Re: [Resolverless-dns] Paper on Resolver-less DNS

Paul Vixie <paul@redbarn.org> Thu, 15 August 2019 19:22 UTC

From: Paul Vixie <paul@redbarn.org>
To: resolverless-dns@ietf.org, sy@informatik.uni-hamburg.de
Date: Thu, 15 Aug 2019 19:22:16 +0000
Message-ID: <2017170.mVuLTY5bmt@linux-9daj>
Organization: none
In-Reply-To: <8a8754b1-c646-34fc-a13b-d69757b807f3@informatik.uni-hamburg.de>
References: <20190815163938.CF9CB85D108@ary.local> <8a8754b1-c646-34fc-a13b-d69757b807f3@informatik.uni-hamburg.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/5ftOPxtvk1IDypzkvuTANLci_AY>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
Precedence: list

On Thursday, 15 August 2019 19:00:31 UTC Erik Sy wrote:
> Hi John,
> 
> On 8/15/19 18:39, John Levine wrote:
> > I also like the paper but it misses the largest concern with
> > resolverless DNS: it circumvents DNS based access controls.
> 
> Resolver-less DNS does not circumvent DNS-based access controls. First,
> clients can configure their user agent to filter the DNS records
> retrieved via resolver-less DNS to enforce such access controls.

how? right now network operators use DNS RPZ, implemented in their recursive 
name servers, to achieve multivendor threat intelligence based policy 
enforcement at the DNS level. i know of no similar protocol by which browsers 
could learn the network operator's policy. and in any case some of the policy 
rules expressed in RPZ are about name server names and name server addresses, 
neither of which a browser will know.

so, this _does_ circumvent, as written, and i suspect, by (poltiical) intent.

> Second,
> resolver-less DNS requires in some situations fallback DNS queries using
> the traditional resolver that may conduct DNS-based access controls.

that's small beer, irrelevant to the thread.

-- 
Paul

[Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ben Schwartz
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS John R Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Fred Baker
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS John R Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Steffen Nurpmeso
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Steffen Nurpmeso
Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Bob Harold
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie