Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt

"Martin Thomson" <mt@lowentropy.net> Wed, 08 May 2019 00:34 UTC

Message-Id: <56e4efa3-0745-42c0-bd47-421d89fd7c0b@www.fastmail.com>
In-Reply-To: <14bd58b6-06ee-b9c3-aa61-58758b4218f7@gmail.com>
References: <155637241515.19889.8043108886886364414.idtracker@ietfa.amsl.com> <9a851741-c4e3-44fd-e659-91e7eec8a88a@gmail.com> <60e1d104-a484-e786-5f27-b37916db8ca6@riseup.net> <fa17715a-74a8-77f3-5310-3da10c40224c@gmail.com> <794f6a22-27f0-4652-ac88-a1dc5584e4c3@www.fastmail.com> <977f05e9-36a8-2f1b-14ed-ba4e5e4bcb69@gmail.com> <6aba3a8e-f9c8-4476-9746-3fee0e287df1@www.fastmail.com> <14bd58b6-06ee-b9c3-aa61-58758b4218f7@gmail.com>
Date: Tue, 07 May 2019 20:34:49 -0400
From: Martin Thomson <mt@lowentropy.net>
To: Thomas Peterson <nosretep.samoht@gmail.com>
Cc: dns-privacy@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/gDElsC5ih2S2jwRSSJc7uT_1zwQ>
Subject: Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt

On Wed, May 8, 2019, at 07:07, Thomas Peterson wrote:
> If a mechanism that facilitates certificate validation is important then 
> the only two options I believe we have are:

Yes, I believe that certificate validation is important, if not critical.  As I said earlier, the process by which a DoT (or DoH) server is contacted is materially different from the network configuration process.

> A: Providing a host name only within the option, and expect clients to 
> use Do53 to resolve it, performing host name validation against the 
> certificate CommonName or SubjectAltName.
> 
> B: Using IP address(es) only, with either Do53 option or this option 
> providing the IP addresses, in addition to a non-DNS related identifier 
> to facilitate certificate validation - perhaps the Serial Number, 
> Subject Key Identifier or some other field or a derived field of data. 
> Having an option with both a host name and IP addresses makes no real 
> sense to me.

I want to dig into this.  How do you think that hostname + IP is nonsensical?  I am given a name and some candidate IP addresses for that name.  The security all hangs off the name, but I need the IP addresses to make a connection.

In a way it is not fundamentally different from your suggestion to include a serial number or SPKI.  The important difference is that TLS stacks know how to deal with names and we have (elaborate) systems for ensuring that a host that claims to control a name really does.  A name allows us to use all that infrastructure.
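The split Martin describes (reachability comes from the candidate IP addresses, identity comes from the name) is easy to get wrong in client code. The following is an added example, not code from the thread or from draft-peterson-dot-dhcp: it assumes a hypothetical DHCP option that has already yielded a name plus a list of candidate IPs, connects to the IP while handing the name to the TLS stack for validation, and, alongside that, spells out the SubjectAltName matching that "the security all hangs off the name" relies on (a conservative reading of the RFC 6125 rules: dNSName entries only, no CommonName fallback, wildcard only as a whole leftmost label). The Option B variant (pinning a Serial Number or SPKI) is not shown because the standard library has no way to extract those fields from a peer certificate.

```python
import ipaddress
import socket
import ssl

DOT_PORT = 853  # DNS over TLS (RFC 7858)


def _labels(name):
    """Lower-case, strip a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, hostname):
    """Does a certificate dNSName pattern match the reference name?

    Conservative RFC 6125 style rules: case-insensitive comparison, a
    wildcard is only accepted as the entire leftmost label, it matches
    exactly one label (never across dots), and at least two labels must
    follow it (so "*.net" is refused).
    """
    if not pattern or not hostname:
        return False
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False  # partial-label or non-leftmost wildcards refused
    if len(p) < 3:
        return False  # "*.tld" is too broad
    return len(h) == len(p) and h[1:] == p[1:]


def name_matches_cert(hostname, peercert):
    """Option A check: the DHCP-supplied name must appear in the SAN.

    `peercert` is in the dict shape Python's ssl.getpeercert() returns.
    An IP literal is not a name, and CommonName is deliberately ignored.
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)


def connect_dot_by_name(name, candidate_ips, timeout=3.0, cafile=None):
    """Connect to any candidate IP, but validate the certificate against NAME.

    The TLS stack performs chain validation and the SAN check above; the
    IP only decides where the TCP connection goes. Returns a TLS socket.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    last_err = None
    for ip in candidate_ips:
        try:
            sock = socket.create_connection((ip, DOT_PORT), timeout=timeout)
        except OSError as e:  # unreachable candidate: try the next one
            last_err = e
            continue
        try:
            # SNI and hostname verification both use the name, not the IP.
            return ctx.wrap_socket(sock, server_hostname=name)
        except ssl.SSLError as e:  # wrong name or untrusted chain: do not fall back to plaintext
            sock.close()
            last_err = e
    raise last_err if last_err else OSError("no candidate addresses supplied")


if __name__ == "__main__":
    # Constructed peer certificate in getpeercert() shape (not a real cert).
    constructed_cert = {
        "subject": ((("commonName", "dns.example.net"),),),
        "subjectAltName": (
            ("DNS", "resolver.example.net"),
            ("DNS", "*.dot.example.net"),
            ("IP Address", "192.0.2.53"),
        ),
    }
    for candidate in ("resolver.example.net", "a.dot.example.net", "dns.example.net", "192.0.2.53"):
        print(candidate, name_matches_cert(candidate, constructed_cert))
```

The `connect_dot_by_name` helper is what a client built around the name-plus-addresses option would do; `name_matches_cert` is only there to make the validation rule visible, since `ssl` performs the equivalent check internally when `check_hostname` is set. Note that "dns.example.net" fails against the constructed certificate even though it is the CommonName: a deployment that relies on CN alone is what Option A has to avoid.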