+1 to Jason's comment - suggesting all DNS modification is bad indicates a
misunderstanding of some real-world use cases.
Andrew
-Original Message-
From: Livingood, Jason
Sent: 27 November 2019 16:06
To: Stephane Bortzmeyer ; dns-privacy@ietf.org
Subject: Re: [dns-privacy] Trying to
On 11/27/19, 9:55 AM, "dns-privacy on behalf of Neil Cook"
wrote:
>> If you use DoH/DoT, it is because you don't trust the access network.
>It says nothing about whether you trust the access network.
[JL] I agree with Neil. IMO the use of encrypted DNS is orthogonal to whether
or not you trust
On 11/27/19, 9:29 AM, "dns-privacy on behalf of Stephane Bortzmeyer"
wrote:
>For instance, if your access provider has a lying resolver
I just wanted to take a moment to note that choosing to use the term 'lying'
when describing resolver behavior is unnecessarily negative and seems
The problem with DHCP is the client has no way to know whether the DoT/DoH
server is indeed hosted by the local network or by an attacker. For example,
consider a network using Quad9/OpenDNS to perform malware filtering but an
attacker spoofs the DHCP response to convey the network is using
> -Original Message-
> From: Neil Cook
> Sent: Wednesday, November 27, 2019 8:25 PM
> To: Stephane Bortzmeyer
> Cc: Konda, Tirumaleswar Reddy ;
> dns-privacy@ietf.org; Phillip Hallam-Baker
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
> CAUTION: External
Please see inline
From: Neil Cook
Sent: Wednesday, November 27, 2019 8:10 PM
To: Konda, Tirumaleswar Reddy
Cc: Stephane Bortzmeyer ; dns-privacy@ietf.org; Phillip
Hallam-Baker
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
> On 27 Nov 2019, at 14:28, Stephane Bortzmeyer wrote:
> If you use DoH/DoT, it is because you don't trust the access network.
It says nothing about whether you trust the access network. You *may* be using
DoH/DoT because you don’t trust the access network. However, you may trust the
access
On Wed, Nov 27, 2019 at 10:04:57AM +,
Neil Cook wrote
a message of 45 lines which said:
> I don’t see why they’re broken by design;
You explained it well:
> they add no security properties
> on top of the (insecure) DHCP mechanism used to contact the resolver
> in the first place
And
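The risk described in the two messages above (a DoT/DoH resolver advertised via DHCP that the client cannot distinguish from one advertised by an attacker spoofing the DHCP reply, because discovery adds nothing to the insecurity of DHCP itself), as an added example that is not code from this thread or from any of its participants. The option framing (magic cookie, code/length/value TLVs, option 6 for DNS servers) is standard RFC 2132; option code 200 and the idea of carrying a DoT authentication domain name (ADN) in a DHCP option are assumptions made for the illustration, and the sample packets are constructed, not captured.

```python
"""
Added example: a client that learns its DoT resolver from DHCP.

DHCP carries no signature or MAC, so a spoofed ACK from an attacker on the
LAN is byte-for-byte as well-formed as the router's. The only thing that
adds security is policy the client held *before* joining the network.
Option 200 and the "ADN in a DHCP option" encoding are assumptions here.
"""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options-field marker
OPT_PAD = 0
OPT_DNS_SERVERS = 6                        # RFC 2132 "Domain Name Server"
OPT_END = 255
OPT_DOT_ADN = 200                          # ASSUMED private-use code for a DoT ADN


def build_dhcp_options(options: Dict[int, bytes]) -> bytes:
    """Encode a DHCP options field: cookie, code/len/value TLVs, END."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in options.items():
        if not 0 < len(value) < 256:
            raise ValueError("option %d: value must be 1..255 bytes" % code)
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Decode the TLVs. Nothing in this format authenticates the sender."""
    if data[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


@dataclass(frozen=True)
class DiscoveredResolver:
    ip: str    # from option 6
    adn: str   # name the DHCP server *claims* the resolver will authenticate as


def discover_resolver(options_blob: bytes) -> DiscoveredResolver:
    """What a naive client learns from a DHCP ACK, with no way to tell who sent it."""
    opts = parse_dhcp_options(options_blob)
    ip = ".".join(str(b) for b in opts[OPT_DNS_SERVERS][:4])
    return DiscoveredResolver(ip, opts[OPT_DOT_ADN].decode("ascii"))


def select_resolver(found: DiscoveredResolver,
                    trusted_adns: FrozenSet[str]) -> Optional[str]:
    """
    Strict policy: DHCP may only *choose among* resolvers the client already
    trusts. Returns the ADN to authenticate the TLS connection against, or
    None (use the client's own configured resolver instead).

    Limit of this check: an attacker who advertises a trusted ADN with their
    own IP passes it. That case is caught only when the client verifies the
    server certificate for that ADN in the TLS handshake, which the attacker
    cannot satisfy. Either way, DHCP itself contributed no security.
    """
    return found.adn if found.adn in trusted_adns else None


# Constructed sample packets (not captured traffic).
LEGIT_ACK = build_dhcp_options({
    OPT_DNS_SERVERS: bytes([9, 9, 9, 9]),
    OPT_DOT_ADN: b"dns.quad9.net",
})
SPOOFED_ACK = build_dhcp_options({               # attacker's own resolver and name
    OPT_DNS_SERVERS: bytes([192, 0, 2, 53]),
    OPT_DOT_ADN: b"dns.attacker.example",
})
SPOOFED_ACK_TRUSTED_NAME = build_dhcp_options({  # attacker reuses the trusted name
    OPT_DNS_SERVERS: bytes([192, 0, 2, 53]),
    OPT_DOT_ADN: b"dns.quad9.net",
})
TRUSTED_ADNS = frozenset({"dns.quad9.net"})

if __name__ == "__main__":
    for label, blob in [("legit", LEGIT_ACK), ("spoofed", SPOOFED_ACK),
                        ("spoofed, trusted name", SPOOFED_ACK_TRUSTED_NAME)]:
        found = discover_resolver(blob)
        print(label, found, "->", select_resolver(found, TRUSTED_ADNS))
```

The point of the three packets is that the parser accepts all of them equally; whether the resulting resolver is used has to be decided by configuration the client brought with it, and the final decision belongs to certificate verification against that pre-trusted name, not to anything DHCP said.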
> -Original Message-
> From: Stephane Bortzmeyer
> Sent: Wednesday, November 27, 2019 7:59 PM
> To: Konda, Tirumaleswar Reddy
> Cc: Stephane Bortzmeyer ; Phillip Hallam-Baker
> ; dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
> On 27 Nov 2019, at 14:22, Konda, Tirumaleswar Reddy
> wrote:
>
>>
>> Resolver discovery schemes allow a client to ask the local resolver to
>> provide
>> information about the resolver, such as DoH info, as well as potentially
>> other
>> information about the resolver. I don’t see why
On Wed, Nov 27, 2019 at 09:07:15AM +,
Konda, Tirumaleswar Reddy wrote
a message of 72 lines which said:
> > *All* "automatic discovery of the DoH resolver" schemes are broken
> > by design and I really wonder why people keep suggesting them.
>
> Not all discovery mechanisms have security
> -Original Message-
> From: Neil Cook
> Sent: Wednesday, November 27, 2019 7:48 PM
> To: Konda, Tirumaleswar Reddy
> Cc: Phillip Hallam-Baker ; dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
> -Original Message-
> From: dns-privacy On Behalf Of Neil Cook
> Sent: Wednesday, November 27, 2019 3:35 PM
> To: Stephane Bortzmeyer
> Cc: dns-privacy@ietf.org; Phillip Hallam-Baker
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
> -Original Message-
> From: dns-privacy On Behalf Of Neil Cook
> Sent: Wednesday, November 27, 2019 3:02 PM
> To: Phillip Hallam-Baker
> Cc: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
> On 26 Nov 2019, at 18:04, Stephane Bortzmeyer wrote:
>
>> Of these three models, I have always considered (1) to be a security
>> hole.
>
> I fully agree. *All* "automatic discovery of the DoH resolver" schemes
> are broken by design and I really wonder why people keep suggesting
> them.
> On 26 Nov 2019, at 17:35, Phillip Hallam-Baker wrote:
>
> So what I see is a requirement for DNS resolver configuration. We already
> have rfc6763 to tell us how to get from a DNS label to an Internet service.
> Albeit one that presupposes the existence of a resolution mechanism. I don't
> -Original Message-
> From: dns-privacy On Behalf Of Stephane
> Bortzmeyer
> Sent: Tuesday, November 26, 2019 11:35 PM
> To: Phillip Hallam-Baker
> Cc: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
>
Hi Brian,
Yes, the client needs to discover the privacy policy information of both the
forwarder and recursive resolvers, and if the DNS messages are encrypted
between the forwarder and recursive resolver. Further, the forwarding DNS
server can be configured with both primary and secondary
Hi Phillip,
Nice summary. Please see inline
From: dns-privacy On Behalf Of Phillip
Hallam-Baker
Sent: Tuesday, November 26, 2019 11:05 PM
To: dns-privacy@ietf.org
Subject: [dns-privacy] Trying to understand DNS resolver 'discovery'