IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 27 November 2019 09:07 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE98120815 for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 01:07:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WeCOsHn7CrnT for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 01:07:20 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [63.128.21.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB59A120071 for <dns-privacy@ietf.org>; Wed, 27 Nov 2019 01:07:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1574845638; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NYDgrUdhp+1ClQwCv1tTcAxgMsNYErioKCnmfNKfsP0=; b=V4DLS9S3fOz/RL9lU/5a24IJ32DxRm6bZlbzMTms3jMxiRp1i/+m3pn3jUJcbqZQCSyW6U ujBTqKARAmRVaTh0hM6D0liJf1Zx+EdHTNzdo7CwYPpFxNYd8q73ciU0AtKSDtwwwLpnec 3DJyMSUdP+lQHThHk2kzBdc7Iy0pKBA=
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01lp2052.outbound.protection.outlook.com [104.47.33.52]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-64-rVyirEeVNpWy_HoX1JVh7Q-1; Wed, 27 Nov 2019 04:07:17 -0500
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com (10.172.118.12) by CY4PR1601MB1288.namprd16.prod.outlook.com (10.172.117.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.21; Wed, 27 Nov 2019 09:07:16 +0000
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af]) by CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af%12]) with mapi id 15.20.2474.023; Wed, 27 Nov 2019 09:07:16 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Phillip Hallam-Baker <phill@hallambaker.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] Trying to understand DNS resolver 'discovery'
Thread-Index: AQHVpH/sjJ4BY7ksP0eWka61gH491qedvvOAgAD5mmA=
Date: Wed, 27 Nov 2019 09:07:15 +0000
Message-ID: <CY4PR1601MB125470ADE243F60FB710E8C7EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <20191126180441.GA4452@sources.org>
In-Reply-To: <20191126180441.GA4452@sources.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c082300a-634e-4c2f-286c-08d7731932d1
x-ms-traffictypediagnostic: CY4PR1601MB1288:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <CY4PR1601MB12889A1DEC301B1A3D133566EA440@CY4PR1601MB1288.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(346002)(376002)(136003)(39860400002)(366004)(13464003)(32952001)(52314003)(199004)(189003)(256004)(102836004)(966005)(4326008)(316002)(53546011)(478600001)(71200400001)(71190400001)(52536014)(64756008)(66946007)(66556008)(110136005)(186003)(6436002)(26005)(6506007)(446003)(76176011)(14454004)(11346002)(3846002)(99286004)(76116006)(86362001)(74316002)(33656002)(80792005)(5660300002)(66476007)(6116002)(2906002)(66446008)(6246003)(8936002)(81166006)(81156014)(14444005)(5024004)(6306002)(55016002)(25786009)(229853002)(8676002)(7736002)(305945005)(9686003)(7696005)(66574012)(66066001)(2004002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1601MB1288; H:CY4PR1601MB1254.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: fwIiKAX1yWkqfUjWU9wUec/WVEP4r1zsqnP11ngsWahFQJBerN0edYI19hiKweJBxm2kwQo4xT16YopJdKbhvQR7ToZ/K8M0pHba7dV2ZyK46Dm+MmwHG+PKU/uyBdW6I8v5VDToDNVPGIEBFbXvfWXQtvfrRYNvUmcYOV4iX+UGu20Ejh/hTOYGx6gBgw2BsK+V6VfxTx5x8Vr6oKX6s1z/+wqRSTRAO+iQxQmxd18x65/77gHz25NDSIPMRJ3d15udHS+r7QiGC63/UuxINHWbI4nphcFfqzHVtT5R5rZWl+KkJMjiZJHLkBWVDnyhMl/aqbgvjdqEuAQoORZAKFN07Qe5ivz1M0G1BoudqUbRarvS2oylA8AFn7mR0eJKnXqr1QkeL+WfOzcZxl/G7Rr4ituEXDOKTj1DkCyOL2GKFbe4w5L7XYpJiyiqKrmu7aLfx1a+FwxEdj2P1y2sR4r2xQV5cLNK3HNc/xEY2h8ZNuFcJu+RbpIBb4pz/7av
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c082300a-634e-4c2f-286c-08d7731932d1
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 09:07:15.9439 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 3rvHEc+OiZ3Dz414qZe/sseLXK/v7sgYtre6zcQJogDPVuGd+/iBAJtcFX6JFnxY+58xzxMuDhc088Z8VpT7fU60xi9BUwrfXI3+kQSQcHH/s4fpbXJVDCB8ATU6Rt5R
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1601MB1288
X-MC-Unique: rVyirEeVNpWy_HoX1JVh7Q-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sAVYq4X7yYrMvv4eFe0vXBH2DGM>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 09:07:22 -0000

> -----Original Message-----
> From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Stephane
> Bortzmeyer
> Sent: Tuesday, November 26, 2019 11:35 PM
> To: Phillip Hallam-Baker <phill@hallambaker.com>
> Cc: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
> 
> CAUTION: External email. Do not click links or open attachments unless you
> recognize the sender and know the content is safe.
> 
> On Tue, Nov 26, 2019 at 12:35:13PM -0500,  Phillip Hallam-Baker
> <phill@hallambaker.com> wrote  a message of 166 lines which said:
> 
> > 2) Admin/User Configured DNS
> >     The client obtains the information to connect to a resolver
> > through an Administrator or User configuration action. This may be
> > inserting an IP address (8.8.8.8/1.1.1.1/etc) or some form of DNS label.
> >
> > 3) Application/Platform Provider Configuration.
> >     The application or OS platform can simply ignore user preferences
> > and choose a DNS provider of its own liking.
> 
> Note that, for free software, there is no real difference between 2) and 3).
> Someone can always change the source and recompile. (And there is of
> course no real privacy without free software.)
> 
> > But please, assure me that we are not the brink of users being faced
> > with pop ups asking them 'would you like to choose me as your DNS
> > provider'.
> 
> Why not? But, anyway, the IETF does not do UI so it's not really our job.
> 
> > Of these three models, I have always considered (1) to be a security
> > hole.
> 
> I fully agree. *All* "automatic discovery of the DoH resolver" schemes are
> broken by design and I really wonder why people keep suggesting them.

Not all discovery mechanisms have security holes, you may want to look into https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05.  The draft discusses procedures to automatically securely bootstrap endpoints to discover and authenticate DoT/DoH servers provided by a local network.  

> 
> > So what I see is a requirement for DNS resolver configuration. We
> > already have rfc6763 to tell us how to get from a DNS label to an
> > Internet service.  Albeit one that presupposes the existence of a
> > resolution mechanism. I don't see it being problematic to use the
> > local DNS to do this resolution provided that 1) we have the means to
> > authenticate the connection and 2) we only use this mechanism once, to
> > perform initial configuration.
> 
> I agree too. A simple _doh.MYDOMAIN.example/SRV request would suffice.
> (Even better, HTTP should support SRV, but I digress...)

Yup, DNS-SD should suffice. The service portion for DoT/DoH are defined in https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05#section-6 

-Tiru

> 
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

v2.23.0 | Report a Bug | By Email