Re: [DNSOP] DNS privacy and Team Cymru's report on 300, 000 SOHO routers with compromised DNS settings

Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 06 March 2014 23:42 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E2271A00CA for <dnsop@ietfa.amsl.com>; Thu, 6 Mar 2014 15:42:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.141
X-Spam-Level:
X-Spam-Status: No, score=-0.141 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VaP9OGuFu7ox for <dnsop@ietfa.amsl.com>; Thu, 6 Mar 2014 15:42:32 -0800 (PST)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id F00A01A0043 for <dnsop@ietf.org>; Thu, 6 Mar 2014 15:42:31 -0800 (PST)
Received: from mx1.yitter.info (unknown [130.129.152.218]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id A8EA48A031 for <dnsop@ietf.org>; Thu, 6 Mar 2014 23:42:26 +0000 (UTC)
Date: Thu, 6 Mar 2014 18:42:22 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20140306234221.GA11030@mx1.yitter.info>
References: <CF3EB0AB.69171%york@isoc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CF3EB0AB.69171%york@isoc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/pAND5-v4NN-L7NkU7owprNNL7Ts
Subject: Re: [DNSOP] DNS privacy and Team Cymru's report on 300, 000 SOHO routers with compromised DNS settings
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 23:42:33 -0000

On Thu, Mar 06, 2014 at 11:09:33PM +0000, Dan York wrote:

> this case of the attacker controlling the recursive resolver, I
> don't know that any of the various solutions thrown around today
> would do anything to help with this.  

But this was exactly the question I (among others) was trying to ask
at the mic.  From whom exactly are we trying to protect ourselves?  If
one of the answers is, "our immediate upstream resolver", there's
actually a possible answer to that: either don't have one, or prove
that the one you're talking to is one you can trust.

But to start that discussion, we first have to figure out from whom we
are protecting ourselves.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com