IETF Logo Mail Archive

Re: [Add] Comparative DoH Discovery DNS RR Types

Daniel Migault <mglt.ietf@gmail.com> Tue, 30 June 2020 01:14 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 421063A0EFA for <add@ietfa.amsl.com>; Mon, 29 Jun 2020 18:14:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i2pwIunDtSA0 for <add@ietfa.amsl.com>; Mon, 29 Jun 2020 18:14:23 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 197603A0EF8 for <add@ietf.org>; Mon, 29 Jun 2020 18:14:23 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id s20so2921109vsq.5 for <add@ietf.org>; Mon, 29 Jun 2020 18:14:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CLshK/wd2GUUj3J0BNMklcJjg5VrU5yOLs4R9FeJ2nY=; b=JLYTnDMZJXfKXiMd/fOHavMHC0OwQxV+QIPrqG8FaBVELI1QY+YSTHiuBAC77ijQfe 7yfWD3ewm+V2JnCcEN/3TL6LoZQFzRwT8jVrO5ghcCwQK/CEsu58SQ3meQRhKp7X5XBo QRAJQZXEOjufuFOxXdaq7ingR1zeR6rpEETA2CrjaO2pzeYA4Q6AbKZjod2K6H4cs7bX oGlm69QgT+oDplY6TYLeH79lzr220n036bdP96oaVDBNG+bKs+X2kER+6ZUN4TYJun9t k4vcPTVf30VFZNDT8GJFpMR90FeUsrWj41ATjJKU77bykWswBvKhD0o3rjSH0PkDyqYY 7tFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CLshK/wd2GUUj3J0BNMklcJjg5VrU5yOLs4R9FeJ2nY=; b=JjpGiY3Od5sFJEDCxwdlRrGSdepVGH7QYEIzD/j7qFobq6k0wWsASKdlhVQPhdcb3u JOA7k1tIpLlYHgbuGvf2yhHd5QHIUUCTN3NbaEceJHQXpE+BXUniufPsHhrm+6211SMF X2skl33jugdalJpdUxQTG1VvBFviPpgJL1DeEOc51pmbEk1gFK+yNb5vdpvcr9LVSP9T drNGdwfVyOoa3Pi16OmjHFkhO5uGHgoub+z6But26f9NTz7tPqptp/Yph1WAEpWwXtDj RsfHz07nsFHCmv0xx+/9fMBElrnl4dh8ViC9siSBY5lKqYYlHr4C5tMpHb1hjOBEhva9 QOiQ==
X-Gm-Message-State: AOAM530YNBjY6/3RdQpYRn/avhjDs7w576f0DfpKdu4rn4aTdMFeHMO4 ygqtHAEGfVDp++kmpMlAPqva9ZXBcLB9yiOCcnU=
X-Google-Smtp-Source: ABdhPJyjE4hpcA08M7U6MtA+gmBqEFegAK2gJGZILdbcrLNomFVhP5rxp4NFgETIGG3WnhcGeO/iVf9Y3KIhHW7gicI=
X-Received: by 2002:a05:6102:38c:: with SMTP id m12mr12516010vsq.31.1593479661998; Mon, 29 Jun 2020 18:14:21 -0700 (PDT)
MIME-Version: 1.0
References: <7325C546-587D-4CD9-8059-0887C33F3503@cable.comcast.com> <26559974.PdTMpzyJZD@linux-9daj> <18350.1593475069@localhost>
In-Reply-To: <18350.1593475069@localhost>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 29 Jun 2020 21:14:11 -0400
Message-ID: <CADZyTkk4ZqAyRAREBbU9+T8Yr0GUrjhAkVjHqnV-JAcgkf4gwA@mail.gmail.com>
To: Michael Richardson <mcr@sandelman.ca>
Cc: Paul Vixie <paul@redbarn.org>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000035d7d705a942e562"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/nZ--vWqD0iGQVO7WvP2QrAtRs7s>
Subject: Re: [Add] Comparative DoH Discovery DNS RR Types
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2020 01:14:26 -0000

I agree that new RRtypes can be added but I am not convinced we need new
ones for the discovery. What is unclear to me is the use of  HTTPS as
opposed to SVCB for the DNS optionally over HTTP and most of the time over
TLS. I have the feeling that alpn could be used to determine HTTP.

That said RRtype are one aspect but I believe that we should also
agree/discuss what we expect from the discovery. Here are my thoughts on
what the discovery should achieve:

   REQ 1: DRDP MUST enable a DNS client to discover the available
   resolving services with their associated characteristics in order to
   proceed to a selection process.  The selection process takes
   resolving services identities and associated parameters and proceeds
   to the selection.
   Any sort of resolving service selection is outside the scope of DRDP.

   REQ 2: While the discovery process is triggered by the DNS client, a
   third party MUST be able to provide necessary input information so a
   resolving service discovery process can be triggered within a
   specific context.
   Provisioning protocols to provide this information is not as per say
   in scope of DRDP.  DRDP defines the format of the format for such
   input as well as a set of such inputs.

   REQ 3: Any information used in DRDP MUST be authenticated by its
   owner.  In particular, the characteristics associated to the
   resolving service MUST be certified by the resolving service operator
   / owner and MUST be associated a validity period.  In addition, a
   third party providing a set of inputs MUST authenticate that set.

   REQ 4: Information associated to the resolving services is intended
   to enable the selection process that is assumed to match the end user
   or application policy.  The selection process is out of scope of
   DRDP.  Information may carry some characteristics of a resolving
   service or hints that will help the selection.  In particular an
   operator of multiple resolving service MUST be able to associate a
   preference to the proposed resolving services.  To ease automation of
   the selection as well as to make multiple applications benefit from
   DRDP the information MUST be carried over a standardized format.


   REQ 5: DRDP MUST be designed to be used indifferently by a DNS client
   using any DNS transport protocol (Do53, DoT, DoH, ...).  However,
   DRDP SHOULD be able to restrict the information retrieved to a
   certain type of resolving service, i.e. Do53, DoT, DoH.

   REQ 6: DRDP deployment MUST NOT be disruptive for the legacy DNS
   client or infrastructure and legacy client SHOULD be able to
   incrementally include DRDP.


[1] https://datatracker.ietf.org/doc/draft-mglt-add-rdp/

Yours,
Daniel

On Mon, Jun 29, 2020 at 7:58 PM Michael Richardson <mcr@sandelman.ca> wrote:

>
> Paul Vixie <paul@redbarn.org> wrote:
>     >> Just noting far we have a variety of suggestions on CNAME, URI,
> TXT, RESINFO
>     >> and HTTPSSVC (though I don’t think all have I-Ds as yet) - always
> nice to
>     >> see the ideas flowing. :-) As a practical person that in IETF land
> is
>     >> considered an implementer, I naturally feel inclined towards RR
> types that
>     >> already exist as this enables something to be rapidly deployed.
>
>     > the community apparently lacks coherence on the importance of rapid
> deployment
>     > as compared to the importance of technical excellence. if we're not
> going to
>     > add any more new RR types because they take ten years to become
> usable (see
>     > the SPF RR vs. the later _spf TXT RR), we should say that, and close
> the RR
>     > type registry, so as to avoid confusing newcomers.
>
>     > if on the other hand we're going to continue to evolve DNS in ways
> that
>     > include adding new RR types, and all the initiators who are stuck
> behind
>     > dumbass middleboxes who reject or butcher unknown RR types are going
> to fail
>     > hard and be excluded from the new applications and protocols in
> order to put
>     > more pressure on middlebox users/makers/distributors, we should say
> that.
>
>     > either way, nothing is temporary. whatever we use for resolver
>     > discovery will
>
> I'm with Paul. I prefer creating new RR types.
> There aren't that many dumbass middleboxes around, and those that are
> there,
> are usually put there intentionally, and they deserve what they get.
>
> I was among the first who did that back in 2002, and it wasn't that hard.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT
> architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on
> rails    [
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email