Re: [Add] [EXTERNAL] My single use case

Andrew Campling <andrew.campling@419.consulting> Mon, 14 September 2020 17:06 UTC

From: Andrew Campling <andrew.campling@419.consulting>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>, Daniel Migault <mglt.ietf@gmail.com>
CC: "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] [EXTERNAL] My single use case
Thread-Index: AQHWirf4lWYNn860gkeJPDgecfdtaaloXF9w
Date: Mon, 14 Sep 2020 17:06:08 +0000
Message-ID: <LO2P265MB05739BE2C40AB97DCB8588F2C2230@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM>
References: <d4bd287a-d2ce-40cd-b635-4f74efbc77f6@www.fastmail.com> <DM6PR00MB07815F5B6F43F63DB23485A7FA271@DM6PR00MB0781.namprd00.prod.outlook.com> <CAHbrMsBduVj7fzutp9x7rYpXo6wLUK7-Pe4VvDHaF45dj==PYQ@mail.gmail.com> <CADZyTkmeYXNiL1yt1FUdKRS=mAmde4gkbu7wkn+HBFEPcdV-4g@mail.gmail.com> <2114958553.1165.1600102557668@appsuite-gw2.open-xchange.com>
In-Reply-To: <2114958553.1165.1600102557668@appsuite-gw2.open-xchange.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_LO2P265MB05739BE2C40AB97DCB8588F2C2230LO2P265MB0573GBRP_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 2f5b8024-810b-41fa-2a60-08d858d07978
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Sep 2020 17:06:08.6106 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c2ced3e-7522-4755-87dc-f983abc66ec3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: eSznUfH7uVJNHf7NBkAYn5wMp/7WCAn2dOTYXF/11YS+s7wQmTcyXhhGtIjjZHQ25V6CCVGzG1KZ1nvmxcPprGZqLV3M6i5Bk1ZQiagz+jA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO3P265MB2268
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/RFDTG482QtkGivlhgmJ6tmoTgUg>
Subject: Re: [Add] [EXTERNAL] My single use case
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 17:06:13 -0000

On 14/09/2020 17:56 Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:

> For the use case of "same-provider auto-upgrade" as currently implemented, being sure that a given
> DoH resolver really corresponds to the currently active Do53 system resolver would suffice, even if
> you were not able to authenticate who is actually operating those two resolvers. (This is different
> from "same-provider auto-upgrade only for selected trusted providers", which requires a hardcoded
> list of trusted providers in the client, but as far as I understand the objective is to get rid of
> hardcoded lists altogether.)
>
> For this purpose, we could simply use a TLSA record. The Do53 resolver would provide a TLSA record
> together with the RESINFO/TXT/whatever response to the discovery query, and when establishing
> the DoH connection, the client would validate the certificate against the TLSA record. If you add
> DNSSEC to the Do53 communication, this should be a secure process. Could this work?

This seems like a reasonable proposal, especially with the addition of DNSSEC.

Andrew

[Add] My single use case Martin Thomson
Re: [Add] [EXTERNAL] My single use case Tommy Jensen
Re: [Add] My single use case Chris Box (BT)
Re: [Add] [EXTERNAL] My single use case Jim Reid
Re: [Add] [EXTERNAL] My single use case Robert Mortimer
[Add] Zone ownership in DNS server discovery Tommy Jensen
Re: [Add] [EXTERNAL] My single use case Ben Schwartz
Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
Re: [Add] Zone ownership in DNS server discovery Tommy Jensen
Re: [Add] Zone ownership in DNS server discovery Vinny Parla (vparla)
Re: [Add] [EXTERNAL] My single use case Martin Thomson
Re: [Add] My single use case Martin Thomson
Re: [Add] My single use case tirumal reddy
Re: [Add] Zone ownership in DNS server discovery tirumal reddy
Re: [Add] Zone ownership in DNS server discovery Vittorio Bertola
Re: [Add] Zone ownership in DNS server discovery Joe Abley
Re: [Add] My single use case Eric Rescorla
Re: [Add] My single use case tirumal reddy
Re: [Add] My single use case Eric Rescorla
Re: [Add] [Ext] My single use case Paul Hoffman
Re: [Add] [Ext] My single use case tirumal reddy
Re: [Add] [Ext] My single use case Eric Rescorla
Re: [Add] [EXTERNAL] Re: [Ext] My single use case Geist, Dan (CCI-Atlanta)
Re: [Add] [EXTERNAL] Re: Zone ownership in DNS se… Tommy Jensen
Re: [Add] [EXTERNAL] My single use case Tommy Jensen
Re: [Add] [EXTERNAL] My single use case Martin Thomson
Re: [Add] [Ext] My single use case tirumal reddy
Re: [Add] [EXTERNAL] My single use case tirumal reddy
Re: [Add] [Ext] My single use case Eric Rescorla
Re: [Add] [EXTERNAL] My single use case Daniel Migault
Re: [Add] My single use case Daniel Migault
Re: [Add] [EXTERNAL] My single use case Vittorio Bertola
Re: [Add] [EXTERNAL] My single use case Andrew Campling
Re: [Add] My single use case Steffen Nurpmeso
Re: [Add] [EXTERNAL] My single use case Daniel Migault
Re: [Add] [Ext] My single use case tirumal reddy
Re: [Add] [EXTERNAL] My single use case Tommy Jensen