support for the idea it would be useful for APIs to allow
> > an application to at least know, and perhaps influence, what DNS security
> > features will be used if it makes a DNS request via the operating system.
> > 2) The getaddrinfo() API in RFC3493 doesn't provide this capability.
> 
> Isn't the getaddrinfo() API defined by POSIX?
> 
> <https://pubs.opengroup.org/onlinepubs/9699919799/functions/getaddrinfo.html>
> 
> "The Open Group Base Specifications Issue 7, 2018 edition
> IEEE Std 1003.1-2017 (Revision of IEEE Std 1003.1-2008)
> Copyright © 2001-2018 IEEE and The Open Group"
> 
> thanks,
> Rob
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
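Added example, not code from this thread, ISC or POSIX: one way to sketch the kind of extension Mark describes, a hypothetical policy field layered onto the getaddrinfo() hints so an application can say "answers must validate as secure". The names `addrinfo_ext`, `dns_policy`, `EAI_EXT_INSECURE` and `getaddrinfo_ext` are all assumed here; the wrapper fails closed because plain getaddrinfo() cannot report whether a name answer was DNSSEC-validated, while address literals never consult the DNS at all.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical policy values: not defined by POSIX or any libc. */
enum dns_policy { DNS_POLICY_ANY = 0, DNS_POLICY_REQUIRE_SECURE = 1 };

/* Hypothetical extended hints. The POSIX struct stays first so the
 * extension can be layered on without changing existing callers. */
struct addrinfo_ext {
    struct addrinfo base;
    enum dns_policy policy;
};
/* Hypothetical error: the requested security policy cannot be met. */
#define EAI_EXT_INSECURE (-1001)

int getaddrinfo_ext(const char *node, const char *service,
                    const struct addrinfo_ext *hints, struct addrinfo **res)
{
    *res = NULL;
    /* Address literals never touch the DNS, so they satisfy any policy.
     * Names would need a validating resolver that reports its status;
     * plain getaddrinfo() cannot, so fail closed rather than return
     * unvalidated answers silently. */
    if (hints->policy == DNS_POLICY_REQUIRE_SECURE &&
        !(hints->base.ai_flags & AI_NUMERICHOST))
        return EAI_EXT_INSECURE;
    return getaddrinfo(node, service, &hints->base, res);
}

/* Resolve node under a policy; on success write the first IPv4 address. */
int resolve_under_policy(const char *node, enum dns_policy policy,
                         int numeric, char *out, size_t outlen)
{
    struct addrinfo_ext hints;
    struct addrinfo *res;
    memset(&hints, 0, sizeof hints);
    hints.base.ai_family = AF_INET;
    hints.base.ai_socktype = SOCK_STREAM;
    hints.base.ai_flags = numeric ? AI_NUMERICHOST : 0;
    hints.policy = policy;
    int rc = getaddrinfo_ext(node, NULL, &hints, &res);
    if (rc != 0) return rc;
    inet_ntop(AF_INET, &((struct sockaddr_in *)res->ai_addr)->sin_addr,
              out, (socklen_t)outlen);
    freeaddrinfo(res);
    return 0;
}
```

A literal such as "127.0.0.1" resolves under the strict policy, while a hostname under the same policy is refused with `EAI_EXT_INSECURE` until a validating resolver is wired in behind the wrapper.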