> -----Original Message-----
> From: dns-privacy <[email protected]> On Behalf Of Stephane Bortzmeyer
> Sent: Tuesday, November 26, 2019 11:35 PM
> To: Phillip Hallam-Baker <[email protected]>
> Cc: [email protected]
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
> On Tue, Nov 26, 2019 at 12:35:13PM -0500, Phillip Hallam-Baker
> <[email protected]> wrote a message of 166 lines which said:
>
> > 2) Admin/User Configured DNS
> > The client obtains the information to connect to a resolver
> > through an Administrator or User configuration action. This may be
> > inserting an IP address (8.8.8.8/1.1.1.1/etc) or some form of DNS label.
> >
> > 3) Application/Platform Provider Configuration.
> > The application or OS platform can simply ignore user preferences
> > and choose a DNS provider of its own liking.
>
> Note that, for free software, there is no real difference between 2) and 3).
> Someone can always change the source and recompile. (And there is of
> course no real privacy without free software.)
>
> > But please, assure me that we are not on the brink of users being faced
> > with pop ups asking them 'would you like to choose me as your DNS
> > provider'.
>
> Why not? But, anyway, the IETF does not do UI so it's not really our job.
>
> > Of these three models, I have always considered (1) to be a security
> > hole.
>
> I fully agree. *All* "automatic discovery of the DoH resolver" schemes are
> broken by design and I really wonder why people keep suggesting them.

Not all discovery mechanisms have security holes; you may want to look into https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05. The draft discusses procedures to automatically and securely bootstrap endpoints to discover and authenticate DoT/DoH servers provided by a local network.

> > So what I see is a requirement for DNS resolver configuration. We
> > already have rfc6763 to tell us how to get from a DNS label to an
> > Internet service. Albeit one that presupposes the existence of a
> > resolution mechanism. I don't see it being problematic to use the
> > local DNS to do this resolution provided that 1) we have the means to
> > authenticate the connection and 2) we only use this mechanism once, to
> > perform initial configuration.
>
> I agree too. A simple _doh.MYDOMAIN.example/SRV request would suffice.
> (Even better, HTTP should support SRV, but I digress...)

Yup, DNS-SD should suffice. The service portion for DoT/DoH is defined in https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05#section-6

-Tiru

> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
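The SRV-based bootstrap the thread converges on (ask the local DNS once for a service record, then authenticate the resolver named in the answer) can be shown end to end. The following is an added example written for this page; it is not code from the thread, from the draft, or from any IETF project. It assumes the DNS-SD service labels `_doh` and `_dot` under `_tcp` (the draft's section 6 is referenced on the page but its registered names are not reproduced here, so these labels are an assumption), a zone-file style text form for the SRV answer, and a constructed RRset for `example.` that is not real data. It implements RFC 2782 priority/weight ordering, treats a lone target of `.` as "service not offered", and enforces Phillip's "use this mechanism once" rule by refusing a second bootstrap:

```python
"""Added example (not from the thread or the draft): one-shot SRV/DNS-SD
bootstrap of a DoT/DoH resolver, with RFC 2782 candidate ordering.

Assumptions (not taken from the page): the service labels "_doh" and "_dot"
with protocol "_tcp", and the constructed SRV RRset in SAMPLE_ZONE below.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_query_name(service: str, domain: str, proto: str = "tcp") -> str:
    """Build the RFC 2782 / DNS-SD owner name _service._proto.domain."""
    if not service or not domain:
        raise ValueError("service and domain are required")
    return f"_{service}._{proto}.{domain.rstrip('.')}."


def parse_srv_rrset(zone_text: str, owner: str) -> list[SrvRecord]:
    """Parse zone-file style lines and keep only the SRV records for `owner`."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {line!r}")
        if fields[0].lower() != owner.lower():
            continue
        prio, weight, port = (int(x) for x in fields[4:7])
        if not 0 <= port <= 65535:
            raise ValueError(f"bad port in {line!r}")
        records.append(SrvRecord(prio, weight, port, fields[7]))
    return records


def order_by_rfc2782(records, rng=None) -> list[SrvRecord]:
    """Ascending priority; within one priority, weighted random selection."""
    if rng is None:
        rng = random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)   # RFC 2782: zero weights first
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


class OneShotBootstrap:
    """The thread's "use it once" rule: the untrusted local DNS is consulted a
    single time to learn the resolver name; that name is what the TLS
    connection must afterwards be authenticated against."""

    def __init__(self):
        self.chosen = None

    def bootstrap(self, zone_text, service, domain, rng=None):
        if self.chosen is not None:
            raise RuntimeError("bootstrap already done; not re-querying local DNS")
        owner = srv_query_name(service, domain)
        candidates = order_by_rfc2782(parse_srv_rrset(zone_text, owner), rng)
        # RFC 2782: a target of "." means the service is decidedly not offered.
        candidates = [c for c in candidates if c.target != "."]
        if not candidates:
            raise LookupError(f"no usable SRV candidates for {owner}")
        best = candidates[0]
        self.chosen = (best.target.rstrip("."), best.port)
        return self.chosen


# Constructed sample answer for the local network (not real data).
SAMPLE_ZONE = """
_doh._tcp.example. 300 IN SRV 10 60 443  doh1.example.
_doh._tcp.example. 300 IN SRV 10 40 443  doh2.example.
_doh._tcp.example. 300 IN SRV 20 0  8443 backup.example.
_dot._tcp.example. 300 IN SRV 0  0  853  .   ; DoT explicitly not offered
"""

if __name__ == "__main__":
    bs = OneShotBootstrap()
    print(bs.bootstrap(SAMPLE_ZONE, "doh", "example."))
```

The returned (name, port) pair is the only thing the local DNS is trusted for: a real client would open the TLS connection to that port and verify the server certificate against the returned name, and would not go back to the local DNS to re-discover the resolver later, which is the second of Phillip's two conditions.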
