Re: [DNSOP] my dnse vision

Dan York <york@isoc.org> Wed, 05 March 2014 12:11 UTC

From: Dan York <york@isoc.org>
To: Francis Dupont <Francis.Dupont@fdupont.fr>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] my dnse vision
Thread-Index: AQHPOGMlsTC7RM+zX0qwNlHeNwhX95rSZzyA
Date: Wed, 5 Mar 2014 12:11:16 +0000
Message-ID: <CF3CB64B.68DB9%york@isoc.org>
In-Reply-To: <201403051107.s25B7ext069332@givry.fdupont.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/Exg26eGfuRmCldR3wsyaShN_wc4
Subject: Re: [DNSOP] my dnse vision
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Francis,


On 3/5/14 11:07 AM, "Francis Dupont" <Francis.Dupont@fdupont.fr> wrote:

> From discussions with Stephane Bortzmeyer and Mark Andrews...
>
> First I come back to the fact there are two different problems
> (aka divide and conquer):
> * stubs <-> resolver
> * resolver <-> auth servers

Agreed.

> I consider the first one to be already solved, cf. the Microsoft
> deployed solution which puts clients, local networks, the resolver
> (also the Microsoft Domain Server :-), in the same area and uses
> IPsec to protect it.

Which may be great if you are: 1) in an environment using Microsoft
solutions; and 2) connected to those networks.  Not so great if you are
NOT in a Microsoft environment or are mobile or on other networks (and
yes, I realize you could VPN back into the corporate network).

> You can do other ways but IMHO we can assume
> you don't need confidentiality with far or untrusted resolvers.
> Or with other words you don't need confidentiality with 8.8.8.8

And I will disagree with that assumption.  I personally want
confidentiality between my stub resolver and whatever recursive resolvers
I may choose to use, including 8.8.8.8 (and its IPv6 equivalent). I'd like
to remove that connection as a place where an attacker can monitor /
observe / log my DNS queries.

Regards,
Dan


--
Dan York
Senior Content Strategist, Internet Society
york@isoc.org   +1-802-735-1624
Jabber: york@jabber.isoc.org
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/deploy360/
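An added example, not part of Dan's or Francis's messages, illustrating the exposure Dan describes on the stub-to-resolver path: a plain DNS query in RFC 1035 wire format (no IPsec or other transport protection assumed) is fully readable by any on-path observer. It builds a constructed sample query and then parses the question section the way a passive observer would; the function names and sample values are this example's own assumptions.

```python
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2  # the pointer itself ends the name in the stream
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end

def observe_questions(msg: bytes):
    """Everything a passive on-path observer learns from one cleartext DNS message:
    the full query name and type, with no key or cooperation needed."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    off, seen = 12, []  # question section starts right after the 12-byte header
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        seen.append((name, qtype))
    return seen

if __name__ == "__main__":
    pkt = build_query("example.com", 28)  # AAAA query, as a stub would send it
    print(observe_questions(pkt))         # [('example.com.', 28)]
```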