Re: [Add] [Ext] Draft Posting: CNAME Discovery of Local DoH Resolvers

Martin Thomson <mt@lowentropy.net> Tue, 30 June 2020 09:08 UTC

Message-Id: <668384b7-90f5-4ff1-b9e2-d0257aee731d@www.fastmail.com>
In-Reply-To: <bd78f54e-038d-9cff-b6a8-c9c6323ed5f5@redbarn.org>
Date: Tue, 30 Jun 2020 19:07:43 +1000
From: Martin Thomson <mt@lowentropy.net>
To: add@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/mIhex-tlKUM3bC4xAGe0Sh92Stc>

Hi Paul,

On Tue, Jun 30, 2020, at 17:51, Paul Vixie wrote:
> Eric Rescorla wrote on 2020-06-29 20:08:
> > On Mon, Jun 29, 2020 at 8:05 PM Daniel Migault <mglt.ietf@gmail.com> wrote:
> > 
> >     If the lookup takes as input the IP addresses or something provided
> >     by the ISP (like the local resolver IP address), the resulting chain
> >     is likely to be from the ISP. DNSSEC is needed to assert it. 
> > 
> > Why do you assume that the IP is delivered securely?
> 
> because dnssec allows me to verify end-to-end authenticity of 
> name/address bindings (and other dns content.) 

DNSSEC allows you to be sure of the veracity of what comes from DNSSEC, but in this case the IP address didn't come from DNSSEC.  It's not DNS content.
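As an added illustration of the point in this reply (not code from the thread or from the draft under discussion), here is a small Python model of CNAME-based resolver discovery that tags every value with where it came from; the zone contents, the `Source`/`Value` types, `discover_doh` and the addresses are all constructed for the example.

```python
"""Provenance model for CNAME discovery of a local DoH resolver (constructed).

A validating stub gets its resolver IP from DHCP, reverses it into
in-addr.arpa, and follows the CNAME to a DoH host. DNSSEC can validate the
CNAME, but the query name was derived from an unauthenticated input, so the
binding "this is my network's resolver" is not authenticated end to end.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Source(Enum):
    DHCP = ("dhcp", False)      # link-local configuration, not authenticated
    DNSSEC = ("dnssec", True)   # validated DNS content

    @property
    def authenticated(self) -> bool:
        return self.value[1]


@dataclass(frozen=True)
class Value:
    data: str
    source: Source


# Hypothetical signed reverse zone: name -> (rrtype, target). Both entries are
# "validly signed" here; signing says nothing about who handed out the address.
SIGNED_ZONE = {
    "1.0.0.10.in-addr.arpa.": ("CNAME", "doh.isp.example."),
    "9.9.0.10.in-addr.arpa.": ("CNAME", "doh.other.example."),
}


def reverse_name(ipv4: str) -> str:
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %s" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def dnssec_lookup(name: str) -> Optional[Value]:
    """Model of a validating CNAME lookup: validated target, or None for NXDOMAIN."""
    rr = SIGNED_ZONE.get(name)
    return Value(rr[1], Source.DNSSEC) if rr and rr[0] == "CNAME" else None


def discover_doh(resolver_ip: Value) -> Tuple[Optional[Value], bool]:
    """Return (DoH target, binding_authenticated).

    The target itself is DNSSEC-validated, but the binding is only as strong
    as the provenance of the input the query name was built from.
    """
    target = dnssec_lookup(reverse_name(resolver_ip.data))
    if target is None:
        return None, False
    return target, resolver_ip.source.authenticated
```

Both constructed addresses yield a validated CNAME target, yet `discover_doh` reports the binding as unauthenticated whenever the address came from DHCP.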