Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

[Eric Rescorla <ekr@rtfm.com>]

On Tue, Jun 30, 2020 at 10:19 AM Paul Hoffman <paul.hoffman@icann.org>
wrote:

> On Jun 30, 2020, at 5:58 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > The question I am addressing is what we ought to do in the interim.
> >
>
> Given that this discussion is happening on an IETF WG mailing list, the
> sub-question is who you mean by "we".


I'm talking about what this WG ought to do.

Earlier, you indicated that you were not necessarily proposing this for
> IETF standardization, and your draft is indeed informational, nor have you
> asked the WG to consider the proposal.
>
> If all that Firefox needs is a simple way for a resolver to reply with a
> key that Firefox can use to look up in its TRR list, the CNAME proposal is
> fine. For that matter, so would an A record where Mozilla assigns each TRR
> an arbitrary IPv4 address that is used as a key; this would avoid any
> problems with middleboxes that blocked CNAME queries. There doesn't seem to
> be any value to standardize such a proposal.
>

As I said before, I'm not asking for standardization of this proposal. I
posted it to document what it is that we do.

With that said, a number of the comments on this proposal have taken the
form of "this is inflexible because we want to carry information of type
X". I agree that that's technically correct, but the point that I am making
(and in fact one that I made when ADD was first chartered) is that
proposals that intend to carry other data (such as the URI template of the
resolver, for instance) need to document the threat model that they are
assuming and demonstrate that they provide some value in that threat model.
That would be true even if we had never submitted this document. What I
have seen so far seems insufficient.

-Ekr