Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information

"John Levine" <johnl@taugh.com> Thu, 02 May 2019 20:59 UTC


In article <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> you write:
>        Title           : DNS Resolver Information Self-publication
>        Authors         : Puneet Sood
>                          Roy Arends
>                          Paul Hoffman
>        Filename        : draft-sah-resolver-information-00.txt
>        Pages           : 9
>        Date            : 2019-04-30

Having now read it, I sympathize with its goals, but it's two separate
things lashed together.  One is sort of the 21st century version of
the old CH version.bind hack, ask the server a special funky question
and it tells you about itself.  The other is a well-known URL on a web
server at the same IP address as the DNS cache.

Both have issues -- the DNS approach is a dns-camel hack and there's
no obvious way to sign or secure it.  The web page is straightforward
give or take practical issues of running a web server on the same IP
as a DNS cache, and that getting a signed SSL certificate for an IP
can be from moderately to extremely painful depending on your budget,
the difficulty of doing an OV validation on your organization, and
your relationship with the RIR contact for your IP address.

I believe that DoT and DoH have the same certificate issues as the web
server.  I suppose you could find your DoH server by name, but if you
can do that, you could equally well find your DoT or .well-known
server by name and define the problem out of existence.

My inclination would be to put this on hold and advance the web server
part if ACME adds a way to do IP address certs.  I don't see any
reason to prefer DoH or DoT over .well-known, since it uses the same TLS
channel and has a much simpler encoding of the content.