IETF Logo Mail Archive

Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted

Mike Bishop <mbishop@evequefou.be> Fri, 24 April 2020 19:08 UTC

Return-Path: <mbishop@evequefou.be>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9788A3A07F7 for <add@ietfa.amsl.com>; Fri, 24 Apr 2020 12:08:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=evequefou.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEcSrl-2mIOt for <add@ietfa.amsl.com>; Fri, 24 Apr 2020 12:08:31 -0700 (PDT)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680105.outbound.protection.outlook.com [40.107.68.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B8823A07E3 for <add@ietf.org>; Fri, 24 Apr 2020 12:08:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dLUvMmcQR6nM+Ln7/KsrCdDPjQFnmThh8A1F5tlR6MGf8DoniJcqTZOrMxuD+Ac/E9wfnv4ES0TNZXCZJKX9b4EYUtrETthOHXwg8Wo4b+xLS09wD2K0Jcgeli/LpT2Xeng4h0NtT1NjkEEgnNM6y7j2IbYbmMiJKPV0X/J6HCXMlvfW3ZTqwWpVZfTHyhRGXK1jYahUgC3Kq040TwkUz9XdHYXl3pNavlAHnM7aYuJwuFl91FJOqsSsCSNRF+NWUaVot/q4nAQ9sZ3gYbGYcQCfR07rmj4YnLPNeBsOdim42kla+arU3QQmzyFt0qUlu1ZWs8DL+gP4R9ig/z0ytQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4/5UUmcR0ul3n8I93fL37wytzwM1F1FhXpJGGPmYiF0=; b=oC3KYARIa/PJmzt00MKl2DdXD94/vFqG45s4ff3Dz7UB1RBmyECX5Unrf4Q9zCbQ/ChPvw5isDzMvGYvb1NVORvoj7EFkuPpf/WXMVKztGnb3ckXR7Zn4G7Md13KVXXEIP5yq0g4IK4EC5bFc3hW101EH+RkTBD9cMHH6/7Fbts5FCDMw9iYzJZO39fAEHsCOKTY8lRh57ERXGb0v2iTkQXTbjsEMPXwxxU6eFGLu7egCTdiZ5jdWAbj520vCWQZ1C+33i/s4CfsI0yt4fxatFFSa7ROTnVmEpsql/E9OrOthrmG3QUsW7FFUqUsgq4gKjc3UzleWFhvgaE5An/0ng==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=evequefou.be; dmarc=pass action=none header.from=evequefou.be; dkim=pass header.d=evequefou.be; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evequefou.onmicrosoft.com; s=selector2-evequefou-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4/5UUmcR0ul3n8I93fL37wytzwM1F1FhXpJGGPmYiF0=; b=DvZ6aviplVoBFPGuTDaUGxArFH+vgT1Lro/wOVJvE4XAOcJ37SytRnMWKJYg7CAeoehVAEbq+vuMhy+sJiFv1qmh5tKqs9/5mdDdnHF5ekpYQvukIhCafet1wxKfwO2e+P3xpRP/h6SHSGDYF8Qvhv5siSwlRtPl+xaqwR197dU=
Received: from CH2PR22MB2086.namprd22.prod.outlook.com (2603:10b6:610:8c::8) by CH2PR22MB1813.namprd22.prod.outlook.com (2603:10b6:610:87::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2921.29; Fri, 24 Apr 2020 19:08:28 +0000
Received: from CH2PR22MB2086.namprd22.prod.outlook.com ([fe80::5d05:3b25:6510:2a3d]) by CH2PR22MB2086.namprd22.prod.outlook.com ([fe80::5d05:3b25:6510:2a3d%3]) with mapi id 15.20.2937.020; Fri, 24 Apr 2020 19:08:28 +0000
From: Mike Bishop <mbishop@evequefou.be>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Paul Hoffman <paul.hoffman@icann.org>
CC: ADD Mailing list <add@ietf.org>
Thread-Topic: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
Thread-Index: AQHWGlfDK8eYheQJ4EC4wbCFDoXkXqiIki2AgAAJh5A=
Date: Fri, 24 Apr 2020 19:08:27 +0000
Message-ID: <CH2PR22MB2086EA09411710ABB3FAE13ADAD00@CH2PR22MB2086.namprd22.prod.outlook.com>
References: <E1091705-3E44-4284-AFE3-824052FBF5C2@icann.org> <CAHbrMsCdch3XN9r0t1kNGPtQv3ctXBH49QOJOsktHth-2WNEfQ@mail.gmail.com>
In-Reply-To: <CAHbrMsCdch3XN9r0t1kNGPtQv3ctXBH49QOJOsktHth-2WNEfQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mbishop@evequefou.be;
x-originating-ip: [2600:2b00:930c:7701:19c4:8529:2c6c:fb0a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: dad7489e-bc7d-47e0-ce80-08d7e882defa
x-ms-traffictypediagnostic: CH2PR22MB1813:
x-microsoft-antispam-prvs: <CH2PR22MB18130AB6EC3E1EEED12C52D9DAD00@CH2PR22MB1813.namprd22.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03838E948C
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR22MB2086.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(39830400003)(396003)(366004)(136003)(346002)(376002)(66946007)(316002)(9686003)(52536014)(66446008)(55016002)(66556008)(6506007)(53546011)(64756008)(81156014)(8676002)(8936002)(71200400001)(966005)(7696005)(5660300002)(110136005)(86362001)(76116006)(33656002)(66476007)(2906002)(186003)(508600001)(4326008); DIR:OUT; SFP:1102;
received-spf: None (protection.outlook.com: evequefou.be does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SppIEgRo9AKyug3P+tq+GSI66jvzi5OiDMU26+AwmloWg+LE4+MyIFdv4nfEkP4uI/zsnWdxm+FA43ODjtE2XMyZz6Z+Nigd8kKIoeWQalT8IwAbk1TH791h3acpLsyFACgplR0s796kJ0LoiLCa1fN2p9j0EaACCM9x7VD5sVCsMzkPOWaqRvrh76Yj/7GF4UzjOVAAdcEt4E0xLybsVu8UBZyJFPl9WZofURJxpgh0j6NkYrAUHSvH8R9aKdOGEGfPEzxhvY15NYRw0ZGYt/zsxJgP8mPiYJ0O3tlGvhWPwqeH8ZetKFTIm8eBW6VRQW0CmTYIGwXAhTBEX9CuH+8a97t94WCzDeix0XU08OV1JPr5HpTSuecOj93gbApvP1rgbl5r9BAnG0ijT6sZLhOF7PzMp1C2+t57F5Y9Lakk7lKqVjmAPv//s5cb/nDUInQp50sfBRgFWeH8YzKhruSZw95R2SkfruClWOQwxTgJwD9lM7exOo52mv7SjylWcSQSApksM0GyEELqimEdzQ==
x-ms-exchange-antispam-messagedata: pGxVaURQsAQSErh1UAFKb+44iPJv2eNPYI9Kh0+CKIRjyCFYbOLmGBj1XgwL5TwwTk2CcMI1cY2l6O8TqBfciNumjQ+zSYbHU/oXoIjIcQmpNGKS0Kb6aDy4cNN17fEMDgp6dM7lZ7Q0UWee9MxccQbaAkmS01jgqtPZvpJ2dWXVzk3GINagWOmX2XirKTBaUilttOugFu6x3V1yrlmS6mFn9wsRaXA/rqatOybNR7UkyOsq+jN9UMmHD3c9Wrn1+KB1oteLyydYEHYLgsE33QDsUbK+1o9WsUyIUijfagQJr0JCyv1Z+5iMH3V35P9yev/yZgdITIt3wDxyhgIa/k2wVxI4qplwppoUN9ReGVB6+n1PXsNxbZwlD0D1i8GbjKSiOb4pbpj5Szd7RN77iZQ4Clt0M+D6+burLhedY+gUpENyFL5KjBTwNh60btBmO5wgbs6LKKXcr2HNX4nValmcZ38ME/ExLdTK43VF3ED6AzvvMG48kuGbQ7u7nhtRDt1e7/imzCArQK5zFHrYr2sFKgT6dwiYwdvP2970HbtRQzgvyg3PxFYIte65wLFejAOty7wsGZdgq8Gmhk7QcvyZucnQ32JSeROWAi9ZjPfGUTV5uC2wCyIGzAlSkHReFVuTE5fNp7yF25E6dt//i/haqW+M8aYwdbQIXKQ82Opq7gjZmXB2cjIS1+GYVSWGRwTzcKXI/nZdkRrzzPy4zDZioLnbKAZeHNPXlsiJGNgfomD45lVcaeewFby6cgFWzHONyGmG8z2V/ibHgXfdEm1npqyDhf4YG7MJYPTwTp3EK0wu0O6PMhKJKUZlm74mz70BHC6kfmOkuMV/k/FNy3eR7OWRiYTCNeA7mONN+2H8lW9marlbcEI6zzYihVaR
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR22MB2086EA09411710ABB3FAE13ADAD00CH2PR22MB2086namp_"
MIME-Version: 1.0
X-OriginatorOrg: evequefou.be
X-MS-Exchange-CrossTenant-Network-Message-Id: dad7489e-bc7d-47e0-ce80-08d7e882defa
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Apr 2020 19:08:27.9032 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +plmB/pViLhO/0rLPX0Ryg8PGltXWUQyCaFAN65XCY7D93WgzL7ThBcL1hcobIAlKCNs+h/FDcsJFo1V0SDpvw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR22MB1813
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/D6pQOoXtQV_gfiSdTqyyDo2G40c>
Subject: Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 19:08:35 -0000

I also think RESINFO looks promising.  Publishing DoT and/or DoH endpoints on that resolver seems the obvious next step, and I was surprised that the document didn’t define elements to declare those capabilities.  The DNS record piece seems useful for recursive-to-authoritative as well.  If we permit RESINFO records for other names, an authoritative delegation could pass along the RESINFO of the name server it’s delegating to.

The attractions of the HTTPS option are multiple, particularly for stub-to-resolver.  One is a way to validate the connection to the resolver that you think you’re talking to, of course.  Removing the HTTPS option means you’re just trying the endpoints and seeing if they work, which is sub-optimal.  Further, if (as seems likely) the DoH endpoint is at the same host and port, you’ve already established an HTTPS session which could be used to perform DoH, as described in stub-upgrade.  It also enables you to probe a DoH URI you’ve received elsewhere to ensure that the server actually intends to offer DoH at that URI; while you’d expect a DoH request to fail if not, establishing consent is generally a good idea.  I’d be inclined to keep it, all told.

From: Add <add-bounces@ietf.org> On Behalf Of Ben Schwartz
Sent: Friday, April 24, 2020 2:09 PM
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: ADD Mailing list <add@ietf.org>
Subject: Re: [Add] Drafts on upgrading stub-to-resolver communication to encrypted

Thanks for the updated drafts.  I think RESINFO is the most promising path for resolver upgrade, and I'd like to see it implemented.

The one major change I suggest is to remove the entire HTTPS mechanism from the RESINFO draft.  This mechanism creates a great deal of complexity, doesn't follow good practices for HTTPS, and doesn't obviously enable any additional use cases.  Having multiple competing mechanisms also makes interoperability less likely.

If "in-band" RESINFO proves insufficient, an HTTPS-based mechanism could always be added in a later draft.

On Fri, Apr 24, 2020 at 12:46 PM Paul Hoffman <paul.hoffman@icann.org<mailto:paul.hoffman@icann.org>> wrote:
Greetings again. We have just published two drafts, draft-pp-add-stub-upgrade and draft-pp-add-resinfo, to address the easier problem that this WG wanted to tackle, namely how a stub can upgrade from plain DNS to encrypted DNS for the resolver it is currently using. The method in draft-pp-add-stub-upgrade is quite simple, but it includes all of the variables that we have heard in the discussion over the last year.. The format in draft-pp-add-resinfo is the minimum needed for stub upgrade, but will also possibly be useful for the more difficult discovery protocols being discussed in the WG.

Please let us know if you find these documents useful for the discussion of direct upgrade instead of discovery. Also, please let us know if we have missed any salient points. If so, we could ask the chairs to make these into WG documents.

--Paul Hoffman and Puneet Sood

https://datatracker.ietf.org/doc/draft-pp-add-stub-upgrade/

Name:           draft-pp-add-stub-upgrade
Revision:       00
Title:          Upgrading Communication from Stub Resolvers to DoT or DoH
Document date:  2020-04-24
Group:          Individual Submission
Pages:          7

Abstract:
  This document describes methods for a DNS stub resolver to upgrade
  its communications with a known recursive resolver to include
  encrytion using DoT or DoH.  This protocol is designed for the
  scenario where the stub resolver already has the IP address of the
  recursive resolver.

  Other protocols under develpment address scenarios where the stub
  resolver wants to discover recursive resolvers that use DoT or DoH.
  This document does not cover such discovery.


https://datatracker.ietf.org/doc/draft-pp-add-resinfo/

Name:           draft-pp-add-resinfo
Revision:       00
Title:          DNS Resolver Information Self-publication
Document date:  2020-04-24
Group:          Individual Submission
Pages:          9

Abstract:
  This document describes methods for DNS resolvers to self-publish
  information about themselves.  The information is returned as a JSON
  object.  The names in this object are defined in an IANA registry
  that allows for light-weight registration.  Applications and
  operating systems can use the methods defined here to get the
  information from resolvers in order to make choices about how to send
  future queries to those resolvers.

--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email