Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt
Thomas Peterson <nosretep.samoht@gmail.com> Wed, 08 May 2019 12:54 UTC
Return-Path: <nosretep.samoht@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A49C81200F6 for <dns-privacy@ietfa.amsl.com>; Wed, 8 May 2019 05:54:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zTd5Af8CHAlX for <dns-privacy@ietfa.amsl.com>; Wed, 8 May 2019 05:54:28 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A4BF120089 for <dns-privacy@ietf.org>; Wed, 8 May 2019 05:54:28 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id n25so3122327wmk.4 for <dns-privacy@ietf.org>; Wed, 08 May 2019 05:54:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=kuHFErzftZzOWsLqxfxymuHqE7wzkU8+I7g290g1mGY=; b=RCX0oNWstG0yElz2bxC6vKN7QE5Lx2RfRjG8fovMxEoVvGK5UErHzAfu3lRcmyna/G Jke8v6yxpYciHt3r6t5jsVulsAXsEyy+GXkG+1rUE3ylUlNZ/Zsjx3IOhQDU4LiBTRUo cd8OD/QF9qRhSQ5X2XDGe74SQrzNtq4WQHd2FljW6hW9VQy71qHLwOk8XGX9Wx71BhiH VNnnrzBlXk+lF3NxboD1cCVyLLPaSNDJrKHOFf5aFVGesKCBUfc6MXsXnvGuPIaB0cQV oOrFsTOFwpy3fHgLy8PAmd6NmvFKjURXRgBm2wb/APKUOYXFAt+Puot2kQE9QdcMSrcH uk6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=kuHFErzftZzOWsLqxfxymuHqE7wzkU8+I7g290g1mGY=; b=r/f3S6DKT/yKtCabofAc02XLJIHvEuDH4f7xo0XXA1asRdxlEk7k0o/MriqwhgKpW7 CBogtSFEUstAdMEVT84uItPDxrLIL8vnwvHrrspAanf2oawWYel9Qh/I2Ebt7LesHGnQ OnsP2+KfZz/zm1En5bDSrlz5M8T2CE3I/OC4sTkf67rjNPOeLPfhOkaeEjLdEgq5Jhla ryWUVO1RDYksWsNNPljPlJQtG9XBBtopzfuGoApHFU+0u1SiNBZ1k3QNE4HXXZCZOPoX yGKWh/5Rp2CMFWGr0UEAaBbh2Zh2VaVCq02Biatx2Z0Fx6SdSE+rGv3zw1pr53BjDOH9 /crA==
X-Gm-Message-State: APjAAAXV1zU1RQ05gWAd40SB+wvRIlARAlp80JkV7gm1/xrWaeyYkKKi sIs2Ea7oCFKu75/rQgpqJQFwnIbl
X-Google-Smtp-Source: APXvYqysCfAvgsOWltlOo+ueVmG53PAqQyujSXqrM+UuHf+2rbni/kNZHqzW8JUUoSsPxYG8aCc3kA==
X-Received: by 2002:a7b:ce84:: with SMTP id q4mr3090542wmj.41.1557320066287; Wed, 08 May 2019 05:54:26 -0700 (PDT)
Received: from ROADKILL.local ([62.254.187.175]) by smtp.gmail.com with ESMTPSA id f138sm2612690wmf.23.2019.05.08.05.54.24 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Wed, 08 May 2019 05:54:25 -0700 (PDT)
To: Martin Thomson <mt@lowentropy.net>
Cc: dns-privacy@ietf.org
References: <155637241515.19889.8043108886886364414.idtracker@ietfa.amsl.com> <9a851741-c4e3-44fd-e659-91e7eec8a88a@gmail.com> <60e1d104-a484-e786-5f27-b37916db8ca6@riseup.net> <fa17715a-74a8-77f3-5310-3da10c40224c@gmail.com> <794f6a22-27f0-4652-ac88-a1dc5584e4c3@www.fastmail.com> <977f05e9-36a8-2f1b-14ed-ba4e5e4bcb69@gmail.com> <6aba3a8e-f9c8-4476-9746-3fee0e287df1@www.fastmail.com> <14bd58b6-06ee-b9c3-aa61-58758b4218f7@gmail.com> <56e4efa3-0745-42c0-bd47-421d89fd7c0b@www.fastmail.com>
From: Thomas Peterson <nosretep.samoht@gmail.com>
Message-ID: <29c1e2a8-82ef-d76c-4e35-4e488a30ba6b@gmail.com>
Date: Wed, 08 May 2019 13:54:18 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Thunderbird/67.0
MIME-Version: 1.0
In-Reply-To: <56e4efa3-0745-42c0-bd47-421d89fd7c0b@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hryLjqu4HpJOq2M6jcS4dxFuiEc>
Subject: Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 12:54:31 -0000
Assuming that the host name must be a FQDN and not another representation (say a wildcard e.g. "*.example.com") to me it appears redundant to have both IP addresses and a host name and that having both present really only mitigates a client making a Do53 query. It also potentially permits scenarios like a network sending an option of an IP address and host name, however the host name does not actually resolve via any resolver to that IP address. It could also permit or encourage more multi-horizon DNS being deployed in networks, a subject I have generally negative views of. Perhaps what is missing that would help steer this would be a threat model around client DNS bootstrapping before we attempt to go one direction or another? Regards On 08/05/2019 01:34, Martin Thomson wrote: > On Wed, May 8, 2019, at 07:07, Thomas Peterson wrote: >> If a mechanism that facilitates certificate validation is important then >> the only two options I believe we have are: > > Yes, I believe that certificate validation is important, if not critical. As I said earlier, the process by which a DoT (or DoH) server is contacted is materially different than the network configuration process. > >> A: Providing a host name only within the option, and expect clients to >> use Do53 to resolve it, performing host name validation against the >> certificate CommonName or SubjectAltName. >> >> B: Using IP address(es) only, with either Do53 option or this option >> providing the IP addresses, in addition to a non-DNS related identifier >> to facilitate certificate validation - perhaps the Serial Number, >> Subject Key Identifier or some other field or a derived field of data. >> Having an option with both a host name and IP addresses makes no real >> sense to me. > > I want to dig into this. How do you think that hostname + IP is nonsensical? I am given a name and some candidate IP addresses for that name. The security all hangs off the name, but I need the IP addresses to make a connection. > > In a way it is not fundamentally different than your suggestion to include a serial number or SPKI. The important difference is that TLS stacks know how to deal with names and we have (elaborate) systems for ensuring that a host that claims to control a name really does. A name allows us to use all that infrastructure. >
- [dns-privacy] Fwd: New Version Notification for d… Thomas Peterson
- Re: [dns-privacy] Fwd: New Version Notification f… nusenu
- Re: [dns-privacy] Fwd: New Version Notification f… Thomas Peterson
- Re: [dns-privacy] Fwd: New Version Notification f… Martin Thomson
- Re: [dns-privacy] New Version Notification for dr… Ole Troan
- Re: [dns-privacy] Fwd: New Version Notification f… Thomas Peterson
- Re: [dns-privacy] Fwd: New Version Notification f… Martin Thomson
- Re: [dns-privacy] New Version Notification for dr… Dan Wing
- Re: [dns-privacy] New Version Notification for dr… Martin Thomson
- Re: [dns-privacy] Fwd: New Version Notification f… Thomas Peterson
- Re: [dns-privacy] Fwd: New Version Notification f… Erik Kline
- Re: [dns-privacy] Fwd: New Version Notification f… Martin Thomson
- Re: [dns-privacy] New Version Notification for dr… Brian Haberman
- Re: [dns-privacy] Fwd: New Version Notification f… Thomas Peterson