MIME-Version: 1.0
Sender: christopher.morrow@gmail.com
In-Reply-To: <alpine.OSX.2.11.1607131038580.59935@ary.lan>
References: <e5c97630-a11f-0c93-8f4b-482764c85f71@gmail.com>
 <20160711235005.29302.qmail@ary.lan>
 <20160712221041.783a2b04@pallas.home.time-travellers.org>
 <alpine.DEB.2.11.1607131058310.8225@grey.csi.cam.ac.uk>
 <CAL9jLaZ0Yc1bUzixccw7S1tP+21XCHoaqNPjvdeNQ2ERkqqe1A@mail.gmail.com>
 <alpine.OSX.2.11.1607131038580.59935@ary.lan>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Wed, 13 Jul 2016 22:27:35 +0100
Message-ID: <CAL9jLaaD1_MBFeevUc9djteRWwMG69_wyU=0zOzCPTcEqa3JeQ@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary=001a11475b5cd7a96a05378b0d3d
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0rh1nR3W_w-IAwLdGZ7yfdbFBnU>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] JavaScript use case for DNS-over-HTTP (was Call for
 Adoption: draft-song-dns-wireformat-http)
Precedence: list

--001a11475b5cd7a96a05378b0d3d
Content-Type: text/plain; charset=UTF-8

On Wed, Jul 13, 2016 at 3:42 PM, John R Levine <johnl@taugh.com> wrote:

> why all that complexity? if some remote device (iot thingy) wants 'dns over
>> http' why would it not (as a first order answer) just ask
>> /cgi-bin/dnslookup for 'srv:foo.com' ? (returned answer in txt, json,
>> etc...)
>>
>> why bother with a bunch of javascript tomfoolery?
>>
>
> Security in IoT is close to an oxymoron, but my device would like to check
> the signature before trusting what your proxy says.
>
>
ok, I'm sure your device has some agreement with the cooperating http(s)
server though, right? it can get the text / bas64 rrsig content just as
easily as if it were doing udp/dns. (it should probably also check ssl
certificates/etc to make sure traffic did not get wonked in flight)

--001a11475b5cd7a96a05378b0d3d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Wed, Jul 13, 2016 at 3:42 PM, John R Levine <span dir=3D"ltr">&lt;<a=
 href=3D"mailto:johnl@taugh.com" target=3D"_blank">johnl@taugh.com</a>&gt;<=
/span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8=
ex;border-left:1px #ccc solid;padding-left:1ex"><span class=3D""><blockquot=
e class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc sol=
id;padding-left:1ex">
why all that complexity? if some remote device (iot thingy) wants &#39;dns =
over<br>
http&#39; why would it not (as a first order answer) just ask<br>
/cgi-bin/dnslookup for &#39;srv:<a href=3D"http://foo.com" rel=3D"noreferre=
r" target=3D"_blank">foo.com</a>&#39; ? (returned answer in txt, json,<br>
etc...)<br>
<br>
why bother with a bunch of javascript tomfoolery?<br>
</blockquote>
<br></span>
Security in IoT is close to an oxymoron, but my device would like to check =
the signature before trusting what your proxy says.<br>
<br></blockquote><div><br></div><div>ok, I&#39;m sure your device has some =
agreement with the cooperating http(s) server though, right? it can get the=
 text / bas64 rrsig content just as easily as if it were doing udp/dns. (it=
 should probably also check ssl certificates/etc to make sure traffic did n=
ot get wonked in flight)</div><div>=C2=A0</div></div></div></div>

--001a11475b5cd7a96a05378b0d3d--