IETF Logo Mail Archive

Re: [Add] Comparative DoH Discovery DNS RR Types

Tommy Pauly <tpauly@apple.com> Mon, 29 June 2020 22:22 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC243A0D88 for <add@ietfa.amsl.com>; Mon, 29 Jun 2020 15:22:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QuM6iyxY0SpI for <add@ietfa.amsl.com>; Mon, 29 Jun 2020 15:22:31 -0700 (PDT)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDB873A0D83 for <add@ietf.org>; Mon, 29 Jun 2020 15:22:26 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.42/8.16.0.42) with SMTP id 05TMMCu9003809; Mon, 29 Jun 2020 15:22:25 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=bx2xhrB1iEEctond4pzcLITEL7CTtuMp4xTsSx/plJk=; b=GMGD4Y/4edvfMSKEy4I9gU1bqdrVRIpE2jSVu7U3WesnWBYyr0uU8OuOjmb7bc2+zVBv hmt3NVx8HISk6LoUlVoq/Sq/L6iZJjrNVzaqRaaRfdWUNoHc70wUu/NQG94HzCK0uRIj 3pEao8AnekyEhLc8IDP73ubnzGjH3BvrDIBI1Re0N4OmiIwxKSdCJXQtNNTu1pAHOFxV yDGSQ1rjTibtIUInIPP33Trwe2WhDpsRePzZ6K4JSSlyS0wZEf8st6zRBwf5OtQb6Asl 9QC7lapLRFXHsi7EGhgbHCCMX4jxvqE/Mj7feAWUaMPLDX9hoctmck3hXm142dc4Xaoy Uw==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by nwk-aaemail-lapp02.apple.com with ESMTP id 31x2ph38d9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 29 Jun 2020 15:22:25 -0700
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPS id <0QCP009WNKTDCVI0@rn-mailsvcp-mta-lapp02.rno.apple.com>; Mon, 29 Jun 2020 15:22:25 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) id <0QCP00U00KRLDU00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Mon, 29 Jun 2020 15:22:25 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 7e7bcd67fbc9a0a620034c2bd87f55e5
X-Va-E-CD: bb95b336d3f7616b03bf913e46b62926
X-Va-R-CD: 24e8aabca2796a6e72c0139df6f009e8
X-Va-CD: 0
X-Va-ID: 11e068a0-ad9d-4a8a-93bc-b93194b79d27
X-V-A:
X-V-T-CD: 7e7bcd67fbc9a0a620034c2bd87f55e5
X-V-E-CD: bb95b336d3f7616b03bf913e46b62926
X-V-R-CD: 24e8aabca2796a6e72c0139df6f009e8
X-V-CD: 0
X-V-ID: 466b375b-27c1-4dc9-9189-4c281cc1d27b
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-06-29_21:2020-06-29, 2020-06-29 signatures=0
Received: from [17.232.189.109] (unknown [17.232.189.109]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPSA id <0QCP00H8RKTCAM00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Mon, 29 Jun 2020 15:22:25 -0700 (PDT)
Content-type: text/plain; charset="utf-8"
MIME-version: 1.0 (Mac OS X Mail 13.4 \(3608.80.7.2.3\))
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <26559974.PdTMpzyJZD@linux-9daj>
Date: Mon, 29 Jun 2020 15:22:23 -0700
Cc: ADD Mailing list <add@ietf.org>
Content-transfer-encoding: quoted-printable
Message-id: <D2C141AA-E677-480F-ABB2-62B21EB2ADFE@apple.com>
References: <7325C546-587D-4CD9-8059-0887C33F3503@cable.comcast.com> <26559974.PdTMpzyJZD@linux-9daj>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3608.80.7.2.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-06-29_21:2020-06-29, 2020-06-29 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/GdkMjxCivMpvIyNG0t4Hz4Gp6HI>
Subject: Re: [Add] Comparative DoH Discovery DNS RR Types
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2020 22:22:33 -0000


> On Jun 29, 2020, at 2:01 PM, Paul Vixie <paul@redbarn.org> wrote:
> 
> On Monday, 29 June 2020 15:36:42 UTC Livingood, Jason wrote:
>> Just noting far we have a variety of suggestions on CNAME, URI, TXT, RESINFO
>> and HTTPSSVC (though I don’t think all have I-Ds as yet) - always nice to
>> see the ideas flowing. :-) As a practical person that in IETF land is
>> considered an implementer, I naturally feel inclined towards RR types that
>> already exist as this enables something to be rapidly deployed.
> 
> the community apparently lacks coherence on the importance of rapid deployment 
> as compared to the importance of technical excellence. if we're not going to 
> add any more new RR types because they take ten years to become usable (see 
> the SPF RR vs. the later _spf TXT RR), we should say that, and close the RR 
> type registry, so as to avoid confusing newcomers.
> 
> if on the other hand we're going to continue to evolve DNS in ways that 
> include adding new RR types, and all the initiators who are stuck behind 
> dumbass middleboxes who reject or butcher unknown RR types are going to fail 
> hard and be excluded from the new applications and protocols in order to put 
> more pressure on middlebox users/makers/distributors, we should say that.

Agreed on both points.

To that end, one of the reasons I like using HTTPS RR (aka HTTPSSVC) for the ADD information is that this RR type, while new, is tied directly to the deployment of TLS Encrypted Client Hello (ECH). Improving the privacy of names on a network requires, ultimately, both encrypted DNS *and* encrypted SNIs in the client hello.

Of course, a client could only expect to do ECH when it already has encrypted DNS set up, but I’d prefer that the architecture not design for that case. We should have a system that allows to discover local encrypted resolver support, and even do ECH to hosts private to a local-network. There will indeed be networks or middle boxes that butcher this, but they also could be butchering other aspects that would stop the local network from upgrading from Do53 to DoT/DoH.

Tommy

> 
> either way, nothing is temporary. whatever we use for resolver discovery will 
> be present as a data pattern and code path in all future software. improved 
> signal patterns and associated logic will live alongside the unimproved ones, 
> raising the bar for both short-term expedients and later improvement to be 
> "worthy of its coexistence cost". for clarity, that's a _very_ high bar.
> 
>> As all of these become documented a discussed a bit further - or even tested
>> experimentally - my humble suggestion is that it may be helpful for the WG
>> to develop a grid of all the options with their associated pros & cons.
> 
> such grid would be well informed by the attached graphic.
> 
> -- 
> Paul<complexity.png>-- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email