Re: [Resolverless-dns] Paper on Resolver-less DNS

Ted Lemon <mellon@fugue.com> Thu, 22 August 2019 02:39 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: resolverless-dns@ietfa.amsl.com
Delivered-To: resolverless-dns@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 330E2120048 for <resolverless-dns@ietfa.amsl.com>; Wed, 21 Aug 2019 19:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZTGhMLOIuX8o for <resolverless-dns@ietfa.amsl.com>; Wed, 21 Aug 2019 19:39:40 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46391120019 for <resolverless-dns@ietf.org>; Wed, 21 Aug 2019 19:39:40 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id 125so3809279qkl.6 for <resolverless-dns@ietf.org>; Wed, 21 Aug 2019 19:39:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=l16/xkLDFQHh3V+XQQCf5SKESDhznhiXa8pydiIGLsg=; b=obf7GhVXTPXphwJgxSq8DOYqMKNXB9+rFoW83R0ZjbZq1cQhct5GFPFpXoqh7gdmvi T1l7U0dLh4jloMQJn5Gep+CppCO6z9dt0Dsf919yD1SQC+aPlatb+2sMOk9KJkiU9Vnd jRjk3fawywoJegCNK9r9lMmKit8LhVO1g88hc8b4/FVx2EWLUap9atgVEBAUSQvZ6EbG I39r49JZvxOMJz6mAiCYZK6xVymw+UEmvPa145vhj8zxVQGazI0MsavC9kDAY2pwtsmd ZGOsSaulnH+ZPTxA2R7Lol9p/zHXlsPW3wumvigFFLMjCF49FPhCANFBn7ZxzWEXI6zX 3fLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=l16/xkLDFQHh3V+XQQCf5SKESDhznhiXa8pydiIGLsg=; b=hKZ9ICUCd+iDZx6XOZUjNnL5YWwrLD/SKCsCDOE2F81fgh0iVWZq7i02lGNyWVGLJP V1RI+cR122/7iIPoecRGs31CYe+7eKXnexzat4KIl91BDvPoYZNHZ2A+dusxxmtz8fNw gCcama639+KMiCDG0uGFVP/u19re1zBetWxvLSLgr//fHrrhx1IThK0Sj5HCKbq5vMmX WrQ2GWfmjf7eGrdK8Inw5rwcISdFOLrcT462n2qBRqc71d74ouDvlHXzKTvdiObNLD16 rqhdolHaF8Gei1keWXen2LrI4pW+u1zH2OBpbO3XMdI150hgAWctRzx29Ev0/5nPMp6W hUBg==
X-Gm-Message-State: APjAAAVJIYs7snWc41CpnJ704sIK+45kFq1ZwIKDqSlgrmzMV0EeQ7f/ UNROfV2xtSQASvclR5bozAbtzpqyGO66mg==
X-Google-Smtp-Source: APXvYqx9ZcOoS5JS+OLz6DJc9lWbDoOHUEyStCKALd/OIbjk1eLonEigovWTY0yKidR4rXzFiJt/Mg==
X-Received: by 2002:ae9:edc1:: with SMTP id c184mr32961071qkg.418.1566441579024; Wed, 21 Aug 2019 19:39:39 -0700 (PDT)
Received: from [10.0.100.56] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id h2sm10698485qto.81.2019.08.21.19.39.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 21 Aug 2019 19:39:38 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 21 Aug 2019 22:39:37 -0400
Message-Id: <A53C564A-CB3E-4260-978C-E786585310B1@fugue.com>
References: <1781914.51cSh5WzdD@linux-9daj>
Cc: resolverless-dns@ietf.org, sy@informatik.uni-hamburg.de
In-Reply-To: <1781914.51cSh5WzdD@linux-9daj>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: iPhone Mail (17A573)
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/9LmbvnKBf7LwZSWTjbVgRL4Cu3M>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-BeenThere: resolverless-dns@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <resolverless-dns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/resolverless-dns/>
List-Post: <mailto:resolverless-dns@ietf.org>
List-Help: <mailto:resolverless-dns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2019 02:39:42 -0000

So, for your use case it would be good if there were a way for authorized devices to know that they are connected to your network and use your resolvers, and a way to quarantine devices that have not been configured that way. Or you could just have always use your resolver if they are willing. 

Sent from my iPhone

> On Aug 21, 2019, at 21:47, Paul Vixie <paul@redbarn.org> wrote:
> 
> On Thursday, 22 August 2019 01:21:40 UTC Ted Lemon wrote:
>>> On Aug 21, 2019, at 9:08 PM, Paul Vixie <paul@redbarn.org> wrote:
>>> my experience with HSTS is that dotted-quad links are nearly impossible to
>>> use from an HTTPS web object, since they point either to an HTTP web
>>> object (which is a downgrade) or do an HTTPS object whose SNI is a dotted
>>> quad (which is hard to get a certificate for.)
>> 
>> Thanks, that’s a good point.   So to describe what is going on here, what
>> you are saying is that the browser provides no avenue of endpoint
>> identification and authorization other than DNS?
> 
> i don't know that part. i do know i stop a lot of crud with DNS RPZ, for 
> myself and my customers, and that if web browsers stop asking DNS questions, 
> the defense methods i'm using and recommending will work less often.
> 
> -- 
> Paul
> 
>