[dns-operations] resolvers considered harmful

Phillip Hallam-Baker phill at hallambaker.com
Thu Oct 23 16:38:24 UTC 2014

On Thu, Oct 23, 2014 at 10:25 AM, Paul Hoffman <paul.hoffman at vpnc.org>

> Speaking as someone who supports all end systems to be their own
> validating recursive resolver.

I used to think that, but writing a paper for the middlebox workshop has
forced be to radically change my thinking. I have just converted it to a
draft and uploaded it.


Some highlights:

* The architectural model of the Internet should be described by the
interfaces between layers, not the descriptions of the layers. How a layer
is implemented can change (multipath TLS, DTN, etc). How it interfaces to
other layers changes over time

* Each interface is characterized by the identifiers that are used.
Applications connect  by DNS names, port numbers and SRV prefixes. The
Network/Transport layer exposes IP headers. the Transport layer exposes IP
addresses and ports.

* From the above it follows that there is a layer missing from the model
because applications aren't talking the same language as transport. The
name Presentation is already established but it is not a presentation layer
in the OSI sense.

* Using DNS to distribute keys has totally different security
considerations to distribution of IP addresses.

The last is important because there is very good case to be made for DNSSEC
validating DANE records at the end system client. It is actually better to
validate DNSSEC in the resolver.

Right now I do not see any transition plan from IPv4 to IPv6. We have
plenty of plans that let us use IPv6 only but as yet no plan that lets us
put a pure IPv6 device on a mixed network and achieve 100% connectivity
with legacy IPv4 hosts. Such a device would never make A record queries. It
would only make AAAA queries.

But give me a trusted path to an IPv6 resolver that I can trust to rewrite
DNS records so that my requests for hosts with only IPv4 connectivity are
rewritten to give me the address of a suitable gateway for that particular

With only a small amount of cleverness, we can make such a gateway
stateless. And that in turn means that providing internal network gateways
can become a base feature of ethernet switches.

The only thing that breaks is the DNSSEC signature on the AAAA record. And
that should not matter because an Internet application only cares about
domain names, the address should not be visible.

DANE has confused the issue because DANE is supporting the
application/presentation interface and the rest of DNS is supporting the
presentation/transport layer. DANE keys are an application concern and it
makes perfect sense to check DANE records at the application just as the
application checks WebPKI certificates. But having application code check
signatures on A and AAAA records makes no more sense than checking
signatures on BGP route advertisements there.

The OSI layer model is a failure when it comes to describing most of the
new innovations taking place in IETF. But when we invert the model and look
at the interfaces rather than the layers, the architecture that has emerged
over the past 20 years fits very cleanly.

Resolvers are of course a form of middlebox. They don't get counted as such
because middleboxes are 'evil' and resolvers are 'necessary'. But they sit
between the endpoint and the net, their logical function is middlebox-like
and thus their form is a middlebox.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141023/f6815558/attachment.html>

More information about the dns-operations mailing list