IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

Neil Cook <neil.cook@noware.co.uk> Wed, 27 November 2019 14:17 UTC

Return-Path: <neil.cook@noware.co.uk>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 766021208E1 for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 06:17:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.107
X-Spam-Level:
X-Spam-Status: No, score=-1.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4vGjiHZ5J9EY for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 06:17:32 -0800 (PST)
Received: from mail.noware.co.uk (unknown [IPv6:2604:a880:0:1010::add:2001]) by ietfa.amsl.com (Postfix) with ESMTP id D15431208DE for <dns-privacy@ietf.org>; Wed, 27 Nov 2019 06:17:32 -0800 (PST)
Received: from [192.168.1.170] (unknown [81.151.217.120]) by mail.noware.co.uk (Postfix) with ESMTPSA id 62F161C6541; Wed, 27 Nov 2019 14:07:01 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
From: Neil Cook <neil.cook@noware.co.uk>
In-Reply-To: <CY4PR1601MB12548C14E99A2690FC944F52EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
Date: Wed, 27 Nov 2019 14:17:30 +0000
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1DB5F0E0-C5AA-4639-9117-1B9D03543520@noware.co.uk>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <88D54B12-AFAB-4931-A663-775824C46C38@noware.co.uk> <CY4PR1601MB12548C14E99A2690FC944F52EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>
X-Mailer: Apple Mail (2.3601.0.10)
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: -100
X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedufedrudeihedgieduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecupffgkffnvefqqffmnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpegtggfuhfgjfffgkfhfvffosehtqhhmtdhhtdejnecuhfhrohhmpefpvghilhcuvehoohhkuceonhgvihhlrdgtohhokhesnhhofigrrhgvrdgtohdruhhkqeenucffohhmrghinhepihgvthhfrdhorhhgnecukfhppeekuddrudehuddrvddujedruddvtdenucfrrghrrghmpehinhgvthepkedurdduhedurddvudejrdduvddtpdhhvghloheplgduledvrdduieekrddurddujedtngdpmhgrihhlfhhrohhmpefpvghilhcuvehoohhkuceonhgvihhlrdgtohhokhesnhhofigrrhgvrdgtohdruhhkqedprhgtphhtthhopefvihhruhhmrghlvghsfigrrhftvgguugihpgfmohhnuggrsehmtggrfhgvvgdrtghomhdprhgtphhtthhopehphhhilhhlsehhrghllhgrmhgsrghkvghrrdgtohhmpdhrtghpthhtohepughnshdqphhrihhvrggthiesihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptd
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/h5wqUhYVQPJw9qazk8RTif9uPj0>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 14:17:34 -0000


> On 27 Nov 2019, at 14:09, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com> wrote:
>> 
>>> On 26 Nov 2019, at 17:35, Phillip Hallam-Baker <phill@hallambaker.com>
>> wrote:
>>> 
>>> So what I see is a requirement for DNS resolver configuration. We already
>> have rfc6763 to tell us how to get from a DNS label to an Internet service.
>> Albeit one that presupposes the existence of a resolution mechanism. I don't
>> see it being problematic to use the local DNS to do this resolution provided
>> that 1) we have the means to authenticate the connection and 2) we only
>> use this mechanism once, to perform initial configuration.
>>> 
>> 
>> How will the connection to the local resolver be authenticated? Also,
>> presumably this mandates the use of DNSSEC by the client?
> 
> The client can validate the server certificate signed by a CA, and it will work for Enterprise deployments. However, it will be challenging for the DNS forwarder co-located on the home router to get the certificate signed by CA today but may be possible in future with ACME https://tools.ietf.org/html/draft-ietf-acme-ip-08 and IPv6. 
> 

If the client is connecting to the local resolver in order to bootstrap finding a DoH server, which is what the above proposal says, then it’s talking DNS53 and there’s no authentication. Unless the resolver and client both support DoT, in which case the server is still being contacted via IP address. If the resolver is a forwarder on an RFC1918 IP address, like many/most home routers, then authentication is a non-starter (I don’t see how the above draft helps with that).

So authentication would work in non-enterprise scenarios, assuming both client and resolver/forwarder support DoT, and the resolver/forwarder is not using an RFC1918 address.

> -Tiru
> 
>> 
>> Neil
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org
>> https://www.ietf.org/mailman/listinfo/dns-privacy
>

v2.23.0 | Report a Bug | By Email