Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
Eric Orth <ericorth@google.com> Tue, 28 April 2020 15:06 UTC
Return-Path: <ericorth@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D1F73A168F for <add@ietfa.amsl.com>; Tue, 28 Apr 2020 08:06:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xlaOOe-BSgJF for <add@ietfa.amsl.com>; Tue, 28 Apr 2020 08:06:02 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDADC3A168B for <add@ietf.org>; Tue, 28 Apr 2020 08:06:01 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id j2so25053886wrs.9 for <add@ietf.org>; Tue, 28 Apr 2020 08:06:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h8VA6tH6apjFglyzL28IshL+HXKBpsvH8Jq0BRRMKrQ=; b=Tt2qh76LPw9nFhqAqpxNP+WxVdBzHkmvoZWT/DHgKf+fxnd24gyKwV6OVQkoOgPqPA ihziR9EELTXjEE5n4zGd1H8gQb6uHRl2/hjXmdb9HgYc4hmVZCBXNIAciBYmWkzcQUmd weysHPIEYvmH6hhWjHDRkLs0rGgViCGt6FSvg3YIFeo5hbHyLveunyI9vNoTubAcznDs /4Av0IMmy2r+Ct4TnAM3dFdCvfwdgz+edKmovzFkT+lKyQhgW/yk5axxjammXbrhCPxo ASI4/9GFCg4p2/N8ZV+U3bhC1vEuwZ5nMkqgqRw2Uj6plUMW3MIcl+taBUwz+f0ISZnm QevQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h8VA6tH6apjFglyzL28IshL+HXKBpsvH8Jq0BRRMKrQ=; b=PdQ4kFj97RvUSQhHOf0wiP1s75LFp7LsMdcDteCF2fhrTTQrJoU1OLn8Rpeg+NcVki QwEYmQqJY+BdissP0nmH2Vg/pJTFvCLJ6eGTutKBANjcuTDcRY/hyViNOFE+Kuhj376t W8pKHb3Ul455FqR54EJct+ay++0bA2DTX5n7Y8Rg4ubL/+xbMuEyRsyF8KNW5xtxBI1K jqYPpF5zH3RYUcDd6YMdUlmdmwBEfu0l2r+/NWuq0jyVhmWs6nbL6FKfssyj99LUFz4c jgiWCeROBStftzrMMyaxnsojDOXrWDxUJu7uN7UYraGlltkkd0DsmxYlnNn+s+6KIgpX Dzgg==
X-Gm-Message-State: AGi0PubV4tA0HDe4qeiWd3j6xbZq6J/daZL01GVSaUCjOPz4ZHcwerpd zjv2WjJliyr6YpOgP8CNDF1JK5sGfE1HktyyGKUn3gdk
X-Google-Smtp-Source: APiQypIUZvsJ33HKApSwP0psy00UxBlLClWUl+wgedg2w6Uhw07wzXdgAjwW4aeU9yzxNgVKgnKc/xZYuXeKXgr4THM=
X-Received: by 2002:adf:f450:: with SMTP id f16mr33565517wrp.346.1588086359838; Tue, 28 Apr 2020 08:05:59 -0700 (PDT)
MIME-Version: 1.0
References: <E1091705-3E44-4284-AFE3-824052FBF5C2@icann.org> <CAFpG3gebD-O0zzb7q-37gT-FWi9qC0owhxPkf1yARHq3CvjczQ@mail.gmail.com> <CAMOjQcHtqBTPfCC=VbspbCbeuB9kfSEMR6CJh0ZEBOoS1sOJWQ@mail.gmail.com>
In-Reply-To: <CAMOjQcHtqBTPfCC=VbspbCbeuB9kfSEMR6CJh0ZEBOoS1sOJWQ@mail.gmail.com>
From: Eric Orth <ericorth@google.com>
Date: Tue, 28 Apr 2020 11:05:48 -0400
Message-ID: <CAMOjQcHumQ1-CJww-5=mf2AtxcyN75b0cujjo7xitF24oGPTQA@mail.gmail.com>
To: ADD Mailing list <add@ietf.org>
Cc: Paul Hoffman <paul.hoffman@icann.org>
Content-Type: multipart/alternative; boundary="0000000000005a4ec805a45b2b4b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/rwNybl2Q_cS_9HmPj5p5so7AKzA>
Subject: Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 15:06:05 -0000
And another point regarding DNS vs HTTP mechanisms: Is there any concerns regarding clients with DoH/DoT stubs but that rely on getaddrinfo() from the system for Classic DNS? Would HTTP be more palatable for those clients? Then again, if a client has a full DoH/DoT implementation, maybe easier for them to add a Classic DNS implementation than it would be for many recursives to add an HTTPS server. On Tue, Apr 28, 2020 at 10:59 AM Eric Orth <ericorth@google.com> wrote: > I generally support both documents and would support ADD adoption. > > Re draft-pp-add-stub-upgrade: I do worry that it goes a little bit too far > into "policy" in laying out a specific algorithm, even if it's full of > options to allow clients to choose their own behavior. Might be better if > framed more explicitly as a "descriptive example" rather than the > prescriptive way to implement it. But I find the draft overall helpful > just for clearly laying out both the opportunistic DoT and the DoH resinfo > tag. > > Re draft-pp-add-resinfo: Definitely think this is the best overall draft > we have for the common problem of retrieving resolver information. I'm > personally conflicted on the HTTP-based mechanism. Others have made some > solid arguments against it already in this thread, but I would be sad to > lose our best option for a secure mechanism. It's correct that the DNS IP > address typically comes from insecure DHCP, but in many cases that is only > exposed on the limited local network or maybe the IP was set on the machine > rather than using DHCP, so the resinfo messages could sometimes (often?) > have a much bigger exposure. Then again, since the internet seems not > quite ready for CAs to widely give certs for IP addresses, maybe it would > be best to remove it from this draft and create a new draft in the future > once the mechanism becomes more viable. > > On Tue, Apr 28, 2020 at 10:19 AM tirumal reddy <kondtir@gmail.com> wrote: > >> Are you planning to replace >> https://tools.ietf.org/html/draft-ietf-dnsop-resolver-information-01 >> with draft-pp-add-resinfo ? >> >> -Tiru >> >> On Fri, 24 Apr 2020 at 22:16, Paul Hoffman <paul..hoffman@icann.org >> <paul.hoffman@icann.org>> wrote: >> >>> Greetings again. We have just published two drafts, >>> draft-pp-add-stub-upgrade and draft-pp-add-resinfo, to address the easier >>> problem that this WG wanted to tackle, namely how a stub can upgrade from >>> plain DNS to encrypted DNS for the resolver it is currently using. The >>> method in draft-pp-add-stub-upgrade is quite simple, but it includes all of >>> the variables that we have heard in the discussion over the last year. The >>> format in draft-pp-add-resinfo is the minimum needed for stub upgrade, but >>> will also possibly be useful for the more difficult discovery protocols >>> being discussed in the WG. >>> >>> Please let us know if you find these documents useful for the discussion >>> of direct upgrade instead of discovery. Also, please let us know if we have >>> missed any salient points. If so, we could ask the chairs to make these >>> into WG documents. >>> >>> --Paul Hoffman and Puneet Sood >>> >>> https://datatracker.ietf.org/doc/draft-pp-add-stub-upgrade/ >>> >>> Name: draft-pp-add-stub-upgrade >>> Revision: 00 >>> Title: Upgrading Communication from Stub Resolvers to DoT or DoH >>> Document date: 2020-04-24 >>> Group: Individual Submission >>> Pages: 7 >>> >>> Abstract: >>> This document describes methods for a DNS stub resolver to upgrade >>> its communications with a known recursive resolver to include >>> encrytion using DoT or DoH. This protocol is designed for the >>> scenario where the stub resolver already has the IP address of the >>> recursive resolver. >>> >>> Other protocols under develpment address scenarios where the stub >>> resolver wants to discover recursive resolvers that use DoT or DoH. >>> This document does not cover such discovery. >>> >>> >>> https://datatracker.ietf.org/doc/draft-pp-add-resinfo/ >>> >>> Name: draft-pp-add-resinfo >>> Revision: 00 >>> Title: DNS Resolver Information Self-publication >>> Document date: 2020-04-24 >>> Group: Individual Submission >>> Pages: 9 >>> >>> Abstract: >>> This document describes methods for DNS resolvers to self-publish >>> information about themselves. The information is returned as a JSON >>> object. The names in this object are defined in an IANA registry >>> that allows for light-weight registration. Applications and >>> operating systems can use the methods defined here to get the >>> information from resolvers in order to make choices about how to send >>> future queries to those resolvers. >>> >>> -- >>> Add mailing list >>> Add@ietf.org >>> https://www.ietf.org/mailman/listinfo/add >>> >> -- >> Add mailing list >> Add@ietf.org >> https://www.ietf.org/mailman/listinfo/add >> >
- [Add] Drafts on upgrading stub-to-resolver commun… Paul Hoffman
- Re: [Add] Drafts on upgrading stub-to-resolver co… Ben Schwartz
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Paul Hoffman
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Eric Rescorla
- Re: [Add] Drafts on upgrading stub-to-resolver co… Mike Bishop
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Mike Bishop
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Eric Rescorla
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Ben Schwartz
- Re: [Add] Drafts on upgrading stub-to-resolver co… Vittorio Bertola
- Re: [Add] Drafts on upgrading stub-to-resolver co… tirumal reddy
- Re: [Add] Drafts on upgrading stub-to-resolver co… Eric Orth
- Re: [Add] Drafts on upgrading stub-to-resolver co… Eric Orth