IETF Logo Mail Archive

Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt

Thomas Peterson <nosretep.samoht@gmail.com> Wed, 08 May 2019 12:54 UTC

Return-Path: <nosretep.samoht@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A49C81200F6 for <dns-privacy@ietfa.amsl.com>; Wed, 8 May 2019 05:54:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zTd5Af8CHAlX for <dns-privacy@ietfa.amsl.com>; Wed, 8 May 2019 05:54:28 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A4BF120089 for <dns-privacy@ietf.org>; Wed, 8 May 2019 05:54:28 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id n25so3122327wmk.4 for <dns-privacy@ietf.org>; Wed, 08 May 2019 05:54:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=kuHFErzftZzOWsLqxfxymuHqE7wzkU8+I7g290g1mGY=; b=RCX0oNWstG0yElz2bxC6vKN7QE5Lx2RfRjG8fovMxEoVvGK5UErHzAfu3lRcmyna/G Jke8v6yxpYciHt3r6t5jsVulsAXsEyy+GXkG+1rUE3ylUlNZ/Zsjx3IOhQDU4LiBTRUo cd8OD/QF9qRhSQ5X2XDGe74SQrzNtq4WQHd2FljW6hW9VQy71qHLwOk8XGX9Wx71BhiH VNnnrzBlXk+lF3NxboD1cCVyLLPaSNDJrKHOFf5aFVGesKCBUfc6MXsXnvGuPIaB0cQV oOrFsTOFwpy3fHgLy8PAmd6NmvFKjURXRgBm2wb/APKUOYXFAt+Puot2kQE9QdcMSrcH uk6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=kuHFErzftZzOWsLqxfxymuHqE7wzkU8+I7g290g1mGY=; b=r/f3S6DKT/yKtCabofAc02XLJIHvEuDH4f7xo0XXA1asRdxlEk7k0o/MriqwhgKpW7 CBogtSFEUstAdMEVT84uItPDxrLIL8vnwvHrrspAanf2oawWYel9Qh/I2Ebt7LesHGnQ OnsP2+KfZz/zm1En5bDSrlz5M8T2CE3I/OC4sTkf67rjNPOeLPfhOkaeEjLdEgq5Jhla ryWUVO1RDYksWsNNPljPlJQtG9XBBtopzfuGoApHFU+0u1SiNBZ1k3QNE4HXXZCZOPoX yGKWh/5Rp2CMFWGr0UEAaBbh2Zh2VaVCq02Biatx2Z0Fx6SdSE+rGv3zw1pr53BjDOH9 /crA==
X-Gm-Message-State: APjAAAXV1zU1RQ05gWAd40SB+wvRIlARAlp80JkV7gm1/xrWaeyYkKKi sIs2Ea7oCFKu75/rQgpqJQFwnIbl
X-Google-Smtp-Source: APXvYqysCfAvgsOWltlOo+ueVmG53PAqQyujSXqrM+UuHf+2rbni/kNZHqzW8JUUoSsPxYG8aCc3kA==
X-Received: by 2002:a7b:ce84:: with SMTP id q4mr3090542wmj.41.1557320066287; Wed, 08 May 2019 05:54:26 -0700 (PDT)
Received: from ROADKILL.local ([62.254.187.175]) by smtp.gmail.com with ESMTPSA id f138sm2612690wmf.23.2019.05.08.05.54.24 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Wed, 08 May 2019 05:54:25 -0700 (PDT)
To: Martin Thomson <mt@lowentropy.net>
Cc: dns-privacy@ietf.org
References: <155637241515.19889.8043108886886364414.idtracker@ietfa.amsl.com> <9a851741-c4e3-44fd-e659-91e7eec8a88a@gmail.com> <60e1d104-a484-e786-5f27-b37916db8ca6@riseup.net> <fa17715a-74a8-77f3-5310-3da10c40224c@gmail.com> <794f6a22-27f0-4652-ac88-a1dc5584e4c3@www.fastmail.com> <977f05e9-36a8-2f1b-14ed-ba4e5e4bcb69@gmail.com> <6aba3a8e-f9c8-4476-9746-3fee0e287df1@www.fastmail.com> <14bd58b6-06ee-b9c3-aa61-58758b4218f7@gmail.com> <56e4efa3-0745-42c0-bd47-421d89fd7c0b@www.fastmail.com>
From: Thomas Peterson <nosretep.samoht@gmail.com>
Message-ID: <29c1e2a8-82ef-d76c-4e35-4e488a30ba6b@gmail.com>
Date: Wed, 08 May 2019 13:54:18 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Thunderbird/67.0
MIME-Version: 1.0
In-Reply-To: <56e4efa3-0745-42c0-bd47-421d89fd7c0b@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hryLjqu4HpJOq2M6jcS4dxFuiEc>
Subject: Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 12:54:31 -0000

Assuming that the host name must be a FQDN and not another 
representation (say a wildcard e.g. "*.example.com") to me it appears 
redundant to have both IP addresses and a host name and that having both 
present really only mitigates a client making a Do53 query. It also 
potentially permits scenarios like a network sending an option of an IP 
address and host name, however the host name does not actually resolve 
via any resolver to that IP address. It could also permit or encourage 
more multi-horizon DNS being deployed in networks, a subject I have 
generally negative views of.

Perhaps what is missing that would help steer this would be a threat 
model around client DNS bootstrapping before we attempt to go one 
direction or another?

Regards

On 08/05/2019 01:34, Martin Thomson wrote:
> On Wed, May 8, 2019, at 07:07, Thomas Peterson wrote:
>> If a mechanism that facilitates certificate validation is important then
>> the only two options I believe we have are:
> 
> Yes, I believe that certificate validation is important, if not critical.  As I said earlier, the process by which a DoT (or DoH) server is contacted is materially different than the network configuration process.
> 
>> A: Providing a host name only within the option, and expect clients to
>> use Do53 to resolve it, performing host name validation against the
>> certificate CommonName or SubjectAltName.
>>
>> B: Using IP address(es) only, with either Do53 option or this option
>> providing the IP addresses, in addition to a non-DNS related identifier
>> to facilitate certificate validation - perhaps the Serial Number,
>> Subject Key Identifier or some other field or a derived field of data.
>> Having an option with both a host name and IP addresses makes no real
>> sense to me.
> 
> I want to dig into this.  How do you think that hostname + IP is nonsensical?  I am given a name and some candidate IP addresses for that name.  The security all hangs off the name, but I need the IP addresses to make a connection.
> 
> In a way it is not fundamentally different than your suggestion to include a serial number or SPKI.  The important difference is that TLS stacks know how to deal with names and we have (elaborate) systems for ensuring that a host that claims to control a name really does.  A name allows us to use all that infrastructure.
>

v2.23.0 | Report a Bug | By Email