IETF Logo Mail Archive

[dns-privacy] Discovery of DNS over (not 53) and ALPN

Ted Hardie <ted.ietf@gmail.com> Fri, 13 December 2019 13:53 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 828A512011D for <dns-privacy@ietfa.amsl.com>; Fri, 13 Dec 2019 05:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JfTGkqHagJAM for <dns-privacy@ietfa.amsl.com>; Fri, 13 Dec 2019 05:53:46 -0800 (PST)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FF061200EC for <dns-privacy@ietf.org>; Fri, 13 Dec 2019 05:53:46 -0800 (PST)
Received: by mail-io1-xd2c.google.com with SMTP id c16so2443464ioh.6 for <dns-privacy@ietf.org>; Fri, 13 Dec 2019 05:53:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=aKBf+qH90icXBB8sw9k8qyR4S8tFb9fA5K022OFMqtA=; b=ShH9n0Xmm4InMuNxqNeaRIuGUc9YH81UV3n7opiaXIOZdbfV7q9SpunoyIMmQSZ7Fc F7GgtTxg0tXT4HHqSvymglGtjFRmtzkcWOs47NNMTKkANEi944yHK3nGwOZUSp1SEzWZ ZpTAbe0VGNezmJIheFreZIBT+G7DaqOFPxxTZWtFL0UbU9hRThAPe510Hvl72wwCi1w5 ZRW60THIQjq5nqrT6J8x0soXlG6o5fJjnm5xB157ynkQSVKUOzWDCIZFpdIDRW4hTigL FMvy5kQJ37pHS1q75MkjrtsYc1XBRAT+b1mwohzHGb4idnlkIA2fgj4FoN7q8DGiumE1 LDGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=aKBf+qH90icXBB8sw9k8qyR4S8tFb9fA5K022OFMqtA=; b=NbXpqv5xxc/tu34TrilgTXl0TnvAeusSy8ItI4uAktprB7WHCDyYubdZir0ezhCDSx AXJqvLgoy6yIZ3ibB1x5ObBiZllQs279UPHEQkKGZYsmDjl7v7RP4PooMJmo1dEbux4o fJmSFYyZkljW7qnoZzpe2w2wNbKEvLAQl+0W4Wl7IkjghJEAJP5ZsT6k4ph6QMhtbdf6 43JtoLTi/DDQqCr/zyuq68sqTw1QR9CizeW52ovSLWDWJUtVhS3n4taLK9wd5QMthnBh fzTMFmRtFhadzOXHLE2fw0XpfcpjsgmHzF5MBGOSXs8kOXl1oiRliRM92Ow5qS4BFgyy yJvg==
X-Gm-Message-State: APjAAAW8cGlfXpNr7OfXRzbcuyiZDyIza9g/rm54BnGlLpy5XiEgHyIj ABNhsDj+NZjI1AWzdEgQaNwULdJqs5agZ4ayJEyuPurOJqw=
X-Google-Smtp-Source: APXvYqxbwcDXk7sUjMc/J+RAJVseLWbR8g4X1u7LF3AtzQOkcjdUzq0aNwW0YkTSE39xS7CHRvDAURyf+DOv3ipmWVE=
X-Received: by 2002:a02:6957:: with SMTP id e84mr12445189jac.11.1576245224843; Fri, 13 Dec 2019 05:53:44 -0800 (PST)
MIME-Version: 1.0
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 13 Dec 2019 13:53:18 +0000
Message-ID: <CA+9kkMAmsK746ViRb9tXkJX+t_paOGpWCN3i78WK_t86bLGUnQ@mail.gmail.com>
To: dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b4b1940599963050"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/nWLod8jWofxkqPnody2CPKPxxb0>
Subject: [dns-privacy] Discovery of DNS over (not 53) and ALPN
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Dec 2019 13:53:48 -0000

So this came up in an another thread, but it probably needs a separate
topic.

The point being made was:

We really need to figure out how to do DoWhatever discovery, preferably
> better than probe ports on the same IP as the port 53 server.
>

I think one critical question is how discovery of DoT and DoH (and later
entrants)  servers is related to the discovery of port 53 servers.  One
possibility here, if we do define ALPN tokens for each of these, is to
combine that token with the base discovery methods.  So, DHCPv4 Option 6
(or DHCPv6 option 23) gives you the IP address of the server, and a new
DNS-ALPN option code gives you the ALPN(s), from which you derive the port.

If the DNS-ALPN option code is absent, go to port 53.  If there is one
present, it is a list, like the ALPN next protocol list, of the tokens
corresponding to the list the server supports.  This implies that you would
need an ALPN token for DoT port 853 to be available and distinct from DoT
port 443.

Router advertisements are a little trickier.  If someone is currently using
RFC 8106 style advertisements, I think it would be cleaner to have those
still present and a new option for DNS-over-not-53 options.  That could
still leverage the ALPN list as a way of making that a single option
(rather than a bunch of separate announcements).

There are clearly operational environments that wouldn't follow this (those
that use the URI template in RFC 8484, for example), but something that
allows you to signal them together does seem useful.

Note that this approach means that if you have a client that supports DNS
over 53 and doesn't understand the ALPN token in the new option, you can
run into a corner case.  If the network does not support DNS over 53, the
client will fail to see the alternatives to port 53.  It would then have to
interpret an ICMP destination unreachable (presuming that gets through).

I'm not an expert on either DHCP or RA, of course, so I may have this wrong
way around.

regards,

Ted

v2.23.0 | Report a Bug | By Email