Re: [DNSOP] some random dnse-triggered thoughts

João Damas <joao@bondis.org> Wed, 05 March 2014 14:40 UTC

From: João Damas <joao@bondis.org>
In-Reply-To: <20140305141235.GA17117@laperouse.bortzmeyer.org>
Date: Wed, 05 Mar 2014 14:40:42 +0000
Message-Id: <837FE9BE-1EC4-4E2B-97F3-7C123F25BB55@bondis.org>
References: <B63680DF-C56B-4AEB-9F76-A01FA2625D32@hopcount.ca> <20140305141235.GA17117@laperouse.bortzmeyer.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/fXH7FMwRLdhsRsZtsD_O0SkESIc
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Joe Abley <jabley@hopcount.ca>
Subject: Re: [DNSOP] some random dnse-triggered thoughts

On 05 Mar 2014, at 14:12, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:

> More generally, we need to decide whether we want a truly end-to-end
> solution (which would be very much at odds with the architecture of
> the DNS) or if we are happy to protect only the messages in transit,
> leaving the issues of spying by intermediate servers to other
> solutions (QNAME minimization, local caching resolvers…).

Perhaps there is a need to separate the problem into tractable chunks.
For the part of the problem about authenticating the recursive resolver (the fake 8.8.8.8 problem) we probably need a different solution than for the metadata snooping problem (who is asking for what).
Perhaps it might be the case that there are already existing features that can be used to get what we need (e.g. SIG(0) for the recursive resolver, wild!) and, as Roy Arends was mentioning over a few drinks, onion-like routing to separate the who from the what in questions in an effective manner.
These could even be user-triggered on demand for certain traffic types (for instance as a consequence of turning on private browsing in a browser), so the overhead penalties are only incurred for the desired subset of traffic.

Joao