[Add] ddr - SPKI question and comment on SNI section
Daniel Migault <mglt.ietf@gmail.com> Fri, 10 June 2022 16:12 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40B28C15D865 for <add@ietfa.amsl.com>; Fri, 10 Jun 2022 09:12:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rM_gwXvZpiLB for <add@ietfa.amsl.com>; Fri, 10 Jun 2022 09:12:36 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C204AC1649DC for <add@ietf.org>; Fri, 10 Jun 2022 09:12:36 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id 20so4082680lfz.8 for <add@ietf.org>; Fri, 10 Jun 2022 09:12:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=NHG+QAl9onC2h/ZwG4MWDbOdpMVYY8tcmNB04vqC7NY=; b=fKV078gl7gJk3VMbj3VwAWw2m3bKXPxtrTqv5csDP8GQsmUJGvxRdfHbjQ4/3HJZ6r zIpOgOPcrbiawMdBscGswjpiznunRjdssWp/T1cU1jd03L7cN3e31dkMQbHUfJiy2SJs oRUkTjts2evJj2fYVfhGfDpmkyFfNmG3001BrEfHkk+S1usp3V6a5wbXuUcDF7Fc9T8R xeXQuA0dAYbH7XhsKsrTT0aY2woe4GlVLpCCVLS/6jqeJUcTuwMcUhIUtYWKYDZd6rGN yuAoDhk4rrAosFqoBDrjQC/Pi8pTcuhsoz1DLYdVTemQH6N1qb+vgJp3+qj8pPUAQ1oK ymzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=NHG+QAl9onC2h/ZwG4MWDbOdpMVYY8tcmNB04vqC7NY=; b=pnxh0Nvd2TxLqzxssmpR0ppiR9LVUJGr3LJLGnynouYmAKN9zvMYmY0W+V/925Xw7M HjWgqeLixkWRxP27K9ap4Z9A2jNIYVJDmB9HTp1Kqsnn6ldlX/GX3piNopkgYfO1iC4+ 1kFowXw8RzFTbVlxy+zPJcDnlbZFP2wEQt4YxRLiRr2esbEUCUYx2o7HM3VmnC263Ov+ HReg47Y8VnNuEhFL/YsDPlUeXov+8nGLC62KXNpbTe27jdAW5UOmQCbDnbqlKT0bE1d/ 8E9XPcRTDJeCEtM0SZJLOrkjH5Ii0bAJp9+txyVMNA2SGFcdelJy6yeiiJOedXVF1euX hnGw==
X-Gm-Message-State: AOAM530S+HiC80RurybJf14xf3WxIhEX4BM6skLvNAKn1mA154kanO1C /jvGMyBdZTjdMDGd3XTN9xsQKf0Y5gGUR4kcGyj8WlTkcs7Y3A==
X-Google-Smtp-Source: ABdhPJwmauXAZQ+2Yvmx8eWrYxnDQSUxd3l/IyxuO4TV+i1iM+FgIZY6siRMKrEyaqfTIL5xtF8r7al764e7EpvEsI4=
X-Received: by 2002:a05:6512:2806:b0:47b:57ad:4ffd with SMTP id cf6-20020a056512280600b0047b57ad4ffdmr6985715lfb.601.1654877554768; Fri, 10 Jun 2022 09:12:34 -0700 (PDT)
MIME-Version: 1.0
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Fri, 10 Jun 2022 12:12:23 -0400
Message-ID: <CADZyTknbTihDjB715fqoyLueFHF-CwM5YjHghZwXQNpagyEMKw@mail.gmail.com>
To: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cc7e6e05e11a3436"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/TAuSazMDaBZsFrTF7koHZEddJss>
Subject: [Add] ddr - SPKI question and comment on SNI section
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jun 2022 16:12:37 -0000
Hi, We are considering different ways to configure DoE clients. RFC 7858 indicates the use of SPKI Fingerprints in an analogous manner to that described in RFC7469. I am wondering if anyone is aware of implementation considering SPKI Fingerprints for or if such usage is not something we would like to deprecate. Additionally, I was wondering how DoE can be performed without an hostname and its associated SNI and went through 6.3. 6.3. Server Name Handling """ When performing discovery using resolver IP addresses, clients MUST use the IP address as the URI host for DoH requests. """ The text can be read as when ddr is performed as described in section 4, DoH request place the IP address in the URI. I think the text is willing to say when ddr requests are performed using DoH, but once ddr is done, the hostname provided by ddr must be placed in the URI, but I think that could be clarified. """ Note that since IP addresses are not supported by default in the TLS SNI, resolvers that support discovery using IP addresses will need to be configured to present the appropriate TLS certificate when no SNI is present for both DoT and DoH. """ I am wondering what "will need" means MUST or SHOULD ? As I see it, SNI causes an issue for client only configured with an IP address when they are willing to perform DDR over an encrypted DNS. In this later case, it seems that a user that checks if the IP supports DoE to discover the assigned DoE seems a bit like an opportunistic (pre)-discovery - obviously different from section 4.3. In addition, when the TLS session can be established, there is no obvious rea sons to proceed further to ddr. The way I perceive the section on SNI is to provide some recommendations on the resolver side to handle more possible scenario. It might also be good to add the client perspective and recommend that clients be configured with the host name to increase the chance of a working SNI - and this extension should be enabled by the client. There are cases where multiple unencrypted DNS resolvers (with different IP addresses) share a designated encrypted DNS. My reading of section 4.2 is that this case is covered properly. I am raising the use case just in case someone sees an issue somewhere. -- Daniel Migault Ericsson
- [Add] ddr - SPKI question and comment on SNI sect… Daniel Migault
- Re: [Add] ddr - SPKI question and comment on SNI … Tommy Pauly
- Re: [Add] ddr - SPKI question and comment on SNI … Ben Schwartz
- Re: [Add] ddr - SPKI question and comment on SNI … Daniel Migault