Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
Mike Bishop <mbishop@evequefou.be> Fri, 24 April 2020 19:08 UTC
Return-Path: <mbishop@evequefou.be>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9788A3A07F7 for <add@ietfa.amsl.com>; Fri, 24 Apr 2020 12:08:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=evequefou.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEcSrl-2mIOt for <add@ietfa.amsl.com>; Fri, 24 Apr 2020 12:08:31 -0700 (PDT)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680105.outbound.protection.outlook.com [40.107.68.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B8823A07E3 for <add@ietf.org>; Fri, 24 Apr 2020 12:08:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dLUvMmcQR6nM+Ln7/KsrCdDPjQFnmThh8A1F5tlR6MGf8DoniJcqTZOrMxuD+Ac/E9wfnv4ES0TNZXCZJKX9b4EYUtrETthOHXwg8Wo4b+xLS09wD2K0Jcgeli/LpT2Xeng4h0NtT1NjkEEgnNM6y7j2IbYbmMiJKPV0X/J6HCXMlvfW3ZTqwWpVZfTHyhRGXK1jYahUgC3Kq040TwkUz9XdHYXl3pNavlAHnM7aYuJwuFl91FJOqsSsCSNRF+NWUaVot/q4nAQ9sZ3gYbGYcQCfR07rmj4YnLPNeBsOdim42kla+arU3QQmzyFt0qUlu1ZWs8DL+gP4R9ig/z0ytQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4/5UUmcR0ul3n8I93fL37wytzwM1F1FhXpJGGPmYiF0=; b=oC3KYARIa/PJmzt00MKl2DdXD94/vFqG45s4ff3Dz7UB1RBmyECX5Unrf4Q9zCbQ/ChPvw5isDzMvGYvb1NVORvoj7EFkuPpf/WXMVKztGnb3ckXR7Zn4G7Md13KVXXEIP5yq0g4IK4EC5bFc3hW101EH+RkTBD9cMHH6/7Fbts5FCDMw9iYzJZO39fAEHsCOKTY8lRh57ERXGb0v2iTkQXTbjsEMPXwxxU6eFGLu7egCTdiZ5jdWAbj520vCWQZ1C+33i/s4CfsI0yt4fxatFFSa7ROTnVmEpsql/E9OrOthrmG3QUsW7FFUqUsgq4gKjc3UzleWFhvgaE5An/0ng==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=evequefou.be; dmarc=pass action=none header.from=evequefou.be; dkim=pass header.d=evequefou.be; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evequefou.onmicrosoft.com; s=selector2-evequefou-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4/5UUmcR0ul3n8I93fL37wytzwM1F1FhXpJGGPmYiF0=; b=DvZ6aviplVoBFPGuTDaUGxArFH+vgT1Lro/wOVJvE4XAOcJ37SytRnMWKJYg7CAeoehVAEbq+vuMhy+sJiFv1qmh5tKqs9/5mdDdnHF5ekpYQvukIhCafet1wxKfwO2e+P3xpRP/h6SHSGDYF8Qvhv5siSwlRtPl+xaqwR197dU=
Received: from CH2PR22MB2086.namprd22.prod.outlook.com (2603:10b6:610:8c::8) by CH2PR22MB1813.namprd22.prod.outlook.com (2603:10b6:610:87::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2921.29; Fri, 24 Apr 2020 19:08:28 +0000
Received: from CH2PR22MB2086.namprd22.prod.outlook.com ([fe80::5d05:3b25:6510:2a3d]) by CH2PR22MB2086.namprd22.prod.outlook.com ([fe80::5d05:3b25:6510:2a3d%3]) with mapi id 15.20.2937.020; Fri, 24 Apr 2020 19:08:28 +0000
From: Mike Bishop <mbishop@evequefou.be>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Paul Hoffman <paul.hoffman@icann.org>
CC: ADD Mailing list <add@ietf.org>
Thread-Topic: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
Thread-Index: AQHWGlfDK8eYheQJ4EC4wbCFDoXkXqiIki2AgAAJh5A=
Date: Fri, 24 Apr 2020 19:08:27 +0000
Message-ID: <CH2PR22MB2086EA09411710ABB3FAE13ADAD00@CH2PR22MB2086.namprd22.prod.outlook.com>
References: <E1091705-3E44-4284-AFE3-824052FBF5C2@icann.org> <CAHbrMsCdch3XN9r0t1kNGPtQv3ctXBH49QOJOsktHth-2WNEfQ@mail.gmail.com>
In-Reply-To: <CAHbrMsCdch3XN9r0t1kNGPtQv3ctXBH49QOJOsktHth-2WNEfQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mbishop@evequefou.be;
x-originating-ip: [2600:2b00:930c:7701:19c4:8529:2c6c:fb0a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: dad7489e-bc7d-47e0-ce80-08d7e882defa
x-ms-traffictypediagnostic: CH2PR22MB1813:
x-microsoft-antispam-prvs: <CH2PR22MB18130AB6EC3E1EEED12C52D9DAD00@CH2PR22MB1813.namprd22.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03838E948C
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR22MB2086.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(39830400003)(396003)(366004)(136003)(346002)(376002)(66946007)(316002)(9686003)(52536014)(66446008)(55016002)(66556008)(6506007)(53546011)(64756008)(81156014)(8676002)(8936002)(71200400001)(966005)(7696005)(5660300002)(110136005)(86362001)(76116006)(33656002)(66476007)(2906002)(186003)(508600001)(4326008); DIR:OUT; SFP:1102;
received-spf: None (protection.outlook.com: evequefou.be does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SppIEgRo9AKyug3P+tq+GSI66jvzi5OiDMU26+AwmloWg+LE4+MyIFdv4nfEkP4uI/zsnWdxm+FA43ODjtE2XMyZz6Z+Nigd8kKIoeWQalT8IwAbk1TH791h3acpLsyFACgplR0s796kJ0LoiLCa1fN2p9j0EaACCM9x7VD5sVCsMzkPOWaqRvrh76Yj/7GF4UzjOVAAdcEt4E0xLybsVu8UBZyJFPl9WZofURJxpgh0j6NkYrAUHSvH8R9aKdOGEGfPEzxhvY15NYRw0ZGYt/zsxJgP8mPiYJ0O3tlGvhWPwqeH8ZetKFTIm8eBW6VRQW0CmTYIGwXAhTBEX9CuH+8a97t94WCzDeix0XU08OV1JPr5HpTSuecOj93gbApvP1rgbl5r9BAnG0ijT6sZLhOF7PzMp1C2+t57F5Y9Lakk7lKqVjmAPv//s5cb/nDUInQp50sfBRgFWeH8YzKhruSZw95R2SkfruClWOQwxTgJwD9lM7exOo52mv7SjylWcSQSApksM0GyEELqimEdzQ==
x-ms-exchange-antispam-messagedata: pGxVaURQsAQSErh1UAFKb+44iPJv2eNPYI9Kh0+CKIRjyCFYbOLmGBj1XgwL5TwwTk2CcMI1cY2l6O8TqBfciNumjQ+zSYbHU/oXoIjIcQmpNGKS0Kb6aDy4cNN17fEMDgp6dM7lZ7Q0UWee9MxccQbaAkmS01jgqtPZvpJ2dWXVzk3GINagWOmX2XirKTBaUilttOugFu6x3V1yrlmS6mFn9wsRaXA/rqatOybNR7UkyOsq+jN9UMmHD3c9Wrn1+KB1oteLyydYEHYLgsE33QDsUbK+1o9WsUyIUijfagQJr0JCyv1Z+5iMH3V35P9yev/yZgdITIt3wDxyhgIa/k2wVxI4qplwppoUN9ReGVB6+n1PXsNxbZwlD0D1i8GbjKSiOb4pbpj5Szd7RN77iZQ4Clt0M+D6+burLhedY+gUpENyFL5KjBTwNh60btBmO5wgbs6LKKXcr2HNX4nValmcZ38ME/ExLdTK43VF3ED6AzvvMG48kuGbQ7u7nhtRDt1e7/imzCArQK5zFHrYr2sFKgT6dwiYwdvP2970HbtRQzgvyg3PxFYIte65wLFejAOty7wsGZdgq8Gmhk7QcvyZucnQ32JSeROWAi9ZjPfGUTV5uC2wCyIGzAlSkHReFVuTE5fNp7yF25E6dt//i/haqW+M8aYwdbQIXKQ82Opq7gjZmXB2cjIS1+GYVSWGRwTzcKXI/nZdkRrzzPy4zDZioLnbKAZeHNPXlsiJGNgfomD45lVcaeewFby6cgFWzHONyGmG8z2V/ibHgXfdEm1npqyDhf4YG7MJYPTwTp3EK0wu0O6PMhKJKUZlm74mz70BHC6kfmOkuMV/k/FNy3eR7OWRiYTCNeA7mONN+2H8lW9marlbcEI6zzYihVaR
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR22MB2086EA09411710ABB3FAE13ADAD00CH2PR22MB2086namp_"
MIME-Version: 1.0
X-OriginatorOrg: evequefou.be
X-MS-Exchange-CrossTenant-Network-Message-Id: dad7489e-bc7d-47e0-ce80-08d7e882defa
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Apr 2020 19:08:27.9032 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +plmB/pViLhO/0rLPX0Ryg8PGltXWUQyCaFAN65XCY7D93WgzL7ThBcL1hcobIAlKCNs+h/FDcsJFo1V0SDpvw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR22MB1813
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/D6pQOoXtQV_gfiSdTqyyDo2G40c>
Subject: Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 19:08:35 -0000
I also think RESINFO looks promising. Publishing DoT and/or DoH endpoints on that resolver seems the obvious next step, and I was surprised that the document didn’t define elements to declare those capabilities. The DNS record piece seems useful for recursive-to-authoritative as well. If we permit RESINFO records for other names, an authoritative delegation could pass along the RESINFO of the name server it’s delegating to. The attractions of the HTTPS option are multiple, particularly for stub-to-resolver. One is a way to validate the connection to the resolver that you think you’re talking to, of course. Removing the HTTPS option means you’re just trying the endpoints and seeing if they work, which is sub-optimal. Further, if (as seems likely) the DoH endpoint is at the same host and port, you’ve already established an HTTPS session which could be used to perform DoH, as described in stub-upgrade. It also enables you to probe a DoH URI you’ve received elsewhere to ensure that the server actually intends to offer DoH at that URI; while you’d expect a DoH request to fail if not, establishing consent is generally a good idea. I’d be inclined to keep it, all told. From: Add <add-bounces@ietf.org> On Behalf Of Ben Schwartz Sent: Friday, April 24, 2020 2:09 PM To: Paul Hoffman <paul.hoffman@icann.org> Cc: ADD Mailing list <add@ietf.org> Subject: Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted Thanks for the updated drafts. I think RESINFO is the most promising path for resolver upgrade, and I'd like to see it implemented. The one major change I suggest is to remove the entire HTTPS mechanism from the RESINFO draft. This mechanism creates a great deal of complexity, doesn't follow good practices for HTTPS, and doesn't obviously enable any additional use cases. Having multiple competing mechanisms also makes interoperability less likely. If "in-band" RESINFO proves insufficient, an HTTPS-based mechanism could always be added in a later draft. On Fri, Apr 24, 2020 at 12:46 PM Paul Hoffman <paul.hoffman@icann.org<mailto:paul.hoffman@icann.org>> wrote: Greetings again. We have just published two drafts, draft-pp-add-stub-upgrade and draft-pp-add-resinfo, to address the easier problem that this WG wanted to tackle, namely how a stub can upgrade from plain DNS to encrypted DNS for the resolver it is currently using. The method in draft-pp-add-stub-upgrade is quite simple, but it includes all of the variables that we have heard in the discussion over the last year.. The format in draft-pp-add-resinfo is the minimum needed for stub upgrade, but will also possibly be useful for the more difficult discovery protocols being discussed in the WG. Please let us know if you find these documents useful for the discussion of direct upgrade instead of discovery. Also, please let us know if we have missed any salient points. If so, we could ask the chairs to make these into WG documents. --Paul Hoffman and Puneet Sood https://datatracker.ietf.org/doc/draft-pp-add-stub-upgrade/ Name: draft-pp-add-stub-upgrade Revision: 00 Title: Upgrading Communication from Stub Resolvers to DoT or DoH Document date: 2020-04-24 Group: Individual Submission Pages: 7 Abstract: This document describes methods for a DNS stub resolver to upgrade its communications with a known recursive resolver to include encrytion using DoT or DoH. This protocol is designed for the scenario where the stub resolver already has the IP address of the recursive resolver. Other protocols under develpment address scenarios where the stub resolver wants to discover recursive resolvers that use DoT or DoH. This document does not cover such discovery. https://datatracker.ietf.org/doc/draft-pp-add-resinfo/ Name: draft-pp-add-resinfo Revision: 00 Title: DNS Resolver Information Self-publication Document date: 2020-04-24 Group: Individual Submission Pages: 9 Abstract: This document describes methods for DNS resolvers to self-publish information about themselves. The information is returned as a JSON object. The names in this object are defined in an IANA registry that allows for light-weight registration. Applications and operating systems can use the methods defined here to get the information from resolvers in order to make choices about how to send future queries to those resolvers. -- Add mailing list Add@ietf.org<mailto:Add@ietf.org> https://www.ietf.org/mailman/listinfo/add
- [Add] Drafts on upgrading stub-to-resolver commun… Paul Hoffman
- Re: [Add] Drafts on upgrading stub-to-resolver co… Ben Schwartz
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Paul Hoffman
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Eric Rescorla
- Re: [Add] Drafts on upgrading stub-to-resolver co… Mike Bishop
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Mike Bishop
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Eric Rescorla
- Re: [Add] [Ext] Drafts on upgrading stub-to-resol… Ben Schwartz
- Re: [Add] Drafts on upgrading stub-to-resolver co… Vittorio Bertola
- Re: [Add] Drafts on upgrading stub-to-resolver co… tirumal reddy
- Re: [Add] Drafts on upgrading stub-to-resolver co… Eric Orth
- Re: [Add] Drafts on upgrading stub-to-resolver co… Eric Orth