Re: [Add] Encrypted DNS support in iOS and macOS

Tommy Pauly <tpauly@apple.com> Sat, 27 June 2020 15:40 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8C4D3A07AB for <add@ietfa.amsl.com>; Sat, 27 Jun 2020 08:40:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xvAj3SB8c0yC for <add@ietfa.amsl.com>; Sat, 27 Jun 2020 08:40:46 -0700 (PDT)
Received: from nwk-aaemail-lapp01.apple.com (nwk-aaemail-lapp01.apple.com [17.151.62.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42D773A07AA for <add@ietf.org>; Sat, 27 Jun 2020 08:40:46 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp01.apple.com [127.0.0.1]) by nwk-aaemail-lapp01.apple.com (8.16.0.42/8.16.0.42) with SMTP id 05RFaNil015036; Sat, 27 Jun 2020 08:40:43 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : content-transfer-encoding : from : mime-version : subject : date : message-id : references : cc : in-reply-to : to; s=20180706; bh=Oemyt/7CY2GC0vlaxvxiSpH2I0vhQ3dTKUOT+9uKD34=; b=rTnHP/VhY2/1n7ZIbaP5/0jZ2yY3InmhwClLAmtzIGICTrSkbsKA23x5W2GLNiXLBn+R nfFUl5mWnW6R4TDmTb7WOXyn4z/091XSKjdBnXRu/45ItfzW6RGPKhKELDvgzdMU4hw2 ibBOxJL/y7GKgmCngwxz92DxXpvomJeNXYcebx29kfeU6bLf4Q6/8UqF8c72KwClJd00 UgEvWZuVQxZmdlsrjrR56jR+ZJ+k0Kghn1PQzI6y+pG7xXupv5GVDumCKkHmtT67bf2b c39T4fUyd77zszF4hYRArEXKCAXcE7PiHpKyaArRGx2N+F1peSZ7M7xCr61pH1Eqe+g2 FA==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by nwk-aaemail-lapp01.apple.com with ESMTP id 31x51wk6q1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Sat, 27 Jun 2020 08:40:43 -0700
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPS id <0QCL00PV7CVVM490@rn-mailsvcp-mta-lapp03.rno.apple.com>; Sat, 27 Jun 2020 08:40:43 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) id <0QCL00400CV4JC00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Sat, 27 Jun 2020 08:40:43 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 5e556cc4695c8eea5ebba601e8c34836
X-Va-E-CD: 8d219af0f322673eb814e7f9156c80e8
X-Va-R-CD: 414100da242e1445641903909a2349ad
X-Va-CD: 0
X-Va-ID: 169ef601-d682-4e12-88e2-fff6adb80957
X-V-A:
X-V-T-CD: 5e556cc4695c8eea5ebba601e8c34836
X-V-E-CD: 8d219af0f322673eb814e7f9156c80e8
X-V-R-CD: 414100da242e1445641903909a2349ad
X-V-CD: 0
X-V-ID: 9f251150-1065-4677-86a9-4e1890eed754
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.687 definitions=2020-06-27_05:2020-06-26, 2020-06-27 signatures=0
Received: from [10.104.189.9] (unknown [10.104.189.9]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPSA id <0QCL00MD9CVOEZ00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Sat, 27 Jun 2020 08:40:38 -0700 (PDT)
Content-type: multipart/alternative; boundary=Apple-Mail-16B42A5A-4ECD-4C54-AD92-082178D08413
Content-transfer-encoding: 7bit
From: Tommy Pauly <tpauly@apple.com>
MIME-version: 1.0 (1.0)
Date: Sat, 27 Jun 2020 08:40:33 -0700
Message-id: <178C62F1-3DFE-48F3-8F38-65EBCDF6EBDA@apple.com>
References: <CACJ6M15JSwZdZ2GN+TjxwW+rBpbZq12KdfnKd4gHXF8m6ppRzA@mail.gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>
In-reply-to: <CACJ6M15JSwZdZ2GN+TjxwW+rBpbZq12KdfnKd4gHXF8m6ppRzA@mail.gmail.com>
To: "Chris Box (BT)" <chris.box.ietf@gmail.com>
X-Mailer: iPhone Mail (18A316a)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.687 definitions=2020-06-27_05:2020-06-26, 2020-06-27 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/AxWQyU0qBdNvToe-DG4T_UmWKXA>
Subject: Re: [Add] Encrypted DNS support in iOS and macOS
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2020 15:40:48 -0000

> On Jun 26, 2020, at 11:58 PM, Chris Box (BT) <chris.box.ietf@gmail.com> wrote:
> 
> 
> Tommy,
> 
> These details are incredibly helpful so I appreciate you sharing them.
> 
> I’m uncertain about automatic discovery though. You say:
>> 
>> The system isn’t doing any automatic use of locally-hosted DoH/DoT servers at this point.
> 
> But this would appear to conflict with:
>> 
>> If connections to the automatically discovered DoH resolvers fail, the system currently fails over to use traditional DNS.
> 
> In the beta, are automatically discovered resolvers used, or ignored?

The system doesn’t yet do any automatic DoH for *local* resolvers, such as upgrading from the ISP UDP resolver to an ISP DoH resolver. 

The automatic behavior the betas do have is for designating resolvers for specific domains using HTTPS RR. 

However, I’d expect that behavior for local discovery would be similar. Based on our draft, we’d like to explore using the same HTTPS RR format for local resolver upgrade. 

Best,
Tommy

> 
> Thanks
> Chris
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add