IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 27 November 2019 14:24 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A905A120948 for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 06:24:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3VjNq9abyY8v for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 06:24:26 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [216.205.24.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5805120915 for <dns-privacy@ietf.org>; Wed, 27 Nov 2019 06:24:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1574864664; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jhWJyQYYLuwqBtYcQ2k6Jduzh1wBjf3kPsAAuc0NEnU=; b=gCC1tvXya51D7YTyP5EYqJe+BZPpFx5J2qWQ1xPzZszDAJEM/Mov5SuoAqx4IAoXME+ot+ lZWZuwOPWO4nY9V60H2fmbB5M6AYtexUydCzioQSHoaGzFbVuncFN2rpjj/SnD+iygHtbE 25tRaTrNxXruX2Q6QYWRqvd53PsXi/o=
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2053.outbound.protection.outlook.com [104.47.36.53]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-347-iKjEfIhmMya1HwTQEPrHPw-1; Wed, 27 Nov 2019 09:24:23 -0500
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com (10.172.118.12) by CY4PR1601MB1270.namprd16.prod.outlook.com (10.172.116.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.22; Wed, 27 Nov 2019 14:24:21 +0000
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af]) by CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af%12]) with mapi id 15.20.2474.023; Wed, 27 Nov 2019 14:24:21 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Neil Cook <neil.cook@noware.co.uk>
CC: Phillip Hallam-Baker <phill@hallambaker.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] Trying to understand DNS resolver 'discovery'
Thread-Index: AQHVpH/sjJ4BY7ksP0eWka61gH491qeewgOAgABMEqCAAAO5AIAAAZYQ
Date: Wed, 27 Nov 2019 14:24:21 +0000
Message-ID: <CY4PR1601MB12541D25C89B5F3FDD45F83FEA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <88D54B12-AFAB-4931-A663-775824C46C38@noware.co.uk> <CY4PR1601MB12548C14E99A2690FC944F52EA440@CY4PR1601MB1254.namprd16.prod.outlook.com> <1DB5F0E0-C5AA-4639-9117-1B9D03543520@noware.co.uk>
In-Reply-To: <1DB5F0E0-C5AA-4639-9117-1B9D03543520@noware.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [49.37.206.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cb182c44-0621-4d7a-cf83-08d773457ee9
x-ms-traffictypediagnostic: CY4PR1601MB1270:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <CY4PR1601MB12708F4F768FE850C8276A05EA440@CY4PR1601MB1270.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(366004)(136003)(376002)(396003)(13464003)(32952001)(189003)(199004)(186003)(54906003)(26005)(316002)(966005)(81166006)(6916009)(14454004)(9686003)(76176011)(6506007)(53546011)(81156014)(3846002)(6116002)(102836004)(11346002)(6306002)(99286004)(446003)(7696005)(66066001)(8936002)(86362001)(8676002)(14444005)(229853002)(5024004)(256004)(55016002)(71200400001)(80792005)(478600001)(6436002)(5660300002)(52536014)(25786009)(561944003)(33656002)(7736002)(66446008)(66476007)(305945005)(64756008)(66556008)(66946007)(76116006)(74316002)(4326008)(2906002)(66574012)(6246003)(71190400001)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1601MB1270; H:CY4PR1601MB1254.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: PV2a1HonkUyUlIJUIf0y5XrZetE07V8uYmsp68BuEdYa3sPIcTFg0a4XeJrdYDaWqYuxCMRN+jGcth34MZDzBKa0+grpTeG7k+UVCKNFIMhamXryXEOBRdEq9r+cFNW5hJhD4rD7tOn54K4UsGYHddgM11dsdYQZMljr2D+MkX32V5kegT+LVJcc7uA/9tefy2n7ExZxKSufaS17H3JVEINKPozke79qDfbHQiViXD8XjXc6q7k1c8iYkyZsdjXobTefxhdKrPPr6+78OO5RU6v0CRNq/BWK7l/30DuG3tp9wgXV1YErnPictI4FVnkMh1C+a/SEn4Dq4YWxv9pWOdLNPWHy5cH9VnE8nn88GY/Klk5T8i+02p2O1Y4MR1Pdi3uRNMtheV45+w/hfVzk+erpXqQ+BMaBMR0ZWPDn949KUgUG4Hch08PL44ZYts7rPiIcrjz+9ujqwb8wSgMg4QrHDFQQ8qTGDDwvpkGsnaNHAYlKPUgXbOdPoqp4TSsd
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cb182c44-0621-4d7a-cf83-08d773457ee9
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 14:24:21.2995 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dhg3EA1dIUSmJodHzmu6E4uZz9Zbv8aEjP+x/Ad7ElaQ+uS5u2ESgPmK5NtInzNC59q0HzcyIY8uvPqHvwF1SxdABIwTaul+orpxtF5OcKCTMB4A+vIWwAJCdxTsCcQj
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1601MB1270
X-MC-Unique: iKjEfIhmMya1HwTQEPrHPw-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sDaUnKc58n0Asbf_jpfIQJgYYoQ>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 14:24:28 -0000

> -----Original Message-----
> From: Neil Cook <neil.cook@noware.co.uk>
> Sent: Wednesday, November 27, 2019 7:48 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> Cc: Phillip Hallam-Baker <phill@hallambaker.com>; dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
> 
> CAUTION: External email. Do not click links or open attachments unless you
> recognize the sender and know the content is safe.
> 
> 
> 
> > On 27 Nov 2019, at 14:09, Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@mcafee.com> wrote:
> >>
> >>> On 26 Nov 2019, at 17:35, Phillip Hallam-Baker
> >>> <phill@hallambaker.com>
> >> wrote:
> >>>
> >>> So what I see is a requirement for DNS resolver configuration. We
> >>> already
> >> have rfc6763 to tell us how to get from a DNS label to an Internet service.
> >> Albeit one that presupposes the existence of a resolution mechanism.
> >> I don't see it being problematic to use the local DNS to do this
> >> resolution provided that 1) we have the means to authenticate the
> >> connection and 2) we only use this mechanism once, to perform initial
> configuration.
> >>>
> >>
> >> How will the connection to the local resolver be authenticated? Also,
> >> presumably this mandates the use of DNSSEC by the client?
> >
> > The client can validate the server certificate signed by a CA, and it will work
> for Enterprise deployments. However, it will be challenging for the DNS
> forwarder co-located on the home router to get the certificate signed by CA
> today but may be possible in future with ACME
> https://tools.ietf.org/html/draft-ietf-acme-ip-08 and IPv6.
> >
> 
> If the client is connecting to the local resolver in order to bootstrap finding a
> DoH server, which is what the above proposal says, then it’s talking DNS53
> and there’s no authentication. Unless the resolver and client both support
> DoT, in which case the server is still being contacted via IP address. If the
> resolver is a forwarder on an RFC1918 IP address, like many/most home
> routers, then authentication is a non-starter (I don’t see how the above draft
> helps with that).
> 
> So authentication would work in non-enterprise scenarios, assuming both
> client and resolver/forwarder support DoT, and the resolver/forwarder is not
> using an RFC1918 address.

Yup, we are in the same page.

-Tiru

> 
> > -Tiru
> >
> >>
> >> Neil
> >> _______________________________________________
> >> dns-privacy mailing list
> >> dns-privacy@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dns-privacy
> >

v2.23.0 | Report a Bug | By Email