Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Paul Vixie <paul@redbarn.org> Tue, 30 June 2020 07:51 UTC

To: Eric Rescorla <ekr@rtfm.com>
Cc: Daniel Migault <mglt.ietf@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, ADD Mailing list <add@ietf.org>, John R Levine <johnl@taugh.com>
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <14119.1593367594@localhost> <alpine.OSX.2.22.407.2006281428200.79151@ary.qy> <3615321.ADK9YsXCiF@linux-9daj> <CADZyTkm82y=H48e7TL+wBMN67jrCG2T96kHOdovX0Ds3m_nguw@mail.gmail.com> <CABcZeBMRYRoMVLr937=9T4dyVGzGHYapcrTRZ7nYghdAqzhqOQ@mail.gmail.com> <CADZyTknZTcYXb1JbYANh4uk5xgAedNGnM93y9QORJ2vYR5eJxw@mail.gmail.com> <CABcZeBOqZLpJ1_2-wFae3bM2RvrnA1z++swxfq7xc8E7Ny5ZfQ@mail.gmail.com> <CADZyTkmD1MYuP0+JB5KS3cLQGe_koo=bu2s2CucHXS098xYAoQ@mail.gmail.com> <CABcZeBM7dZTm-_mi6+pPE2_OW=EH3pN4siHe1TXy6JfXW6H-jA@mail.gmail.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <bd78f54e-038d-9cff-b6a8-c9c6323ed5f5@redbarn.org>
Date: Tue, 30 Jun 2020 00:51:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/-JL4oimZAJDK5g_VVC5BB-jda6g>

i wasn't speaking, but i was addressed, so i will attempt an answer.

Eric Rescorla wrote on 2020-06-29 20:08:
> 
> 
> On Mon, Jun 29, 2020 at 8:05 PM Daniel Migault <mglt.ietf@gmail.com> wrote:
> 
>     If the lookup takes as input the IP addresses or something provided
>     by the ISP (like the local resolver IP address), the resulting chain
>     is likely to be from the ISP. DNSSEC is needed to assert it. 
> 
> Why do you assume that the IP is delivered securely?

because dnssec allows me to verify end-to-end authenticity of
name/address bindings (and other dns content). while tls and ssh and
gssapi add a useful second layer of end-to-end identity verification,
those are not the only protocols i use.

>     Another way would be to be able to display example.com. The user
>     should be able to see how the domain is associated with the ISP it
>     has subscribed to or if it is being redirected to a cloud provider.
>     DNSSEC would make sure the corresponding IP address - as well as
>     other information - are bound to the displayed domain.
> 
> At this point, why would I need DNSSEC? I could just use the WebPKI.

dns has always been used by protocols outside the web, and will always 
be used by protocols outside the web. but even in your web use case, 
there will always be uri schemes which lack end-to-end identity 
verification. some current examples can be found here:

https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml

the web is a fish. the internet is a pond.

-- 
P Vixie
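An added example, not part of Vixie's message, the thread, or any draft: what a validator actually checks when DNSSEC verifies the "end-to-end authenticity of a name/address binding" that the reply above relies on. It signs a constructed A RRset for www.example.com with a constructed, deliberately tiny RSA key, validates the RRSIG following RFC 4034 section 3.1.8.1 (RSASHA256 per RFC 5702), and shows that changing one address in the set, the binding itself, makes validation fail. The zone, addresses, key and timestamps are all made up, the RSA key generation and signature code is a standard-library toy included only so the block runs offline, and serial-number time arithmetic and wildcard labels are left out.

```python
"""Toy DNSSEC RRset validation, RFC 4034 s3.1.8.1 with RSASHA256 (RFC 5702). Constructed
example: names, addresses, key and times are made up; the RSA key is a tiny in-process toy."""
import hashlib, hmac, random, socket, struct

RSASHA256, TYPE_A, CLASS_IN, ZONE_KEY = 8, 1, 1, 0x0100     # algorithm 8 = RSA/SHA-256
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def labels_of(name):
    return [l.lower() for l in name.rstrip(".").split(".") if l]
def name_to_wire(name):
    """Uncompressed, lowercased name: canonical form per RFC 4034 s6.2."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels_of(name)) + b"\x00"
def wire_name_end(buf, off):
    while buf[off]:
        off += buf[off] + 1
    return off + 1

def canonical_rrset(owner, rtype, ttl, rdatas):
    """RRs in canonical form and canonical (RDATA-sorted) order, RFC 4034 s6.3."""
    owner_wire = name_to_wire(owner)
    return b"".join(owner_wire + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(r)) + r
                    for r in sorted(rdatas))

def dnskey_key_tag(rdata):
    """RFC 4034 Appendix B."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _probable_prime(n, rng, rounds=24):       # Miller-Rabin; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x not in (1, n - 1):
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                return False
    return True

def make_rsa_key(bits=1024, seed=1):
    """Toy, deterministic RSA keygen (far too small for real use); returns (n, e, d)."""
    rng, e, primes = random.Random(seed), 65537, []
    while len(primes) < 2:
        c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (c - 1) % e and c not in primes and _probable_prime(c, rng):   # keeps gcd(e, phi) == 1
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def dnskey_rdata(n, e, flags=ZONE_KEY):
    """DNSKEY RDATA; key field in RFC 3110 form: exponent length, exponent, modulus."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("!HBB", flags, 3, RSASHA256) + bytes([len(exp)]) + exp + mod

def _emsa_pkcs1_v15(data, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(data, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(data, sig, n, e):
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(data, k))

def sign_rrset(owner, rtype, ttl, rdatas, signer, key_rdata, n, d, inception, expiration):
    """RRSIG RDATA (RFC 4034 s3.1): fixed fields, signer name, then signature over prefix+RRset."""
    prefix = struct.pack("!HBBIIIH", rtype, RSASHA256, len(labels_of(owner)), ttl, expiration,
                         inception, dnskey_key_tag(key_rdata)) + name_to_wire(signer)
    return prefix + rsa_sign(prefix + canonical_rrset(owner, rtype, ttl, rdatas), n, d)

def verify_rrset(owner, rtype, ttl, rdatas, rrsig, key_rdata, now):
    """RFC 4034 s3.1.8.1: True only if rrsig validates this RRset under key_rdata at time now."""
    covered, alg, labels, orig_ttl, expiration, inception, tag = struct.unpack("!HBBIIIH", rrsig[:18])
    sig_start = wire_name_end(rrsig, 18)
    flags, proto, key_alg, elen = struct.unpack("!HBBB", key_rdata[:5])
    e, n = int.from_bytes(key_rdata[5:5 + elen], "big"), int.from_bytes(key_rdata[5 + elen:], "big")
    o = labels_of(owner)
    if not (covered == rtype and alg == key_alg == RSASHA256 and proto == 3 and flags & ZONE_KEY
            and tag == dnskey_key_tag(key_rdata) and labels == len(o) and ttl <= orig_ttl
            and inception <= now <= expiration   # and the signer must be the owner or an ancestor:
            and any(name_to_wire(".".join(o[i:])) == rrsig[18:sig_start] for i in range(len(o) + 1))):
        return False
    # Signed data is the RRSIG RDATA minus the signature, then the canonical RRset at Original TTL.
    return rsa_verify(rrsig[:sig_start] + canonical_rrset(owner, rtype, orig_ttl, rdatas),
                      rrsig[sig_start:], n, e)

if __name__ == "__main__":
    n, e, d = make_rsa_key(seed=7)
    key, now = dnskey_rdata(n, e), 1593475200                    # 2020-06-30T00:00:00Z
    addrs = [socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20")]   # constructed RRset
    rrsig = sign_rrset("www.example.com.", TYPE_A, 3600, addrs, "example.com.", key, n, d,
                       now - 86400, now + 30 * 86400)
    print(verify_rrset("www.example.com.", TYPE_A, 3600, addrs, rrsig, key, now))   # True
    forged = [socket.inet_aton("203.0.113.1"), addrs[1]]          # one address swapped by an attacker
    print(verify_rrset("www.example.com.", TYPE_A, 3600, forged, rrsig, key, now))  # False
```

Nothing in the check involves a certificate, a hostname-in-SAN match, or a URI scheme: the same signed RRset validates identically for an ssh, smtp or gssapi client as for a browser, and a resolver or stub that validates it gets the address binding authenticated before any transport-layer identity check runs.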