Re: [dns-privacy] Discovery of DNS over (not 53) and ALPN
"Martin Thomson" <mt@lowentropy.net> Mon, 16 December 2019 00:36 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 041AD120059 for <dns-privacy@ietfa.amsl.com>; Sun, 15 Dec 2019 16:36:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=AFgnlGvE; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=mtO2khvY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C0K46QMN-hEs for <dns-privacy@ietfa.amsl.com>; Sun, 15 Dec 2019 16:36:05 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52C8912004A for <dns-privacy@ietf.org>; Sun, 15 Dec 2019 16:36:05 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id A2B8C22413 for <dns-privacy@ietf.org>; Sun, 15 Dec 2019 19:36:03 -0500 (EST)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Sun, 15 Dec 2019 19:36:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=W6L81CwfS5ChkTT3yyIHuuTk03Gvzf/ s+WSowSp3gx0=; b=AFgnlGvEK9VxhnPY8AHsag2eKknOGMbePfuNRz8fIH4HjSB 91Z2dhvJCMkiNN79Kl/ntaZOayvsPR97Jscl13pPB3tZUiQfJdNgUVg3+0I10Yu6 keep0HMrCx9s8DYI8UM/Jd8AmpU6Z229wpn7Fdi2N1lIpYURLUI8jABlKIBOAJue pG01WVmHrsJxWRXOVR/w2IAaYcfzsiPOwTv//J7d47fckPyyREJPbpL3rAijQboN 6qgzzGxr03ZpcTbDbAvJISlhw5ScWWf9RjHgKdFw8TPCJD2ctejERP+l5c3JhS7Y 6/UyuOMt/QBeozs5zIBgfmvToPs69UvtnUGxQlQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=W6L81C wfS5ChkTT3yyIHuuTk03Gvzf/s+WSowSp3gx0=; b=mtO2khvYvAm432RJgn77oY 3UOQ7b0XivAfewBvmRm3Ln7vuN/B83vTwOoHm+Cm4iBKQBSbDdMm7jN8BnbYbvl8 QRW2gxkCyZIikx4aInMFnTkavX4vkwY4orvIQpn+JtZrD2TAdf/5DXeZrqWIMhUK 0TYxU+LQ7L2QVHvXZu7xJgNN1Nm92U/uYyVL/uOJY5fQNPPA5SabkZBWL6k8g6Cf rFHiF5diTq/oqFz0KiIIVenPgyEW8n9Ljgs0v9IEcWju2lpEqJWPmsBBX3Ve0PJR d7GwKxQY2BW93CWZUE8+hKhnRvrmLiBUjr6eHtKoCEZajFkqNGfwQ9UeVBaopK5w ==
X-ME-Sender: <xms:c9H2Xf9Alv0HeP-6Yb0Bf_Sd2vWvl7LJlO0UWSdqyIIlp3igF5akOw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrvddtgedgvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgoufhushhpvggtthffohhmrghinhculdegledmne cujfgurhepofgfggfkjghffffhvffutgesthdtredtreertdenucfhrhhomhepfdforghr thhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecuff homhgrihhnpehgihhthhhusgdrihhonecurfgrrhgrmhepmhgrihhlfhhrohhmpehmthes lhhofigvnhhtrhhophihrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:c9H2XSLJ2hMBaPTX5T_gjfGUHVz25jhZS1kutDvP5WT6dlTXOp-8bw> <xmx:c9H2XV1mY7omwxR8sc2Q_-ooscAJ0j5hYk8VoNUpmp80Dd5WNeXAmg> <xmx:c9H2XasXth4HCofOA_JaiNyMEukJbsimKHcbqswaVI2FOCJdnRrsGQ> <xmx:c9H2XWpBrNhDokjNtdnZocJn2uZokQGVzcJnKZttt_FzO1EtfnLxHw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 44644E00A2; Sun, 15 Dec 2019 19:36:03 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-680-g58d4e90-fmstable-20191213v1
Mime-Version: 1.0
Message-Id: <1e2a07b6-89cc-40aa-a617-db39765779a6@www.fastmail.com>
In-Reply-To: <CA+9kkMA1LC2tMKjqF5Lvthhs+3iNS=hUZLoJXqZG9F8COutDUA@mail.gmail.com>
References: <CA+9kkMAmsK746ViRb9tXkJX+t_paOGpWCN3i78WK_t86bLGUnQ@mail.gmail.com> <CAKC-DJhiZAv8gESrhvUc5v86TcRXrfASq4ujQ3BxOYnuENrBjg@mail.gmail.com> <CA+9kkMA1LC2tMKjqF5Lvthhs+3iNS=hUZLoJXqZG9F8COutDUA@mail.gmail.com>
Date: Mon, 16 Dec 2019 11:35:27 +1100
From: Martin Thomson <mt@lowentropy.net>
To: dns-privacy@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Gm0272tz0_ub6zjIwkIhknfNpSQ>
Subject: Re: [dns-privacy] Discovery of DNS over (not 53) and ALPN
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Dec 2019 00:36:10 -0000
Ted, On Sat, Dec 14, 2019, at 01:43, Ted Hardie wrote: > On Fri, Dec 13, 2019 at 2:12 PM Erik Nygren <erik+ietf@nygren.org> > > Linking ALPN and port defeats the purpose of ALPN. > > Unfortunately, ALPN's native "discovery" mechanism is more-or-less > connect and see what the list is. That's pretty much what the original > respondents are trying to avoid. I think that you are conflating the protocol negotiation with discovery. ALPN is a negotiation method, and what we are looking for here is discovery. ALPN allows client and server to negotiate DoT and then be confident that the resulting connection truly is DoT. ALPN might be useful in identifying a protocol, but we shouldn't be loading ALPN with other semantics as you propose. The first question we are trying to answer with discovery is "does the network provide a DoT resolver?" (The next question being "Where is it?"; a question that is at least partially answered by existing methods.) You answer that by say "I have DoT" or "I have DoT *at this location*". ALPN only factors into that process to the extent that you need to have some way to distinguish different protocols. Erik points out that using ALPN as a component of the key tuple is potentially a valuable way of using it. I agree. There's a related question here about how the server is then authenticated. RFC 8310 is far too permissive in its definition of options to be of much use here. For me, that's a far more interesting question than the one you pose. > So, let's back up a step: are people interested in using DHCP and RA as > part of the discovery story here or not? I am. I tend to think that https://thpts.github.io/draft-peterson-dot-dhcp/draft-peterson-dot-dhcp.html is a reasonable start here. Sure, it makes some assumptions, and leaves some of the harder 8310-style questions unanswered, but that's where I think we should be paying more attention anyway.
- [dns-privacy] Discovery of DNS over (not 53) and … Ted Hardie
- Re: [dns-privacy] Discovery of DNS over (not 53) … Erik Nygren
- Re: [dns-privacy] Discovery of DNS over (not 53) … Paul Wouters
- Re: [dns-privacy] Discovery of DNS over (not 53) … Ted Hardie
- Re: [dns-privacy] Discovery of DNS over (not 53) … Martin Thomson
- Re: [dns-privacy] Discovery of DNS over (not 53) … Tom Pusateri
- Re: [dns-privacy] Discovery of DNS over (not 53) … Martin Thomson
- Re: [dns-privacy] Discovery of DNS over (not 53) … Tom Pusateri
- Re: [dns-privacy] Discovery of DNS over (not 53) … Vittorio Bertola
- Re: [dns-privacy] Discovery of DNS over (not 53) … Vladimír Čunát
- Re: [dns-privacy] Discovery of DNS over (not 53) … Martin Thomson
- Re: [dns-privacy] Discovery of DNS over (not 53) … Dan Wing