Re: [Add] Thoughts on a DoH (and DoT) BCP?

<chris.box@bt.com> Thu, 25 July 2019 03:00 UTC

From: chris.box@bt.com
To: add@ietf.org
Thread-Topic: [Add] Thoughts on a DoH (and DoT) BCP?
Thread-Index: AdUx1uEEFvBhHUWqSHedXSRbiDMGggQJZbkQABjS84AAANIqwA==
Date: Thu, 25 Jul 2019 02:59:58 +0000
Message-ID: <LO2P123MB225667A40F5E8C7DD38880F29BC10@LO2P123MB2256.GBRP123.PROD.OUTLOOK.COM>
References: <LO2P123MB2462DEB5330C313055D62CC396FB0@LO2P123MB2462.GBRP123.PROD.OUTLOOK.COM> <30950_1563958271_5D381BFF_30950_9_1_B5939C6860701C49AA39C5DA5189448B939E9268@OPEXCAUBMA1.corporate.adroot.infra.ftgroup> <20190724203835.GB5078@laperouse.bortzmeyer.org>
In-Reply-To: <20190724203835.GB5078@laperouse.bortzmeyer.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/4Cdps4RVahQF4eIH0-OGJXP4jKU>
Subject: Re: [Add] Thoughts on a DoH (and DoT) BCP?

As Jim mentions, the core DoH protocol is done.
But Stephane (below) raised authentication of resolvers, saying that was also done. Is it?

RFC8484 simply says that RFC2818 authentication occurs, i.e. that the certificate matches the name in the configured DoH URI template.

If this DoH URI template was automatically discovered from the local network, and has the name dns.mcdonalds.com, how is the client system to know that the user trusts McDonalds? It feels like there's a step missing where the user grants trust to particular providers. Unless it is documented somewhere that I haven't seen.

Chris

-----Original Message-----
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Sent: 24 July 2019 16:39
To: philippe.fouquart@orange.com
Cc: Fidler,AJH,Andy,TQG R <andrew.fidler@bt.com>; Box,C,Chris,TLW1 R <chris.box@bt.com>; add@ietf.org
Subject: Re: [Add] Thoughts on a DoH (and DoT) BCP?


Part of it is already done. For instance, the message you quote mentions "authentication requirements for DoH and DoT resolvers" which are already covered in the RFCs standardizing DoTH.
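To make the distinction in this exchange concrete, here is an added example (not code from the thread, nor from any DoH client or RFC) that separates the two steps Chris's message refers to: the RFC 2818-style check that the server certificate's name matches the host in the configured DoH URI template, and the separate, client-policy question of whether the user has actually granted trust to that provider when the template was auto-discovered from the local network. The hostnames, certificate names, the `ResolverCandidate` type and the `evaluate_resolver` policy function are all constructed for illustration; the trusted-provider set stands in for whatever consent record a real client would keep.

```python
"""Client-side DoH resolver acceptance: certificate/name matching vs. user trust.

Added example; the hostnames, certificate names and policy are constructed,
not taken from RFC 8484 or from any real client.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


def host_from_template(template: str) -> str:
    """Return the lower-cased host of a DoH URI template such as
    'https://dns.example.net/dns-query{?dns}' (the '{?dns}' variable sits in
    the path/query, so urlsplit leaves the host intact)."""
    parts = urlsplit(template)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("DoH URI template must be an https URI with a host")
    return parts.hostname


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 2818 / RFC 6125 style DNS-ID matching: exact match, or a single
    leading wildcard label that covers exactly one host label. Wildcards that
    would cover a whole public suffix ('*.net') are rejected."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                    # ".example.net"
        if suffix.count(".") < 2:                 # refuse '*.net'
            return False
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]    # exactly one label
    return False


def cert_matches_template(san_dns_names: list[str], template: str) -> bool:
    """Step 1: does any subjectAltName dNSName match the template host?"""
    host = host_from_template(template)
    return any(name_matches(name, host) for name in san_dns_names)


@dataclass
class ResolverCandidate:
    template: str          # DoH URI template
    source: str            # "user" (configured by user) or "network" (discovered)
    san_dns_names: list    # dNSNames from the presented certificate (constructed)


def evaluate_resolver(cand: ResolverCandidate, trusted_providers: set) -> tuple:
    """Step 2: even with a valid, matching certificate, a resolver discovered
    from the local network is only used if the user has granted trust to that
    provider. Returns (accepted, reason)."""
    host = host_from_template(cand.template)
    if not cert_matches_template(cand.san_dns_names, cand.template):
        return False, "certificate name does not match URI template host"
    if cand.source == "user":
        return True, "user-configured resolver"
    if host in trusted_providers:
        return True, "user previously granted trust to this provider"
    return False, "network-discovered resolver; user has not granted trust"


if __name__ == "__main__":
    # Constructed consent record: providers the user has explicitly approved.
    trusted = {"dns.example.net"}
    candidates = [
        ResolverCandidate("https://dns.example.net/dns-query{?dns}", "network",
                          ["*.example.net"]),
        ResolverCandidate("https://dns.coffeeshop.example/dns-query{?dns}", "network",
                          ["dns.coffeeshop.example"]),
        ResolverCandidate("https://dns.coffeeshop.example/dns-query{?dns}", "network",
                          ["wifi.coffeeshop.example"]),
    ]
    for c in candidates:
        print(host_from_template(c.template), evaluate_resolver(c, trusted))
```

The second candidate is the case raised above: its certificate is perfectly valid for its own name, so the RFC 2818 check passes, yet the client still has no basis for using it until the user says so; the third fails at the certificate step before trust is even considered.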