[Add] comments / question regarding draft-cook-doh-discovery-trial
Daniel Migault <mglt.ietf@gmail.com> Wed, 25 November 2020 19:43 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58A4E3A1BE9 for <add@ietfa.amsl.com>; Wed, 25 Nov 2020 11:43:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 60o-HSVbZAVk for <add@ietfa.amsl.com>; Wed, 25 Nov 2020 11:43:22 -0800 (PST)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C602F3A1BEC for <add@ietf.org>; Wed, 25 Nov 2020 11:43:22 -0800 (PST)
Received: by mail-qk1-x72a.google.com with SMTP id y197so5834270qkb.7 for <add@ietf.org>; Wed, 25 Nov 2020 11:43:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Wgj/msq8PIsb18CRNLAV38PPunJzFLk1uB2iZgiuWSA=; b=ZhNo14I7D0Ppv1tM7RssNlT2cN+owkqyGLldRc/0ovCAuGoC6LJXT75em9AvQqZjk3 U5AArW3QLj/KAE287oN6HI1Vx2X/VBDFLeKwmjtpaTLMYITJMEY6ADGVvzOjVyIbscKy FPJvy+OPDU2AdpwrXqE/D2mPXb/k83M/qqj4Bv0Ake3FJ+DFIz0n+wN9xR/bUL8uQ0D+ 2nb4mTQBt42hPN+WMKrYkAeRKTUGxVK+38C79zoW7FFdUxPXMvwelMq3rLFTFZjC0u9q Db6PA5bk1Wy+pdROnA1vqNPqM4s8WdOpLtFlvZKHiicEZZdTqlttiiB59eePc3e++LOi l7nQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Wgj/msq8PIsb18CRNLAV38PPunJzFLk1uB2iZgiuWSA=; b=QsRwexsqR2/f/ldn8eeTTBhYiw7qbOCw8ZAwaNkxc3Buj6Ocn1VLgJXH3oWlyqoGub MtWVaLBvfPrgLglF6Y1BtlcYBP1QgHTH32242MRPLMmz1Cnihj4XQshUnr9B3qXQaGmj KqgAKRogWRTVWSXXubegUyT8ZfBvM5Q9+z9oFJN5q6on9eN/Yh5cer7R9bvUgbK12fSj B5iBZQ8PABCvz2OxyuUtdeCqrE+DQ0v/+kpfDC8lrVLwUK9ANGqJ5/NOjXrjf3XsaJx+ y+zXG7qNAsS2q2tDNHud7SSxlGYlfjrHqjxvDNA44fbdl6y1jctEt+Jtm6T3fCG3d9Qd 6vAQ==
X-Gm-Message-State: AOAM532/3y516W+I/sEQYA2CuH1rZFxduLhnQwnqrvkBtP3bplAtwglo ujGTuvgWXuG28NlYjpo4px1iFgCRgXrde0zTRXyp4sRd1pc=
X-Google-Smtp-Source: ABdhPJyrzWJ88zY1e15aITlihtlyHdXc5Da3JxgVr5Jdc8ZHDvbYk5/ujh7rgEqvXFDfgCR4lnXSldQLT1oB02Q96vI=
X-Received: by 2002:a37:4a88:: with SMTP id x130mr479241qka.69.1606333401634; Wed, 25 Nov 2020 11:43:21 -0800 (PST)
MIME-Version: 1.0
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 25 Nov 2020 14:43:10 -0500
Message-ID: <CADZyTknu57Wu_4LjBvELs-osZ-KZU-2U8MrteyhqeMfkFK3AXw@mail.gmail.com>
To: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cb9b4205b4f3a35f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/L1HSqNvqdM0feqIXz7KQaxXlqMM>
Subject: [Add] comments / question regarding draft-cook-doh-discovery-trial
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2020 19:43:24 -0000
Hi, I am commenting quite late on the document, but I have a suggestion and would be happy to hear your feed backs. Overall I like the mechanism, but I would like to avoid the use of SUDN as it prevents the use of DNSSEC. If the resolver is being advertised by its IP address, I would rather rather derive the query from that IP. A FQDN based on <ip>.in-addr.arpa (<ip>.ip6.arpa could fulfill such condition which provides the following advantages: * it does not require the creation of another SUDN. * it does not require to handle a special case for the resolution and instead proceed to standard and unchanged DNS resolution which makes it work with any currently deployed DNS software. * the mechanism works for resolver, and authoritative server proving DoH. * DNSSEC can be used to protect against spoofed attacks including NXDOMAIN responses. * DNSSEC can be used to delegate securely to a third party DoH resolver by providing the certificate used in the TLS session. When used with private IP addresses [rfc6303], the DNSSEC key used to sign the forward and reverse zone needs to be provisioned or learned with TOFU mechanisms - which remains better than none. With these benefits, the implementation on CPE is not much difficult than responding dohresolver.arpa. One difference is that the data associated with the IP address is hosted on the authoritative server, while in the current proposal, it is the entity receiving the data (authoritative or resolver). In both cases, the association is the IP address value. In most CPE deployment, this does not represent a huge change as the CPE hosts the internal data as well as plays as a resolver. There is only NAT that I see causing potential issues. Yours, Daniel -- Daniel Migault Ericsson
- [Add] comments / question regarding draft-cook-do… Daniel Migault