Re: [Resolverless-dns] Paper on Resolver-less DNS

"John Levine" <johnl@taugh.com> Thu, 15 August 2019 16:39 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: resolverless-dns@ietfa.amsl.com
Delivered-To: resolverless-dns@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EA641200D7 for <resolverless-dns@ietfa.amsl.com>; Thu, 15 Aug 2019 09:39:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level:
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=jHnVmPUJ; dkim=pass (1536-bit key) header.d=taugh.com header.b=CSbn7Ap3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YnQdguv5Vd81 for <resolverless-dns@ietfa.amsl.com>; Thu, 15 Aug 2019 09:39:41 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63304120108 for <resolverless-dns@ietf.org>; Thu, 15 Aug 2019 09:39:41 -0700 (PDT)
Received: (qmail 10509 invoked from network); 15 Aug 2019 16:39:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=290b.5d558acb.k1908; i=printer-iecc.com@submit.iecc.com; bh=oZ0xY/k3ex3yPn9MfFUgMEcMxgg3AKExzfkEmpQXcm8=; b=jHnVmPUJnbuN4P62g6ba5uuMxknIndir4A5ou1m3hNqq0+vDCZylqWNqp2F5LhZ6fXgQSeIx6fji9eKLmhzS/u6T10whdbGZEObcWW2oL9oEb/3kOdEGd36zWE/Buy04JfvvS+ti6zbaLfCVaGPOicFpR5rJD3FECF32v+Cj/m0P5wgFq0l+uyKOiicHTHAiY/AqqkiVfF4da2wqkH58OucvXxOWZbTaett8uWBjtau3OnJAxB3gLpp8EqVQaWFj
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=290b.5d558acb.k1908; olt=printer-iecc.com@submit.iecc.com; bh=oZ0xY/k3ex3yPn9MfFUgMEcMxgg3AKExzfkEmpQXcm8=; b=CSbn7Ap3jV3G/PouZ4V22HDdgGiBMczDakHHhFGkBaDTPCgFWFK4+NyN3hB5FZBsvQdSv4feacqbjKTuP1Mt1iwAX0t0V6zLSRT6PkSR6NmTrsWFK7H+/g+lGHM2scNj46TWy2/fnhCNggJd8J4c4FR7/b/a3FFblSo14uEpenPiTkZ4747CnYxoTkpKizh/btCL1WSY6cxKzQysC5hyQWiadslGdhGjIk/6QqZimZ47ep1TCDgbEUnjt3/H9kN8
Received: from ary.local ([73.33.141.87]) by imap.iecc.com ([64.57.183.75]) with ESMTPSA (TLS1.2 ECDHE-RSA AES-256-GCM AEAD, printer@iecc.com) via TCP; 15 Aug 2019 16:39:39 -0000
Received: by ary.local (Postfix, from userid 501) id CF9CB85D108; Thu, 15 Aug 2019 12:39:38 -0400 (EDT)
Date: 15 Aug 2019 12:39:38 -0400
Message-Id: <20190815163938.CF9CB85D108@ary.local>
From: "John Levine" <johnl@taugh.com>
To: resolverless-dns@ietf.org
Cc: bemasc@google.com
In-Reply-To: <CAHbrMsBhR1yaLxQk7wZk54Jdf5nvkS03KC3UTae0Famu2+SV8g@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/Qq9c-vkbDUTlcKQcnXgVUgQBmSs>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-BeenThere: resolverless-dns@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <resolverless-dns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/resolverless-dns/>
List-Post: <mailto:resolverless-dns@ietf.org>
List-Help: <mailto:resolverless-dns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2019 16:39:44 -0000

In article <CAHbrMsBhR1yaLxQk7wZk54Jdf5nvkS03KC3UTae0Famu2+SV8g@mail.gmail.com>; you write:
>-=-=-=-=-=-
>-=-=-=-=-=-
>
>Thanks for conducting this investigation, Erik!
>
>In my view, the two main concerns with resolverless architectures have been
>(1) simplifying stolen key attacks and (2) potential interference with
>DNS-based load balancing.

I also like the paper but it misses the largest concern with
resolverless DNS: it circumvents DNS based access controls.  I realize
this is not a popular position in the IETF, but there are lots of
perfectly good reasons that networks provide filtered DNS.  Even
though it has usually been technically easy to circumvent, most people
don't and it's been good enough.  If it's widely circumvented, we can
expect much more intrusive filtering with a lot more collateral damage.

R's,
John