
Re: DNS Qname minimisation



Hugo Maxwell Connery wrote:
> I strongly encourage the Debian Project, in collaboration
> with other major GNU/Linux distributors to implement that
> standards coming out of the IETF to respond to the mass
> surveillance of the Internet illustrated by the Snowden 
> disclosures.
> 
> The DNS Qname minimisation standard has just been released
> and can be found at:
> 
> https://datatracker.ietf.org/doc/rfc7816/

Hi,

GNU/Linux distributors are generally not that involved in the actual
implementation of most RFCs. For the DNS protocol, the upstream software
developers are almost entirely responsible for implementing new features
(though there are a few DDs who are also upstream DNS developers). This
particular feature must be implemented by recursive DNS servers, and
there are a number of those in Debian: unbound, knot-resolver, bind,
pdns-recursor, and a few others.

DNS qname minimisation is already available in Debian; unbound 1.5.8 in
testing and jessie-backports has support for it, which can be enabled by
adding the following config snippet to /etc/unbound/unbound.conf.d/:

    server:
        qname-minimisation: yes

TTBOMK, the knot-resolver package also has qname minimisation support,
but I have not used it before.

ISC has declared that they will support qname minimisation
(https://twitter.com/ISCdotORG/status/700009184352337920), but I don't
see any signs that it has been implemented yet in their git repository.
Since BIND 9.11 is about to be released, I would guess that it would
have to wait until BIND 9.12.

PowerDNS has tagged the feature request asking for qname minimisation
support as "rec-4.1.0" (https://github.com/PowerDNS/pdns/issues/2311),
so I guess it might be supported in an upcoming release.

> The other major standard for DNS privacy is DNS over TLS
> which is in the final stages of standardisation:
> 
> https://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-09

This one requires changes to the DNS resolver running on end hosts. The
most logical place to put the code needed for this in a GNU/Linux
distribution would be in a long-lived daemon that can establish and keep
alive the needed TLS connections. systemd-resolved is one possibility,
though at FOSDEM Lennart Poettering mentioned that systemd-resolved
probably would not support DNS-over-TLS unless it were widely deployed
on the server side, IIRC.

Unbound has support for SSL connections, so one possibility would be to
install a local unbound server on each machine and continue to use the
traditional glibc stub resolver with "nameserver 127.0.0.1" in
/etc/resolv.conf.

-- 
Robert Edmonds
edmonds@debian.org
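Putting the two pieces of the above together as a single unbound drop-in: a local resolver listening on the loopback for the glibc stub ("nameserver 127.0.0.1"), qname minimisation enabled, and TLS used for upstream queries. This is an added example, not configuration from the original mail or from the unbound project; the upstream address 192.0.2.53 is a placeholder, and the option names other than `qname-minimisation` (`interface`, `access-control`, `ssl-upstream`, `forward-zone`, `forward-addr`) are unbound's own server and forward-zone settings.

```conf
# /etc/unbound/unbound.conf.d/privacy.conf  (added example, not from the mail)
server:
    # Serve only the local host; /etc/resolv.conf points the glibc stub here
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # RFC 7816: send each authoritative server only the labels it needs.
    # Only affects names unbound resolves iteratively itself; a forwarder
    # still receives the full query name.
    qname-minimisation: yes

    # Wrap queries to forward-addr targets in TLS instead of plain UDP/TCP
    ssl-upstream: yes

forward-zone:
    name: "."
    # Placeholder (documentation range): replace with a resolver that
    # actually offers DNS over TLS on port 853
    forward-addr: 192.0.2.53@853
```

With a forward-zone for "." the local instance is a forwarder, so qname minimisation takes effect on the upstream recursive resolver, not here; drop the forward-zone to run a fully iterative local resolver instead, in which case minimisation applies locally and ssl-upstream has no effect. `ssl-upstream` encrypts the channel; whether the upstream certificate is authenticated depends on the unbound version, so check `unbound.conf(5)` for the release in use and run `unbound-checkconf` after installing the file.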

