Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt
Erik Kline <ek@loon.com> Tue, 07 May 2019 22:23 UTC
Return-Path: <ek@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CABA012029E for <dns-privacy@ietfa.amsl.com>; Tue, 7 May 2019 15:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.498
X-Spam-Level:
X-Spam-Status: No, score=-9.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=loon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9UHk-4lWnmB for <dns-privacy@ietfa.amsl.com>; Tue, 7 May 2019 15:23:36 -0700 (PDT)
Received: from mail-it1-x12d.google.com (mail-it1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F48C120279 for <dns-privacy@ietf.org>; Tue, 7 May 2019 15:23:36 -0700 (PDT)
Received: by mail-it1-x12d.google.com with SMTP id q132so800950itc.5 for <dns-privacy@ietf.org>; Tue, 07 May 2019 15:23:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=loon.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=Jmzj6Wsqapx9B3DuzHuQOfcSwuYSHKdqIQ42CXs1PMI=; b=VpvntcsNFY+kKUrcOcEyexR0c50I5LM3khXHWUoMTznbTkgStm2HkTU3nR8zEO/iUp 8/93MDAA4PdKepevzpRFjSKZksb1xAJgSkCo77KV0PfC8qXAwiK7ZD0rtsLSq61wiD7u YS1TNdMQwvZsi5hdffoO4/KB7pZjo60msqJqM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=Jmzj6Wsqapx9B3DuzHuQOfcSwuYSHKdqIQ42CXs1PMI=; b=K7jEL6cOcgnaN1oiQ9mYVphdZkh+DSftAsAqnLy7uh4PFPxETeIDXsmUUIfQ0PFjC8 6scCTk7zhDfHhJJUR/nCWHGMx3gMDNe0Vt0t83iunhlvE4LbbuIZAvHLKH7b0Q+RXwX4 RLkByxDX2hyfxWyk3VDgwXucTpndOTDuxoHK3QJmRknf12wAYlYC/KnhZr9x1z5VesRu AQrkw4eeAkVvFLsPvk6bolQ5Al2Vs7gQot93Ae7rLBa4NpcSihN234HAu12TVfcdmMx8 MSRJeaApImJkfV1wYHbtB2Qrs0GH/gcsXB0fQXzyYMx1zKbh3dlx9tm1LmciewxG4+E4 zkzQ==
X-Gm-Message-State: APjAAAVkeEuduML1ZK6VCKuD31i481qBCJrVcPKo2/fowPH87Xn3v1s6 G2lpfyPPfvKtoLC5f7mkivjwAcE2auTBuYNMYv8w0w==
X-Google-Smtp-Source: APXvYqwx50l0uI9jhhehPp+d70wzc9EmCtH55wWPZVM7P4EPjdgclOTHjKgMftC+WdOZ6NuMguyAlXdEi2E/2Z5llpM=
X-Received: by 2002:a24:10c6:: with SMTP id 189mr688393ity.40.1557267815123; Tue, 07 May 2019 15:23:35 -0700 (PDT)
MIME-Version: 1.0
References: <155637241515.19889.8043108886886364414.idtracker@ietfa.amsl.com> <9a851741-c4e3-44fd-e659-91e7eec8a88a@gmail.com> <60e1d104-a484-e786-5f27-b37916db8ca6@riseup.net> <fa17715a-74a8-77f3-5310-3da10c40224c@gmail.com> <794f6a22-27f0-4652-ac88-a1dc5584e4c3@www.fastmail.com> <977f05e9-36a8-2f1b-14ed-ba4e5e4bcb69@gmail.com> <6aba3a8e-f9c8-4476-9746-3fee0e287df1@www.fastmail.com> <14bd58b6-06ee-b9c3-aa61-58758b4218f7@gmail.com>
In-Reply-To: <14bd58b6-06ee-b9c3-aa61-58758b4218f7@gmail.com>
Reply-To: ek@loon.com
From: Erik Kline <ek@loon.com>
Date: Tue, 07 May 2019 15:23:23 -0700
Message-ID: <CAAedzxqcdc_a9H19qRe3Cx85YSjgJbcsE50K4bHoP3MSpVkaWg@mail.gmail.com>
To: Thomas Peterson <nosretep.samoht@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f13d69058853aa24"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hg3lk2m3bUxBn8GpGcv70VlbWpM>
Subject: Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 22:23:44 -0000
On Tue, 7 May 2019 at 14:07, Thomas Peterson <nosretep.samoht@gmail.com> wrote: > If a mechanism that facilitates certificate validation is important then > the only two options I believe we have are: > > A: Providing a host name only within the option, and expect clients to > use Do53 to resolve it, performing host name validation against the > certificate CommonName or SubjectAltName. > FWIW, this is what Android "Private DNS" does: bootstrap using network-assigned nameservers and then do the usual validation dance. If there were some URL-ish representation of DoT vs DoH then a list of UTF8 strings might suffice. B: Using IP address(es) only, with either Do53 option or this option > providing the IP addresses, in addition to a non-DNS related identifier > to facilitate certificate validation - perhaps the Serial Number, > Subject Key Identifier or some other field or a derived field of data. > Having an option with both a host name and IP addresses makes no real > sense to me. > > It seems the first option is probably the most appropriate and I should > rewrite the draft accordingly, would you agree? > > Regards > > On 06/05/2019 05:25, Martin Thomson wrote: > > So the plan is: > > > > 1. new option has > 0 entries: use those IP addresses with DoT. > > > > 2. new option has 0 entries: use the other entry, but you can use DoT > with confidence. > > > > 3. no new option: you are left guessing, but you might be stuck with > Do53. > > > > No mention here of how you get the name for certificate validation > still. That's still important. > > > > On Sat, May 4, 2019, at 02:29, Thomas Peterson wrote: > >> Thanks Martin. > >> > >> I believe there's a trade off decision between providing multiple IP > >> addresses and de-duplicating with Do53 options, offering host names, and > >> complexity. I've updated my version[0] with an attempt to solve the > >> de-duplication, one way we could implement host name support is to > >> either include another field designating the DNS server field as a > >> single host name, or mandate it be such and not have the field. > >> > >> Your opinions and those of others on the list appreciated. > >> > >> Regards > >> > >> > >> 0: > >> > https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-peterson-dot-dhcp.txt&url2=https://thpts.github.io/draft-peterson-dot-dhcp/draft-peterson-dot-dhcp.txt > >> > >> On 29/04/2019 01:50, Martin Thomson wrote: > >>> For DoT and Do53 are similar enough that they can use the same IP > address and the DoT configuration only contains a target name. There is a > problem with the first in terms of signaling that DoT is present, but that > the server will be using an IP certificate. I don't know what the answer > is there. I'd first try to see if requiring a name works. > >>> > >>> I certainly think that one name is sufficient. Multiple IP addresses > might be useful, but they can all answer to the same name (at least for the > same provisioning domain). > >>> > >>> DoH is different, and I think that your other draft is right in saying > that you just have to use Do53 (or even DoT, though why you would...) to > find the IP address for that name. > >>> > >>> > >>> On Sun, Apr 28, 2019, at 21:12, Thomas Peterson wrote: > >>>> Thank you for the feedback. > >>>> > >>>> I agree with your suggestion around having host names and pins present > >>>> in the response and I'll have a think what it might look like - > >>>> suggestions here or on Github[0] welcome. > >>>> > >>>> However I disagree that combining both DoT and DoH is appropriate - to > >>>> me they are different protocols and I am concerned around complexity > and > >>>> size limitations (particularly for DHCPv4) that would be needed. > >>>> > >>>> Regards > >>>> > >>>> > >>>> 0: https://github.com/thpts/draft-peterson-dot-dhcp > >>>> > >>>> On 2019/04/28 4:12, nusenu wrote: > >>>>> Thomas Peterson: > >>>>>> In a recent discussion in the DoH mailing list around a draft that > >>>>>> describes resolver discovery, Martin Thomson made the suggestion[0] > >>>>>> to use DHCP and RA options instead to transmit both DNS over HTTP > >>>>>> resolver addresses, but more relevant to this WG also DNS over TLS > >>>>>> endpoints as well. I have published draft-peterson-dot-dhcp, which > >>>>>> describe the relevant DHCPv4, DHCPv6, and RA options to support > >>>>>> this. > >>>>> [...] > >>>>>> 0: > >>>>>> > https://mailarchive.ietf.org/arch/msg/doh/A2YthHjFwwwpC3d0MrOm1-syH48 > >>>>> Thanks for starting this I-D. > >>>>> > >>>>> from the I-D: > >>>>>> Length: Length of the DNS Servers list in octects > >>>>>> > >>>>>> DNS Servers: One or more IPv4 addresses of DNS servers > >>>>> The I-D currently only contains IP addresses, not names as > >>>>> proposed by Martin: > >>>>> > >>>>> To quote Martin Thomson's email: > >>>>>> 2. We add a field to DHCP and RA that carries the "DoT resolver". > >>>>>> When this is present, the client resolves this name using the > >>>>>> resolver. This resolution is unsecured. The client then connects > to > >>>>>> the resulting IP address and validates the certificate it presents > >>>>>> using this name. This enables easier deployment of DoT because a > >>>>>> certificate for a name is easier to get than an IP certificate (it > >>>>>> also enables use of 1918 address and the like). > >>>>> So I'd suggest to have multiple fields: > >>>>> - IP address (optional) > >>>>> - name (for PKIX verification) (optional) > >>>>> - SPKI pins? (optional) > >>>>> > >>>>> I'd like to see a single document covering DoT and DoH > >>>>> DHCP/RA options (as Martin Thomson suggested) > >>>>> instead of two documents doing the same thing > >>>>> for each protocol separately. > >>>>> > >>>>> kind regards, > >>>>> nusenu > >>>>> > >>>>> > >>>>> > >>>> > >> > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] Fwd: New Version Notification for d… Thomas Peterson
- Re: [dns-privacy] Fwd: New Version Notification f… nusenu
- Re: [dns-privacy] Fwd: New Version Notification f… Thomas Peterson
- Re: [dns-privacy] Fwd: New Version Notification f… Martin Thomson
- Re: [dns-privacy] New Version Notification for dr… Ole Troan
- Re: [dns-privacy] Fwd: New Version Notification f… Thomas Peterson
- Re: [dns-privacy] Fwd: New Version Notification f… Martin Thomson
- Re: [dns-privacy] New Version Notification for dr… Dan Wing
- Re: [dns-privacy] New Version Notification for dr… Martin Thomson
- Re: [dns-privacy] Fwd: New Version Notification f… Thomas Peterson
- Re: [dns-privacy] Fwd: New Version Notification f… Erik Kline
- Re: [dns-privacy] Fwd: New Version Notification f… Martin Thomson
- Re: [dns-privacy] New Version Notification for dr… Brian Haberman
- Re: [dns-privacy] Fwd: New Version Notification f… Thomas Peterson