Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Tue, 21 August 2018 16:19 UTC

Return-Path: <vladimir.cunat@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C479130E94 for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 09:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.021
X-Spam-Level:
X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avBGo4hnp4Y7 for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 09:19:41 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EF23130DC3 for <dnsop@ietf.org>; Tue, 21 Aug 2018 09:19:41 -0700 (PDT)
Received: from [IPv6:2001:718:1a02:1::3e0] (unknown [IPv6:2001:718:1a02:1::3e0]) by mail.nic.cz (Postfix) with ESMTPSA id DA1D4604D7; Tue, 21 Aug 2018 18:19:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1534868379; bh=Pg8u0N6j4MJG6FfbfmqUcVF6NAdXaLN4pFGQnv/0Vbs=; h=To:From:Date; b=XjtoikuohUWZhrzAuavX7Ds5KTtJA77AKClAZ8KvtPR0BDjX+3jmxNp2OVtvG8Qje uzcASKezLwxhKuhPpw9sWbExTxfkm69qnI3xqD95JzY51+Nygfsuc/D3b9NUgrodww DWlOv8kN+2qpW1s1K91Tiy1fjRMYAOVxZIaumy4g=
To: Philip Homburg <pch-dnsop-3@u-1.phicoh.com>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1kj7Y0dPLeDk=PMqQEpAd-Mvds6VLT8XUC1BYOfdyUbJA@mail.gmail.com> <CAC=TB125M81nwiCTNr8Vbee+Z7Fh_3L+6EdZ8evXVzP-2ji4fg@mail.gmail.com> <CAPt1N1n9hDUZQ-Ltvs73T20=fpG-FR_j-t4m0kMapDiv2Us1kw@mail.gmail.com> <5B78BFB9.40103@redbarn.org> <47508D79-0D49-4F31-9BA6-6DC80C38F1DE@cable.comcast.com> <ad1f6dff-ebcc-97a9-6f4b-1ed683827cc7@dougbarton.us> <1313743534.13562.1534765718802@appsuite.open-xchange.com> <9AFE57A7-1D27-4F86-9013-E3C63E63C582@hopcount.ca> <5B7AE322.3020201@redbarn.org> <CAPt1N1m-Xd-7rvgmk8GOsx34=1hsu76nmTgW-8krC3JF7i57KQ@mail.gmail.com> <265867956.15518.1534783313366@appsuite.open-xchange.com> <CAPt1N1myrdOywur35rXRab2QCrhFiJ0vS4wnT_Pof0epdOPz7A@mail.gmail.com> <471139805.18285.1534847636363@appsuite.open-xchange.com> <m1fs7wB-0000GtC@stereo.hq.phicoh.net> <63b113eb-9372-b622-b346-5d926f0b5d9a@nic.cz> <m1fs8g9-0000GpC@stereo.hq.phicoh.net>
Cc: dnsop@ietf.org
From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>
Openpgp: preference=signencrypt
Autocrypt: addr=vladimir.cunat+ietf@nic.cz; prefer-encrypt=mutual; keydata= xsFNBFgDknYBEADHEQwLBlfqbVCzq7qYcBFFTc1WCAFtqiKehOrsITnKusZw4nhYwlKQxcum gj01xJOhbfHBCBeGlDydYqemKg4IfY2nwSyPwZZYMJn7L7AGrCeytr4VMvDJ7o7qDZjjim4i fv+GUwdk3plXx6oMF4nctesI8aAOuLUHAn0PfrGfNhWoaglOKgdOI6DGjhI/aGkvy+jrI/+X sdMV+3f1RuEOfI+Yu4SXFjJyhAmqEOBRxxdHqKreIIpz3Lg38yWwiVGfwgQT+nFIz9BpHH3l Wg1uS8xM3ezceBmRYV8zT9PvbeZ57BlaTR6rLae5RYwV397PSLBqqLkB5H0TDRUFBnwBsUob LebYHmJCOydvyNv5AFkLmLZ7O4j2jFo1WPSMt3ThM6wRwqrnB4Gi+6onyrZfE1DnVZMqbxZ3 VXa+E4S5YwrfCLUErGEn+d40OtoRZmQXhRPVAsdjimMj9oFM9RoxSgUrDg6Ia3n0IrKFb++z HAFbqkR5g4qzXiOMEG621GYEex2sDEKz/PD4CVKlNI9eld4ToH592kAwzJmd+sAi+Rfos0NE zxuFd0ekAOeWoURo0zoYTSWPlMOmFMvcpH6LP3leJmY7x4z/b1ng/+7UnKonVALVPFbRbElO kIfAtLKcUEofwV1jr7DyYGPalJtiDJPomB041ZHCj2RxyXY/oQARAQABzTBWbGFkaW3DrXIg xIx1bsOhdCAod29yaykgPHZsYWRpbWlyLmN1bmF0QG5pYy5jej7CwZcEEwEIAEECGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQS2AGRgtgqA54IGJEnnR98flXWjqgUCWcjP 7AIZAQAKCRDnR98flXWjqm8lEACTETgda85SApnaGB5dBzpCFf4cGLlB88uALlsLUGQJNxte 490q5lk92Dkn/7QYZu2pZImddZcvUPVVlazqWmAz0ByWxufReewdJfi6TJp+tH2/XsKdQwxe BeiCBOzVreN3jG9rRANCr3AOu73hxlTquwGyOKZ4299GSIbpu4Aepkk9uUJDpUMj04+ikemT 6tX3cGPeAtWetskAo00eWNzEVFXsPVcLX1oUmOsaMQhgEK/ErboyDdVgyb+OjvWdrIVbJLr9 loQ9MJVAKquBfr7gAJej+0xNLIVDzJQxcqaoxlc0rKeOXsp5EvTyILaxngHl7tx6673nG//g PMiZB/kRMFsBLGLKtIdFFvrS0OyTCOHukXFkYdbQb8cBPdKzfA9uSw/DGwxMh+A4sGpKIfDZ lL3ZjcNBtTUofVdZJh2HAICb2oXeQpnJlg6IoMj0pnfBsXR7unb1y+SYnwNte3GYumzsnvDk 57lQipUevgZii+1K7NFL4DFQSkFZ5A6fEo17r+gQea4sZ10dwTpTzBQYa7PzqCeFT6v219KQ D9oVRx0EiIiKphLMymqOo0YoPvbuTvsNsnNu46MJcX5xiLIIr8q/Jhzdcw0rvVcjvL29qVZu 3jM3KOCTIqOJlJwJoe/QDssNqUXuA6Gylx693R1qmy2Qy/8e8mDz3So7s7Ho3M7BTQRYA5J2 ARAAyHww3huLEtsdyqgjiGMhtEKOLmp7yFl450HY9oPcHS02U5BC1370ssNShrdOCi2ACDbe 41Zxx85WcuaO1OVqung2umX047mj2xQsiTAFRDLZsQu8cQFoEy/DBL2bk7ThfK1Lh+NyZAs0 UaPpDkGodS0De9osA+4T6Nf4POYaeavbYVFSdDKS4lUboBqApKnD/TzKFxFcpuFx6FN92lte TbOojGMiLoZvELY86Kn9KuFZ8FM2ZSNHx1Z75KouufGrdkeCoZYVYiuzT+fnt2it4dIpIlnF +yxMt5LB/MSrmECB5CAFJtxzuMccm6yDUZQSWWi9vUgxIJwvt5w0CIBT353DGeP4WnH0r5Yo BKoRbh7i4fT0lWvMXTG/V2lqyzBdClMebyHffMgba26Kj6oeDygDfC5aGsVaqw1Ue/qQ5QRq TJcJV7xVLTtS1EamVqkfKwPS0zTfnrF1jQtnO/P4qkfgBRRG9BXGGrykHpXOyqmX6Z0wbV2P 4j+p02oSecDl5yVXplJfsXfbS/xXnaSkaN/7mCU29ul26cAVNxDkDPunztSFi9K9LM2T/XWY JQGXM71OpmONQJGF24lx7Wp/kobnHtbjGDzjDPC4eSL7MA56qtrWaLM+4ePKANct2q0q6c0u SLs0Q2zochS64Mcg0YzL1sinWPN1rXLDk3lwpIsAEQEAAcLBZQQYAQgADwUCWAOSdgIbDAUJ CWYBgAAKCRDnR98flXWjqn4yEACA0f1XBAg+WMaNPtIt0k15yFPfhdbOg9GhDcYGgvFIOxRu aFWw9SLUt7OGuUnIpKxKRXtQJss98fHkijo70ONYWPuLhfRGK/wg9Ao6MuFw5G8m431CBS/a wrieb6iPjvAARXJCPTTBZk/NC988jiKdCh8PbTCHDsl+gSDytP15QUrdqSfS2Wf4653ej7+j tuTjxZzmGgvNSi6JDlb9KNtmBQKQAgpnOQM46ItESmzHDnmdcvhPLUDsjwkpIJ6clasOzaOb wxJiba7iFPcGwcClCSwYjMNXFtneCGUnEAa5RBIx+i+LV1iqB3VRvTC6tMIUueoQ7cdTy6af NkhwQYXm4/pDmNT8UMdnzwnlTpFQ0CegDQRDWc+dIDDBHGEEEYBh2vTOE04KrmYUp1bQsNeg PfvLwoHib0jEvohPMJ2fJtZAd1SJElgwPbM8H7emKBiTsHwF8gL7G2jo7AoGpqYjqXkCRS0t SLTNr+qHh+7Ltrkbu/ZVTTfh4Q/qw3VaLYQh4C0tBma/YevQy1O2c3TZXXFz1QF8b9/Hj/3s q2KgT1AcZ51E+xG+cb6cUqgkihmgm39xx24GPlNAdCRuq01+iILol+Wox6OwF6hmqx1EMSmx cmGoUREr0rkMnFVsWeAYeVoE4q689qxCPu9iCMJMJnkRe1o9oQYSN7my+S98gA==
Message-ID: <20bfadaf-05bf-d564-9c90-bd1464b23328@nic.cz>
Date: Tue, 21 Aug 2018 18:19:39 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.0
MIME-Version: 1.0
In-Reply-To: <m1fs8g9-0000GpC@stereo.hq.phicoh.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ai2f4oOnz_AWG-iR8lEwqPJ75gI>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 16:19:45 -0000

Ehm, we somehow forgot that this thread is supposed to be about DHCP, so
that's only the "uninteresting" case where you do trust the ISP and want
to use their DNS over a secure channel :-D

On 08/21/2018 05:34 PM, Philip Homburg wrote:
>> Then you have a problem that's not solvable in DNS itself (yet).  That's
>> what people usually forget to consider.
>> [...]
> This is too some extent a chicken and egg problem. Without encrypted DNS 
> there is no point in encrypted SNI and vice versa.

Yes, partially.

> I expect that encrypted SNI will be relatively easy to deploy. It can happen
> as soon as both endpoints support it.
>
> In contrast, DNS is a very complex eco system. So it makes sense to start
> deploying encrypted DNS now, under the assumption that encrypted SNI will
> follow.

Well, DoT has been standardized for some time, and we now have multiple
open-source implementations for client- and daemon-side, and some large
public services support it.  DoH is a little later, but it might gather
more speed eventually.  From *my* point of view the SNI is the biggest
hindrance ATM; other technical issues don't seem bad, at least not for
most motivated users.  (Finding a trusted service might be problem for
some people, I suspect.)

>> After SNI encryption gets widely deployed, tracking through IP addresses
>> only will be somewhat harder, so there it will start getting
>> interesting.
> We have seen already that 'domain fronting' is can be a very effective way
> to bypass filters. For large CDNs or cloud providers, filtering based on 
> IP addresses is not going to be effective.

Centralizing most of the traffic to a few CDN providers would solve
that, but somehow I don't think privacy should depend on that.  And I
don't think it's so easy to significantly reduce the information leak -
you just *move* it to somewhere else (someone else), and it's not really
clear to me in general who is more trustworthy.  Still, such
possibilities certainly are nice to have.

>> Until then, IMHO you just need to either trust the ISP or
>> tunnel *all* traffic to somewhere, e.g. via tor or VPN to some trusted
>> party.
> True. But we can take small steps to reduce unwanted interference from ISPs.
>
> From a security point of view, it helps a lot if you can just trust DNS.
> Instead of always having to take into account that somebody may interfere 
> with DNS replies.

Defense against changing DNS is something else than privacy - we have
DNSSEC for that, so you don't even need to trust the server sending you
the data, but I think we're getting too much off-topic anyway...