Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Ted Hardie <ted.ietf@gmail.com> Mon, 11 March 2019 18:31 UTC

References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <FACB852B-4BC4-4234-A728-9068708EFB10@rfc1035.com> <CAHw9_iKc5_i+rC-oOe3RJufFe_Jm3GmTN4UbQ6VLpcqodR8d9g@mail.gmail.com> <8855871d-c059-3938-12a1-62f21c089e1d@redbarn.org> <CA+9kkMAxVzQi6o7FMEW6L5fC4x_VEAa9X7vjyUu==gjuAxTaeA@mail.gmail.com> <5456b9d9-844f-f410-3935-2b2d3ae22745@redbarn.org>
In-Reply-To: <5456b9d9-844f-f410-3935-2b2d3ae22745@redbarn.org>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Mon, 11 Mar 2019 11:30:51 -0700
Message-ID: <CA+9kkMDo54N=DoL1HAQoMYSe1jrexXXrA3ZXkkve0CJ2-bvd4Q@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Warren Kumari <warren@kumari.net>, Jim Reid <jim@rfc1035.com>, DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-MXJUt-nw-eOZ-Q-Au0GwM-iPjI>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

On Mon, Mar 11, 2019 at 11:06 AM Paul Vixie <paul@redbarn.org> wrote:

>
> DoH will moot that approach.
>

Any system that actually checks the credentials presented by the responding
server will also moot that approach.  Given how easy it is to pin
credential characteristics in applications distributed as binaries, this
seems to mean that your method will either continue to permit applications
other than browsers to use their own resolution systems or it will hard
fail all such applications it can identify.  No pass-through will work, as
far as I can tell, in that scenario.

Perhaps, though, I am missing something about your intent.

Ted Hardie



-- 
> P Vixie
>
>
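The "pinning credential characteristics" that the reply above relies on is, in practice, an application comparing the SHA-256 hash of the resolver certificate's SubjectPublicKeyInfo against a set compiled into the binary. The following is an added illustration written for this archive page, not code from the thread or from any DoH implementation; the resolver name `doh.example.net`, the impostor name `intercept.example.net` and the certificates it mints are constructed test data. It shows the check a client would run in `VerifyPeerCertificate` (which Go runs after normal chain validation), and why a network operator's substitute certificate, however well signed, fails that check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the form in which public-key pins are usually expressed and shipped.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// selfSignedCert mints a throwaway certificate for name (constructed test data,
// standing in for whatever chain a real resolver or interceptor would present).
func selfSignedCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckPins accepts a presented chain only if some certificate in it carries
// a pinned SPKI hash. A substituted certificate with a different key fails
// here even when it chains to a CA the client otherwise trusts.
func CheckPins(rawCerts [][]byte, pins map[string]bool) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if pins[SPKIPin(cert)] {
			return nil
		}
	}
	return errors.New("no certificate in chain matches a pinned SPKI hash")
}

// PinningTLSConfig is what a DoH client would hand to its HTTP transport:
// ordinary chain validation plus the pin check on top.
func PinningTLSConfig(serverName string, pins map[string]bool) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return CheckPins(rawCerts, pins)
		},
	}
}

// Demo pins the genuine resolver's key, then presents both the genuine and
// an impostor certificate. Returns whether each was accepted.
func Demo() (genuineAccepted, impostorAccepted bool, err error) {
	genuine, err := selfSignedCert("doh.example.net")
	if err != nil {
		return false, false, err
	}
	impostor, err := selfSignedCert("intercept.example.net")
	if err != nil {
		return false, false, err
	}
	pins := map[string]bool{SPKIPin(genuine): true} // the set baked into the binary
	genuineAccepted = CheckPins([][]byte{genuine.Raw}, pins) == nil
	impostorAccepted = CheckPins([][]byte{impostor.Raw}, pins) == nil
	return genuineAccepted, impostorAccepted, nil
}

func main() {
	g, i, err := Demo()
	fmt.Printf("genuine accepted=%v impostor accepted=%v err=%v\n", g, i, err)
	_ = PinningTLSConfig("doh.example.net", nil)
}
```

The operational consequence is the one the reply describes: a pass-through that re-signs or substitutes the resolver's certificate cannot satisfy the pin, so the client either reaches the real resolver or fails closed.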