Re: [DNSOP] some random dnse-triggered thoughts

Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 05 March 2014 14:14 UTC

Date: Wed, 05 Mar 2014 14:12:35 +0000
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Joe Abley <jabley@hopcount.ca>
Message-ID: <20140305141235.GA17117@laperouse.bortzmeyer.org>
References: <B63680DF-C56B-4AEB-9F76-A01FA2625D32@hopcount.ca>
In-Reply-To: <B63680DF-C56B-4AEB-9F76-A01FA2625D32@hopcount.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/aCSeHDYv4yZOoFA90KsxwUgSt4w
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] some random dnse-triggered thoughts

On Tue, Mar 04, 2014 at 06:15:37PM +0000,
 Joe Abley <jabley@hopcount.ca> wrote 
 a message of 34 lines which said:

> EDNS0 options are hop-by-hop. It's not obvious this is what we need,
> since that makes every intermediate DNS server a potential
> interception point. But perhaps that's ok anyway, if we imagine the
> 80% solution involves stub -> resolver -> authority where each arrow
> is a separate privacy domain anyway.

More generally, we need to decide whether we want a truly end-to-end
solution (which would be very much at odds with the architecture of
the DNS) or if we are happy to protect only the messages in transit,
leaving the issues of spying by intermediate servers to other
solutions (QNAME minimization, local caching resolvers...).
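As an added illustration of the QNAME minimization mitigation mentioned at the end of the message above (example code written for this archive page, not from the thread, the DNSOP WG or any real resolver): a small Python simulation of which query names each authoritative server on the resolution path gets to see, with and without minimization. The delegation tree `ZONES`, the query name and the function names are constructed for the example; a real iterative resolver discovers zone cuts from referrals rather than from a precomputed set, and the simulation only models the resolver-to-authority hop, not the stub-to-resolver hop the message also discusses.

```python
"""Simulate what each authoritative server learns with and without QNAME
minimization (the idea later specified in RFC 7816).

Everything here is a constructed model: ZONES stands in for the delegation
tree a real resolver would discover from referrals.
"""

# Constructed delegation tree (assumption for this example): the set of zone
# apexes that have their own authoritative servers. "." is the root zone.
ZONES = {".", "com.", "example.com."}


def normalize(name: str) -> str:
    """Lower-case and make the name fully qualified (trailing dot)."""
    return name.strip().lower().rstrip(".") + "."


def full_queries(qname: str, qtype: str, zones=ZONES):
    """Classic iterative resolution: every server on the path receives the
    complete query name and type, starting at the root and following each
    delegation found in `zones`."""
    qname = normalize(qname)
    labs = qname.rstrip(".").split(".")
    zone = "."
    queries = [(zone, qname, qtype)]
    for i in range(len(labs) - 1, -1, -1):
        partial = ".".join(labs[i:]) + "."
        if partial in zones:
            zone = partial           # referral: repeat the full query there
            queries.append((zone, qname, qtype))
    return queries


def minimized_queries(qname: str, qtype: str, zones=ZONES):
    """QNAME minimization: ask each server only for the next label below
    the zone it serves (type NS), so a parent never sees the labels that
    belong to its children. The original name and type are sent only to
    the server finally authoritative for the name."""
    qname = normalize(qname)
    labs = qname.rstrip(".").split(".")
    zone = "."
    queries = []
    for i in range(len(labs) - 1, -1, -1):
        partial = ".".join(labs[i:]) + "."
        if partial != qname:
            # Hide the remaining left-hand labels from this server.
            queries.append((zone, partial, "NS"))
        elif partial in zones:
            # The name itself is a zone apex: the parent only returns a
            # referral, so it sees the full name anyway.
            queries.append((zone, qname, qtype))
        if partial in zones:
            zone = partial           # follow the delegation
    queries.append((zone, qname, qtype))
    return queries


def names_seen_by(queries, server: str):
    """Set of query names a given server observed in a query sequence."""
    return {name for (srv, name, _) in queries if srv == server}


if __name__ == "__main__":
    name = "www.internal.example.com"
    for label, fn in (("without minimization", full_queries),
                      ("with minimization", minimized_queries)):
        print(label)
        for srv, qn, qt in fn(name, "A"):
            print(f"  {srv:14} <- {qn} {qt}")
```

Running the script shows the point of the thread: without minimization the root and `.com` servers both receive `www.internal.example.com. A`, whereas with minimization the root sees only `com. NS` and `.com` only `example.com. NS`; the full name reaches only the `example.com.` servers, which would have learned it anyway. The cost is one extra query per label below the last delegation.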