Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
Vittorio Bertola <vittorio.bertola@open-xchange.com> Mon, 27 April 2020 14:55 UTC
Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DD2F3A0C29 for <add@ietfa.amsl.com>; Mon, 27 Apr 2020 07:55:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CHKnqPTAYol6 for <add@ietfa.amsl.com>; Mon, 27 Apr 2020 07:55:25 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADD693A0C28 for <add@ietf.org>; Mon, 27 Apr 2020 07:55:23 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx4.open-xchange.com (Postfix) with ESMTPS id BC4C36A267; Mon, 27 Apr 2020 16:55:19 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1587999319; bh=KOk7q5CJIkFb2jBANNdEu9jNw8s9sDZPeuVKV7A2mFs=; h=Date:From:To:In-Reply-To:References:Subject:From; b=0BL92FKmJouVS1glGRMJXIbD02mWSNqh8hgzNPUmWO+3nRZp+2yH3364Y4gYNRyDs sHKt6jvPpdzV5JWZ40P9xoKKcpebcnVjHJdSODTNvC1NT78aSvQd9cUTuW+xkIOl8L aZ7JyBe22wG6rNDPy0JEeYFXbkN8NLRODWtUXJHOBhdOO6f1QtXbo2+IcM0OILLsi5 tKng/Cw6rgF27mek4WpnIzCOy0wJV2Ofvu/ineIhWudVaTxIdI//EL6ccknn/d/QDY z1i7jczgDidrvdZxcmqrCWYK5lHQiPocRJBEvcO90EXtc8H4SBjUg0t8L7aV38BZhP uJLQ27zRW4PlA==
Received: from appsuite-gw2.open-xchange.com (appsuite-gw2.open-xchange.com [10.20.28.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id AD6D83C0536; Mon, 27 Apr 2020 16:55:19 +0200 (CEST)
Date: Mon, 27 Apr 2020 16:55:19 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Paul Hoffman <paul.hoffman@icann.org>, ADD Mailing list <add@ietf.org>
Message-ID: <227920378.4548.1587999319612@appsuite-gw2.open-xchange.com>
In-Reply-To: <E1091705-3E44-4284-AFE3-824052FBF5C2@icann.org>
References: <E1091705-3E44-4284-AFE3-824052FBF5C2@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.3-Rev8
X-Originating-Client: open-xchange-appsuite
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/rYWrS9Fy2p-Q9A0j9RV42z2TDBU>
Subject: Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 14:55:27 -0000
> Il 24/04/2020 18:45 Paul Hoffman <paul.hoffman@icann.org> ha scritto: > > Please let us know if you find these documents useful for the discussion of direct upgrade instead of discovery. Also, please let us know if we have missed any salient points. If so, we could ask the chairs to make these into WG documents. Thanks for doing this and I support adoption at least for the resinfo draft. On the resinfo draft, I want to support other comments saying that the HTTP-based mechanism should be removed. As an implementer, having two alternative methods means that you possibly have to implement and maintain both, doubling the work and the potential number of issues. I get the point that some clients already speak HTTPS and so why not use it, but there is the other point that all resolvers must speak DNS, so using DNS is the easiest path to widespread implementation on the server side. Not all resolvers will support DoH, so they would have to implement and run an HTTP server just to answer possible discovery queries, since there is no guarantee that even a client willing to speak DoT or DNS will not use the HTTP-based discovery mechanism. Even resolver platforms that implement DoH are often doing so by adding a separate layer of front-end HTTP termination servers that convert the messages into DNS queries to the actual resolver, so the resolver itself does not run an HTTP server over its own IP address (the one that the user's system already knows and that would go into the well-known URI), and would have to add one just to this purpose. Moreover, while the DNS-based mechanism can work with forwarders, including home network CPEs, the HTTP-based one would end up making the request not to the actual resolver but to the CPE. This would entail modifying all CPEs (which is a daunting task that takes years in most big operator environments) and having them relay the HTTP request in some way to the resolver platform (which needs to be implemented). The DNS-based mechanism, instead, is much more straightforward - it automatically follows the same path that the queries will follow, and so it will reach the correct resolver. Thanks for removing the reverse IP address in the queried domain name, which created problems in the CPE scenario above. I would still like to hear opinions on the classic "new RRTYPE vs TXT record" discussion, as I do not know whether adopting a new RRTYPE would hinder quick support, while TXT records can safely work right now almost in any scenario. Regarding the second draft: I think it would benefit from a presentation before commenting. Anyway, I was a bit surprised by the fact that it seems to prescribe an algorithm (though configurable) for clients to decide which transport to use. I would rather expect a mechanism that allows clients to retrieve a known unencrypted resolver's equivalent DoT and/or DoH endpoints, through any of the methods supported in draft-resinfo (though, as I said, I really hope we will just end up with the DNS one), and then, what the client does with that information is none of our business. Anyway, thanks for the work and I look forward to more discussion. -- Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@open-xchange.com Office @ Via Treviso 12, 10144 Torino, Italy
- [Add] Drafts on upgrading stub-to-resolver commun… Paul Hoffman
- Re: [Add] Drafts on upgrading stub-to-resolver co… Ben Schwartz
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Paul Hoffman
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Eric Rescorla
- Re: [Add] Drafts on upgrading stub-to-resolver co… Mike Bishop
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Mike Bishop
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Eric Rescorla
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Ben Schwartz
- Re: [Add] Drafts on upgrading stub-to-resolver co… Vittorio Bertola
- Re: [Add] Drafts on upgrading stub-to-resolver co… tirumal reddy
- Re: [Add] Drafts on upgrading stub-to-resolver co… Eric Orth
- Re: [Add] Drafts on upgrading stub-to-resolver co… Eric Orth