Re: [Resolverless-dns] Paper on Resolver-less DNS

Paul Vixie <paul@redbarn.org> Thu, 22 August 2019 01:47 UTC

From: Paul Vixie <paul@redbarn.org>
To: resolverless-dns@ietf.org
Cc: Ted Lemon <mellon@fugue.com>, sy@informatik.uni-hamburg.de
Date: Thu, 22 Aug 2019 01:47:47 +0000
Message-ID: <1781914.51cSh5WzdD@linux-9daj>
In-Reply-To: <1CC6D47E-181D-41F8-AC7C-AB2E78E32AE0@fugue.com>
References: <20190819203948.2BE688829F4@ary.qy> <1950174.j2oo942mI2@linux-9daj> <1CC6D47E-181D-41F8-AC7C-AB2E78E32AE0@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/RfVw41WAQmCIyWDKqNdQTTFHsZ4>

On Thursday, 22 August 2019 01:21:40 UTC Ted Lemon wrote:
> On Aug 21, 2019, at 9:08 PM, Paul Vixie <paul@redbarn.org> wrote:
> > my experience with HSTS is that dotted-quad links are nearly impossible to
> > use from an HTTPS web object, since they point either to an HTTP web
> > object (which is a downgrade) or to an HTTPS object whose SNI is a dotted
> > quad (which is hard to get a certificate for.)
> 
> Thanks, that’s a good point.   So to describe what is going on here, what
> you are saying is that the browser provides no avenue of endpoint
> identification and authorization other than DNS?

i don't know that part. i do know i stop a lot of crud with DNS RPZ, for 
myself and my customers, and that if web browsers stop asking DNS questions, 
the defense methods i'm using and recommending will work less often.

-- 
Paul
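The concern in the message above is that a policy enforced at the recursive resolver (DNS RPZ) only applies to names the client actually asks the resolver about. The following added example, which is not code from this thread or from any RPZ implementation, models that in miniature: a toy resolver that applies QNAME and answer-IP policy triggers, a "resolverless" client that uses address records delivered alongside a web object, and a check that reports which names the policy would have blocked but the resolverless path still answered. All zone names, addresses and rules are constructed; real RPZ encodes actions as special CNAME targets (CNAME . for NXDOMAIN, CNAME rpz-passthru. for allow), which this model reduces to plain action strings.

```python
"""Toy model of DNS RPZ enforcement versus a resolverless client.

Added illustration for the mailing-list discussion; not code from the
thread.  Every name, address and rule below is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed QNAME triggers.  Real RPZ expresses these as CNAME records in
# a policy zone; here an owner name maps directly to an action.
QNAME_RULES: Dict[str, str] = {
    "bad.example": "NXDOMAIN",      # block this exact name
    "*.bad.example": "NXDOMAIN",    # wildcard: block every subdomain
    "tracker.example": "PASSTHRU",  # explicit allow, ends policy processing
}

# Constructed answer-IP (rpz-ip style) triggers: withhold answers that
# fall inside these prefixes, whatever the queried name was.
IP_RULES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "NXDOMAIN"),
]

# Constructed answers the resolver would obtain by ordinary recursion.
UPSTREAM: Dict[str, List[str]] = {
    "bad.example": ["192.0.2.10"],
    "www.bad.example": ["192.0.2.11"],
    "tracker.example": ["192.0.2.20"],
    "cdn.evil-hosting.example": ["203.0.113.7"],
    "www.good.example": ["198.51.100.5"],
}

# Constructed records a web object might push to a resolverless client.
PUSHED: Dict[str, List[str]] = {
    "www.bad.example": ["192.0.2.11"],
    "cdn.evil-hosting.example": ["203.0.113.7"],
    "www.good.example": ["198.51.100.5"],
}


def qname_action(qname: str) -> Optional[str]:
    """RPZ action for qname: exact owner first, then the closest wildcard."""
    name = qname.rstrip(".").lower()
    if name in QNAME_RULES:
        return QNAME_RULES[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in QNAME_RULES:
            return QNAME_RULES[wildcard]
    return None


def ip_action(addrs: List[str]) -> Optional[str]:
    """First answer-IP trigger hit by any address in the answer set."""
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        for net, action in IP_RULES:
            if ip in net:
                return action
    return None


def resolve_via_resolver(qname: str) -> Tuple[str, List[str]]:
    """Policy-enforcing resolver: QNAME triggers, then recursion, then IP triggers."""
    action = qname_action(qname)
    if action == "PASSTHRU":
        return ("NOERROR", UPSTREAM.get(qname, []))
    if action == "NXDOMAIN":
        return ("NXDOMAIN", [])
    addrs = UPSTREAM.get(qname, [])
    if not addrs or ip_action(addrs) == "NXDOMAIN":
        return ("NXDOMAIN", [])
    return ("NOERROR", addrs)


def resolve_resolverless(qname: str, pushed: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Client uses records delivered with the web object; the resolver never sees the question."""
    if qname in pushed:
        return ("NOERROR", pushed[qname])
    return ("NXDOMAIN", [])


def policy_bypassed(names: List[str], pushed: Dict[str, List[str]]) -> List[str]:
    """Names the RPZ would have blocked but the resolverless path still answers."""
    bypassed = []
    for name in names:
        rcode_rpz, _ = resolve_via_resolver(name)
        _, addrs = resolve_resolverless(name, pushed)
        if rcode_rpz == "NXDOMAIN" and addrs:
            bypassed.append(name)
    return bypassed


if __name__ == "__main__":
    for name in UPSTREAM:
        print(f"{name:28} resolver={resolve_via_resolver(name)} "
              f"resolverless={resolve_resolverless(name, PUSHED)}")
    print("policy bypassed for:", policy_bypassed(list(UPSTREAM), PUSHED))
```

The useful output is the last line: every name that the resolver would have answered NXDOMAIN for, but that the client reached anyway because the address arrived by another channel. A defender auditing a deployment can run the same comparison against the real policy zone and the names a client actually connected to, to measure how much of the existing RPZ coverage a resolverless path removes.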