Re: [DNSOP] my dnse vision

Olafur Gudmundsson <ogud@ogud.com> Wed, 05 March 2014 12:52 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 570561A00A2 for <dnsop@ietfa.amsl.com>; Wed, 5 Mar 2014 04:52:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id duBaWHGxh3Nn for <dnsop@ietfa.amsl.com>; Wed, 5 Mar 2014 04:52:05 -0800 (PST)
Received: from smtp157.ord.emailsrvr.com (smtp157.ord.emailsrvr.com [173.203.6.157]) by ietfa.amsl.com (Postfix) with ESMTP id 70FD41A0121 for <dnsop@ietf.org>; Wed, 5 Mar 2014 04:52:04 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp20.relay.ord1a.emailsrvr.com (SMTP Server) with ESMTP id 167251C0196; Wed, 5 Mar 2014 07:51:51 -0500 (EST)
X-Virus-Scanned: OK
Received: by smtp20.relay.ord1a.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 6C5E11C0543; Wed, 5 Mar 2014 07:51:50 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <201403051107.s25B7ext069332@givry.fdupont.fr>
Date: Wed, 5 Mar 2014 12:51:52 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <02410136-DFE2-42C8-A91E-AA84641AFFCF@ogud.com>
References: <201403051107.s25B7ext069332@givry.fdupont.fr>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
X-Mailer: Apple Mail (2.1510)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/PLMdihtCN1AHYQ6qAWsWWqxCyt0
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] my dnse vision
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 12:52:06 -0000

On Mar 5, 2014, at 11:07 AM, Francis Dupont <Francis.Dupont@fdupont.fr> wrote:

>> From discussions with Stephane Bortzmeyer and Mark Andrews...
> 
> First I come back to the fact there are two different problems
> (aka divide and conquer):
> * stubs <-> resolver
> * resolver <-> auth servers
> 
> I consider the first one to be already solved, cf. the Microsoft
> deployed solution which puts clients, local networks, the resolver
> (also the Microsoft Domain Server :-), in the same area and uses
> IPsec to protect it. You can do other ways but IMHO we can assume
> you don't need confidentiality with far or untrusted resolvers.
> Or with other words you don't need confidentiality with 8.8.8.8
> 

I strongly disagree, my hotel list 8.8.8.8 as one of the resolvers available on the 
network, the answers from the 8.8.8.8  there are nothing like the answers I get from 8.8.8.8 on the IETF network. 
I NEED confidence that I'm talking to the real 8.8.8.8 if the only way to get that is 
encryption then I support it. 

I'm not sure if Microsoft solution works when one attaches to new networks like the IETF network. 

The stub <--> recursive [validating] resolver 

is the one more important to protect as the that is where it is easier to lie. 

On the other one 
recursive resolver <--->  auth servers 
 I would prefer that before we start talking about encryption is we agree on 
label stripping by recursive resolvers as that minimizes the leak of information to 
root/tld servers. 

	Olafur