Re: [dns-privacy] FW: New Version Notification for draft-mglt-dprive-dns-uri-00.txt
Daniel Migault <mglt.ietf@gmail.com> Thu, 19 March 2020 20:14 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 496873A0EA7 for <dns-privacy@ietfa.amsl.com>; Thu, 19 Mar 2020 13:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BW6X-xM8Yz0N for <dns-privacy@ietfa.amsl.com>; Thu, 19 Mar 2020 13:14:47 -0700 (PDT)
Received: from mail-ua1-x936.google.com (mail-ua1-x936.google.com [IPv6:2607:f8b0:4864:20::936]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76DCF3A0EA2 for <dprive@ietf.org>; Thu, 19 Mar 2020 13:14:47 -0700 (PDT)
Received: by mail-ua1-x936.google.com with SMTP id g21so1340307uaj.1 for <dprive@ietf.org>; Thu, 19 Mar 2020 13:14:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tBqUz1rbMApSVPsvBTmbYy4509a0UTKiSEuI58wgqy8=; b=Wj3dbPtfq1EKsMR0ura2Qktvlld5gb7UEYb4W5CGvKh069AFS6ANUovy2trpxxNc+f jg4VvN59CSo1j+MaQvcBudEU4GohOW4UNdkALDgNYPTb6/jjhUHWfuAixpsTFo55UV8G Z9L2WvdcFTwss+RTWh3n8oxzp/BbGDAjNCPVbFXx65jRVoLtTxiLkDftbOzhmxGVYk+Z WRqnO0ydMSCCwD9jgKMVu4d0wOupzX0eELwlWr7ZqZjsmG7GFGOfR2w9ey4gd0p/Ec3U onIb5ANP27kNpYKisshP1TKfTTTTDKtxA+NyluCHqVizeCOvWqsBQTe6UG9+Bl9E84LA hmOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tBqUz1rbMApSVPsvBTmbYy4509a0UTKiSEuI58wgqy8=; b=mAaK5iGjvioOWtjdQ4kqh/zGDvmOmcQkAMlplU3/ojvSCyYPOMx2Dat4CmyASlo5gp IAqpqa+0h49Y/f6XjDB+vBAgJUMGN8HoM+oE40COXmMbGVWq1ZMwLtDE/OyagPX1D3K6 TFl38xXLTvMq48ipqi1QgqsehD2fXBYo25xHs3KDaXUAYma9ZjOlKgRUh9aeXXVFIA0Y 2HSvZ+JEFqMh76ktAimtuvio4RiHpXqtRkpmQoX3eP2gBnnuJv7N8hVp+1CD57ZFsgVP 3CPTs09tqZMqZlYdePaTB4FSim34GDk5By4bMX4tcqnDwPH065qfk7V00+WvkOuB8BZW WCYQ==
X-Gm-Message-State: ANhLgQ14cSY1I+HGKe6dccdU1Tkuck/0mPC2OCQUtC6+IZLqfF67GlRi 7m4X2ivEqcegRw9n2UPUuUYtn9cCsF809kFlVV8=
X-Google-Smtp-Source: ADFU+vvVT/w7ExZWzLxBg7E31i7BFhZV+6j+dec1sbbhMdKCbS7IXm3uUH7uM1WtjqsDrOHk7JJ2A4lqMVxCnPKkjeQ=
X-Received: by 2002:ab0:21ce:: with SMTP id u14mr3275140uan.23.1584648885570; Thu, 19 Mar 2020 13:14:45 -0700 (PDT)
MIME-Version: 1.0
References: <158458660793.29426.18157657564263370854@ietfa.amsl.com> <SN6PR15MB2302088989EF9CC17A587E6AE3F40@SN6PR15MB2302.namprd15.prod.outlook.com> <CA+9kkMDtEMxzqO6nBoLKhjf4123uwo1a-dE29z4Tqq+q25Ax6A@mail.gmail.com> <CADZyTkmwY4w=tA0xZPCcBvx87ryMiujzD4B1eaAoVzZM-r0u4w@mail.gmail.com> <CA+9kkMDWLNSpXADZbn4YXS6fR6FQ_rL90rfKwqDofHE7Q+3nSA@mail.gmail.com>
In-Reply-To: <CA+9kkMDWLNSpXADZbn4YXS6fR6FQ_rL90rfKwqDofHE7Q+3nSA@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Thu, 19 Mar 2020 16:14:34 -0400
Message-ID: <CADZyTkkk-uYXN1MZ3eSu=pJ-pvJAefzDvs_LLq5fn=qW=yziBA@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>, "dprive@ietf.org" <dprive@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000eb106705a13ad133"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/r__HlGigJ4KmDOqmX9j8xRVo3HM>
Subject: Re: [dns-privacy] FW: New Version Notification for draft-mglt-dprive-dns-uri-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2020 20:14:53 -0000
On Thu, Mar 19, 2020 at 2:49 PM Ted Hardie <ted.ietf@gmail.com> wrote: > Hi Daniel, > > On Thu, Mar 19, 2020 at 11:16 AM Daniel Migault <mglt.ietf@gmail.com> > wrote: > >> Hi Ted, >> >> >> >> Thanks for the feed back. The dns uri scheme has the port optional and >> provides port flexibility. >> > > I believe the port is optional to include in any URI, but I believe > support for a port is mandatory to implement. Are you aware of > implementations that don't implement it? > > If we are using the port as an indication of the transport protocol, we >> are losing this flexibility. A consequence is that is it would prevent >> using other ports than non standard port. >> > > I think it means there's a different trade-off. If you use an existing > port in a non-standard way, this will fail (and that's pretty correct > behavior in the face of squatting). > I agree. If you use a non-standard port, you can use this mechanism to specify the > port. The client would then need to attempt the connections with its > preferred mechanism (for the TLS ones, using ALPN) and then decide whether > to fall back to less-preferred methods if those are not available. I would > strongly urge that preference go from most confidential transport to less > confidential transports, but that would ultimately be a client decision. > This is correct that try and error could be use, but I would have prefer to avoid this. If the client is not able to specify explicitly the transport, I have the impression the choice will be left to the resolver. Typically, the resolver could downgrade to DNS53 without the client being able to enforce DoT or DoH is needed. Typically, resolver.com may abort the TLS session and downgrade to DNS53. On a performance point of view it may end up in multiple TLS session (1 per server if alpn is supported, many more otherwise). On a privacy point of view, it might force the client to leak its preference, which might be an issue in some case. I would prefer if possible the client not top go through this discover step. > At least from my point of view, what you appear to want is configuration > protocol, but neither what you specified nor the original is a DNS client > configuration protocol. They primarily provide a reference to specific > resource record data in the DNS, and this form: > > dns:www.example.com?clAsS=IN;tYpE=A > > looks like it ought to be the most common; it tells you the reference to a > specific RR, without requiring you to get it from anywhere in particular. > That works with whatever resolver you have configured, at least in the > common case. > This is correct that the the dns scheme is focused on the DNS data with little care on how the data is retrieved. The reason I though of using different schemes was similar to have the https scheme versus the http scheme. On one hand, I believe the current dns scheme is not sufficient, on the other hand, I may go a bit to far and agree that we might be too close to a configuration. > > The extended forms, which name or provide an address for a specific > resolver are useful (e.g. for split DNS), but I think creating a bunch of > different URI schemes to extend that to specify a protocol is more harmful > than helpful, as you then have an equivalence problem. Are > dot://server.example:2836/:www.example.com?clAsS=IN;tYpE=A and dns: > www.example.com?clAsS=IN;tYpE=A presumed to be equivalent or not? > > I agree there will be some overlap. What that suggests is, if you really believe the trade-off to focus on > specific servers and non-standard ports is critical, that you should mint a > single URI scheme for the purpose, with a mandatory paramater that lists > the transports . I would personally still feel that was heading this in > the wrong direction, > When you propose a single uri scheme, would the single uri scheme be dns or should we use a different one like dnss for example (following https) ? Would that scheme reserved for dns on non standard port ? In both cases, I still see some overlap with the dns scheme. That said, I understand, the creation of another scheme to provides a hint on the transport is not moving in the right direction. It is unclear to me why this woudl not be recommended and, just for my personal comprehension, how dns versus (dnss or dots) would differ from http versus https. > but it would avoid some of the worst questions about equivalence. > > regards, > > Ted > > > >> My impression also is that some people are willing to deploy DoT or DoH >> on non standard port, thought I might wrong. >> >> >> >> For DoH, my understanding is that URI is formed according to the URI >> template. I think that being able to provide the path could be useful >> especially when different paths will be associated to different service. >> Maybe additional element may also be useful to add. I do not think the >> current dns scheme enables this and I would be happy to have your thoughts >> on it as I am not particularly familiar with uri template. >> >> >> >> Basically using the old dns uri, this would be something like: >> >> dns://host.example:443/dns-with-parental-protection/ >> www.example.org?clAsS=IN;tYpE=A >> >> dns://host.example:443/dns-without-filtering/ >> www.example.org?clAsS=IN;tYpE=A >> >> >> >> Yours, >> >> Daniel >> >> On Thu, Mar 19, 2020 at 1:44 PM Ted Hardie <ted.ietf@gmail.com> wrote: >> >>> Hi Daniel, >>> >>> I'm not sure I understand the need here. The existing DNS URI scheme >>> uses the standard authority semantics, so it permits a port. It seems >>> like using that gives you the same semantics as these additional schemes. >>> That is: >>> >>> dns://host.example:53/www.example.org.?clAsS=IN;tYpE=A >>> >>> dns://host.example:853/www.example.org.?clAsS=IN;tYpE=A >>> >>> dns://host.example:443/www.example.org.?clAsS=IN;tYpE=A >>> >>> seem to handle the cases where you need to specifically call out DNS is >>> being served over traditional transports (UDP and TCP over 53), DoT, and >>> DoH. >>> >>> What am I missing here? >>> >>> thanks, >>> >>> Ted >>> >>> On Thu, Mar 19, 2020 at 9:52 AM Daniel Migault <daniel.migault= >>> 40ericsson.com@dmarc.ietf.org> wrote: >>> >>>> Hi, >>>> >>>> Please find a draft describes URIs that describes the DNS resource >>>> being accessed through DNS53, DoT and DoH. >>>> >>>> Any comment / suggestions are welcome. >>>> >>>> Yours, >>>> Daniel >>>> >>>> -----Original Message----- >>>> From: internet-drafts@ietf.org <internet-drafts@ietf.org> >>>> Sent: mercredi 18 mars 2020 22:57 >>>> To: Daniel Migault <daniel.migault@ericsson.com> >>>> Subject: New Version Notification for draft-mglt-dprive-dns-uri-00.txt >>>> >>>> >>>> A new version of I-D, draft-mglt-dprive-dns-uri-00.txt has been >>>> successfully submitted by Daniel Migault and posted to the IETF repository. >>>> >>>> Name: draft-mglt-dprive-dns-uri >>>> Revision: 00 >>>> Title: Domain Name System Uniform Resource Identifiers for DNS >>>> over HTTPS and DNS over TLS >>>> Document date: 2020-03-18 >>>> Group: Individual Submission >>>> Pages: 7 >>>> URL: >>>> https://www.ietf.org/internet-drafts/draft-mglt-dprive-dns-uri-00.txt >>>> Status: >>>> https://datatracker.ietf.org/doc/draft-mglt-dprive-dns-uri/ >>>> Htmlized: >>>> https://tools.ietf.org/html/draft-mglt-dprive-dns-uri-00 >>>> Htmlized: >>>> https://datatracker.ietf.org/doc/html/draft-mglt-dprive-dns-uri >>>> >>>> >>>> Abstract: >>>> Today DNS resources may also be accessed using multiple transport >>>> which includes DNS over UDP/TCP port 53 [RFC1034],[RFC1035]. DNS >>>> over TLS [RFC7858] or DNS over HTTPS [RFC8484]. This document >>>> describes URIs that describes the DNS resource as well as indicate >>>> the transport to access the resource. >>>> >>>> >>>> >>>> >>>> Please note that it may take a couple of minutes from the time of >>>> submission until the htmlized version and diff are available at >>>> tools.ietf.org. >>>> >>>> The IETF Secretariat >>>> >>>> >>>> _______________________________________________ >>>> dns-privacy mailing list >>>> dns-privacy@ietf.org >>>> https://www.ietf.org/mailman/listinfo/dns-privacy >>>> >>> _______________________________________________ >>> dns-privacy mailing list >>> dns-privacy@ietf.org >>> https://www.ietf.org/mailman/listinfo/dns-privacy >>> >> >> >> -- >> Daniel Migault >> Ericsson >> > -- Daniel Migault Ericsson
- [dns-privacy] FW: New Version Notification for dr… Daniel Migault
- Re: [dns-privacy] FW: New Version Notification fo… Ted Hardie
- Re: [dns-privacy] FW: New Version Notification fo… Daniel Migault
- Re: [dns-privacy] FW: New Version Notification fo… Ted Hardie
- Re: [dns-privacy] [Ext] FW: New Version Notificat… Paul Hoffman
- Re: [dns-privacy] FW: New Version Notification fo… Daniel Migault
- Re: [dns-privacy] [Ext] FW: New Version Notificat… Daniel Migault
- Re: [dns-privacy] [Ext] FW: New Version Notificat… Paul Hoffman
- Re: [dns-privacy] [Ext] FW: New Version Notificat… Daniel Migault