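This article is the Day 19 entry in the DNS温泉 Advent Calendar 2019. The originally planned "DNSDNS Resolution X3 vs 2ndMIX (tentative)" will be posted as tomorrow's article.
Also, I am holding off on publishing the non-technical article about IETF 106.
The technical article on the previous meeting (IETF 105) mentioned in the text is here.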
What this is, and background
The Application Behaviour Considering DNS (abcd) BoF*1 is the sequel to the Applications Doing DNS (ADD) BoF held last time. The DNS over TLS and DNS over HTTPS protocols have been specified, but a venue is needed to discuss the concerns and problems around how they are used and deployed. For that reason, the previous meeting was an open discussion that did not aim to form a Working Group, while this time a BoF meeting was held with the aim of forming one.
Between 2014 and 2018, DoH and DoT were standardized as RFC 8484 and RFC 7858 respectively, and since 2018 many clients have implemented DoT and DoH. As a summary, there is a page on curl's GitHub wiki that tracks the implementation status of DoH servers and clients.
At this BoF, the latter half of the time was spent discussing the charter for forming a Working Group, and two topics were presented as sessions: Mozilla's Canary Domain effort and Adaptive DNS Privacy, a draft from the dprive WG*2.
Canary Domain
DNS over HTTPS has been criticized because it lets users resolve names while bypassing restrictions, such as parental controls, that a network administrator imposes on the users of that network. This escalated to the point where a UK ISP association singled out Mozilla, which promotes DoH, as an "Internet Villain". In response, Mozilla introduced a mechanism called the Canary Domain as a way to detect whether DNS-based parental controls (or, more generally, network policies) are present and to disable DoH when they are.
Instead of trying to look up a domain that parental controls would actually filter and checking whether it is blocked, the Canary Domain approach defines a domain that "is always blocked if DNS-based parental controls are deployed". It then determines whether parental controls exist in the network by checking whether name resolution for that domain through the platform DNS*3 is blocked or altered.
...If you already have a bad feeling at this point, you are right. Whether this domain is blocked can also be controlled at a level upstream of the end user's network, so it is entirely possible that "a particular ISP blocks or alters the canary across the board and thereby disables DoH". The slides do say that this possibility will be monitored through telemetry and similar means, but an attacker can easily abuse the mechanism, so there is a risk that DoH becomes unavailable against exactly the threats DoH is really meant to address.
Some participants also argued that DNS should not be used for parental controls in the first place, and that this mechanism steers people toward the wrong approach.
Adaptive DNS Privacy
The current DNS over HTTPS/TLS versus DNS over port 53 (Do53) model is one where moving to DoH means ignoring the local network's resolver and using a public resolver for everything. Adopting this model raises the following questions:
- How does a client find a DNS resolver that supports encryption?
- How can a network announce its local policy?
- How can a client choose the appropriate resolver?
The Adaptive DNS Privacy proposal tries to answer these questions by keeping part of the local DNS resolver's role while also using public DNS.
First, for discovering a DoH-capable DNS resolver, the proposal uses a DNS record type called Service Binding records (SVCB/HTTPSSVC): the owner of a given name announces that it wants a particular DoH server to be used for that name, and the client retrieves the announced information through the local DNS resolver.
Because the model keeps the local DNS resolver in use, the local DNS resolver can announce the network's local policy. Besides announcing the filtering policy of a particular network, this is also said to be usable for presenting network-specific optimization options*4.
Finally, on the question of how to decide which resolver to use when both external and internal parties want their own resolver used, the proposal provides a client-side resolver selection algorithm that ranks resolvers by role. The VPN resolver takes priority, followed by a designated local resolver, a designated public resolver, Oblivious DoH*5, and direct name resolution, and the client uses the first of these that is available.
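The resolver ordering described above, sketched as an added example that is not code from the original article or from the draft. The tier names, the `Resolver` class, the reading of "designated" as a longest-zone match, and every resolver and domain name in `SAMPLE` are assumptions made for illustration.

```python
from dataclasses import dataclass

# Tier order as listed in the article; earlier tiers win.
TIERS = ("vpn", "local_designated", "public_designated", "oblivious_doh", "direct")
DESIGNATED = {"local_designated", "public_designated"}

@dataclass(frozen=True)
class Resolver:
    name: str
    tier: str
    zones: tuple = ()    # zones this resolver is designated for (designated tiers only)
    usable: bool = True  # False models an unreachable resolver

def covers(zone, qname):
    """True if qname equals zone or is a subdomain of it (label-aligned match)."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    return q == z or q.endswith("." + z)

def select_resolver(qname, resolvers):
    """Return the first usable resolver for qname, walking the tiers in order."""
    for tier in TIERS:
        best, best_len = None, -1
        for r in resolvers:
            if r.tier != tier or not r.usable:
                continue
            if tier in DESIGNATED:
                # Assumption: "designated" means the resolver was announced for a zone
                # covering qname; the most specific (longest) zone wins.
                lens = [len(z) for z in r.zones if covers(z, qname)]
                if not lens:
                    continue
                score = max(lens)
            else:
                score = 0  # VPN, Oblivious DoH and direct apply to every name
            if score > best_len:
                best, best_len = r, score
        if best is not None:
            return best
    return None  # nothing usable: fail closed rather than guess

# Constructed sample configuration (all names are placeholders).
SAMPLE = [
    Resolver("dhcp-resolver", "direct"),
    Resolver("odoh-proxy", "oblivious_doh"),
    Resolver("doh.example.net", "public_designated", ("example.com",)),
    Resolver("doh.video.example.com", "public_designated", ("video.example.com",)),
    Resolver("corp-gw", "local_designated", ("corp.example",)),
]
```

Recording which tier answered each query makes a silent fall-through to the `direct` tier visible, which is the case where the query leaves the encrypted path.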
Chartering discussion
As you would expect from a high-profile topic given a 45-minute slot, the discussion got quite heated. There is near agreement on forming the WG, but the chairs' slides said that the work items of this WG would require "Full Consensus", as opposed to the IETF's usual decision process of "Rough Consensus (and Running Code)". Whether full consensus is achievable, especially in a WG drawing this much attention, became a point of contention.
In addition, "privacy and surveillance" is listed as out of scope, and some asked whether DoH/DoT were not meant to fight exactly that in the first place.
The current charter proposal can be read here.
Tomorrow's article will cover the anti-DNSSEC aspect that I could only touch on briefly in "DNSDNS Resolution". Depending on how long it gets, it may slip to Saturday; thank you for your understanding.