Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers
Paul Vixie <paul@redbarn.org> Tue, 30 June 2020 07:51 UTC
To: Eric Rescorla <ekr@rtfm.com>
Cc: Daniel Migault <mglt.ietf@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, ADD Mailing list <add@ietf.org>, John R Levine <johnl@taugh.com>
References: <CABcZeBPTkWeB40wpTowKvEJ-gXA3AL2e-BE+C_FC7Js7-D0DZQ@mail.gmail.com> <14119.1593367594@localhost> <alpine.OSX.2.22.407.2006281428200.79151@ary.qy> <3615321.ADK9YsXCiF@linux-9daj> <CADZyTkm82y=H48e7TL+wBMN67jrCG2T96kHOdovX0Ds3m_nguw@mail.gmail.com> <CABcZeBMRYRoMVLr937=9T4dyVGzGHYapcrTRZ7nYghdAqzhqOQ@mail.gmail.com> <CADZyTknZTcYXb1JbYANh4uk5xgAedNGnM93y9QORJ2vYR5eJxw@mail.gmail.com> <CABcZeBOqZLpJ1_2-wFae3bM2RvrnA1z++swxfq7xc8E7Ny5ZfQ@mail.gmail.com> <CADZyTkmD1MYuP0+JB5KS3cLQGe_koo=bu2s2CucHXS098xYAoQ@mail.gmail.com> <CABcZeBM7dZTm-_mi6+pPE2_OW=EH3pN4siHe1TXy6JfXW6H-jA@mail.gmail.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <bd78f54e-038d-9cff-b6a8-c9c6323ed5f5@redbarn.org>
Date: Tue, 30 Jun 2020 00:51:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/-JL4oimZAJDK5g_VVC5BB-jda6g>
i wasn't speaking, but i was addressed, so i will attempt an answer.

Eric Rescorla wrote on 2020-06-29 20:08:
>
>
> On Mon, Jun 29, 2020 at 8:05 PM Daniel Migault <mglt.ietf@gmail.com
> <mailto:mglt.ietf@gmail.com>> wrote:
>
>> If the lookup takes as input the IP addresses or something provided
>> by the ISP (like the local resolver IP address), the resulting chain
>> is likely to be from the ISP. DNSSEC is needed to assert it.
>
> Why do you assume that the IP is delivered securely?

because dnssec allows me to verify end-to-end authenticity of name/address
bindings (and other dns content.) while tls and ssh and gssapi add a
useful second layer of end-to-end identity verification, those are not
the only protocols i use.

>> Another way would be to be able to display example.com
>> <http://example.com>. The user should be able to see how the domain
>> is associated to the ISP it has subscribed to or if it is being
>> redirected to a cloud provider. DNSSEC would make sure
>> the corresponding IP address - as well as other information - are
>> bound to the displayed domain.
>
> At this point, why would I need DNSSEC? I could just use the WebPKI.

dns has always been used by protocols outside the web, and will always be
used by protocols outside the web. but even in your web use case, there
will always be uri schemes which lack end-to-end identity verification.
some current examples can be found here:

https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml

the web is a fish. the internet is a pond.

-- 
P Vixie