Re: [DNSOP] Draft for dynamic discovery of secure resolvers

"John Levine" <johnl@taugh.com> Sat, 18 August 2018 22:00 UTC

Date: 18 Aug 2018 18:00:24 -0400
Message-Id: <20180818220024.E56F62003AEADE@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: paul@redbarn.org
In-Reply-To: <5B7893C9.7000703@redbarn.org>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4xiCLKn56pc0LrJ7l6JoXIgnQY4>

In article <5B7893C9.7000703@redbarn.org> you write:
> it is in other words a thin DNS-only way to do what Tor does.

Considering what we know about Tor, that is not encouraging.

It seems to me that the most likely scenario for DoH is in javascript
apps that need to look up something other than an A record (SRV
perhaps) so the most likely DoH server is the one that the javascript
came from.  No fancy configuration needed for that.

R's,
John
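The deployment John sketches, as an added example that is not part of the thread: a script served by some origin builds an SRV query in DNS wire format, POSTs it as application/dns-message (RFC 8484) to that same origin, and parses the answer. The `/dns-query` path, the sample response bytes and the `lookupSrv` name are assumptions of this example.

```javascript
// Added example (not the thread's code): SRV lookup over DoH (RFC 8484) from the page's own origin; '/dns-query' and the sample data are assumptions.
// DNS wire-format name: length-prefixed labels ending in a zero byte.
function encodeName(name) {
  const labels = name.replace(/\.$/, '').split('.').map(l => new TextEncoder().encode(l));
  return labels.flatMap(l => [l.length, ...l]).concat(0);
}
// Query for <name> SRV IN (type 33): 12-byte header with ID 0 (RFC 8484), RD=1, one question.
function buildSrvQuery(name) {
  return Uint8Array.from([0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, ...encodeName(name), 0, 33, 0, 1]);
}
// Read a possibly compressed name at off; returns [name, offset after the name].
function readName(buf, off) {
  const labels = []; let next = -1, hops = 0;
  for (let len = buf[off]; len !== 0; len = buf[off]) {
    if (len === undefined) throw new Error('truncated name');
    if ((len & 0xc0) === 0xc0) {             // compression pointer (RFC 1035 4.1.4)
      if (++hops > 16) throw new Error('compression loop'); // bounded: hostile data cannot loop us
      if (next < 0) next = off + 2;
      off = ((len & 0x3f) << 8) | buf[off + 1];
    } else {
      labels.push(new TextDecoder().decode(buf.subarray(off + 1, off + 1 + len)));
      off += 1 + len;
    }
  }
  return [labels.join('.'), next < 0 ? off + 1 : next];
}
// Pull SRV RDATA (priority, weight, port, target; RFC 2782) out of a response message.
function parseSrvAnswers(buf) {
  const dv = new DataView(buf.buffer, buf.byteOffset, buf.byteLength), out = [];
  if ((buf[3] & 0x0f) !== 0) throw new Error('RCODE ' + (buf[3] & 0x0f));
  let off = 12;
  for (let i = 0; i < dv.getUint16(4); i++) off = readName(buf, off)[1] + 4; // skip QTYPE, QCLASS
  for (let i = 0; i < dv.getUint16(6); i++) {
    const [name, o] = readName(buf, off), rd = o + 10;    // RDATA follows TYPE CLASS TTL RDLENGTH
    if (dv.getUint16(o) === 33) out.push({ name, priority: dv.getUint16(rd), weight: dv.getUint16(rd + 2),
      port: dv.getUint16(rd + 4), target: readName(buf, rd + 6)[0] });
    off = rd + dv.getUint16(o + 8);
  }
  return out;
}
// The DoH request itself: POST to the same origin the script came from, no resolver config.
async function lookupSrv(name, origin = location.origin) {
  const res = await fetch(origin + '/dns-query', { method: 'POST', body: buildSrvQuery(name),
    headers: { 'content-type': 'application/dns-message', accept: 'application/dns-message' } });
  return parseSrvAnswers(new Uint8Array(await res.arrayBuffer()));
}
// Constructed response: _sip._tcp.example.com SRV 10 5 5060 sipserver.example.com, target tail compressed (0xc0 0x16).
const SAMPLE_RESPONSE = Uint8Array.from([0, 0, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
  ...encodeName('_sip._tcp.example.com'), 0, 33, 0, 1, 0xc0, 0x0c, 0, 33, 0, 1, 0, 0, 1, 0x2c, 0, 18,
  0, 10, 0, 5, 0x13, 0xc4, 9, ...new TextEncoder().encode('sipserver'), 0xc0, 0x16]);
```

The only thing the app needs to know is its own origin, which is the "no fancy configuration" point; the bounded pointer-hop check is what keeps a hostile or buggy DoH response from hanging the parser.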