Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Tony Finch <dot@dotat.at> Tue, 21 August 2018 11:33 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B30C2130EF6 for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 04:33:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id csszyhYDwIeg for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 04:33:12 -0700 (PDT)
Received: from ppsw-30.csi.cam.ac.uk (ppsw-30.csi.cam.ac.uk [131.111.8.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AE67130EDE for <dnsop@ietf.org>; Tue, 21 Aug 2018 04:33:12 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:55234) by ppsw-30.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1fs4uH-000B1g-fb (Exim 4.91) (return-path <dot@dotat.at>); Tue, 21 Aug 2018 12:33:05 +0100
Date: Tue, 21 Aug 2018 12:33:05 +0100
From: Tony Finch <dot@dotat.at>
To: Tom Pusateri <pusateri@bangj.com>
cc: Ted Lemon <mellon@fugue.com>, Paul Ebersman <list-dnsop@dragon.net>, Paul Vixie <paul@redbarn.org>, dnsop <dnsop@ietf.org>
In-Reply-To: <252FC541-311D-4892-9F0D-B0D7BB2EEC2A@bangj.com>
Message-ID: <alpine.DEB.2.20.1808211229280.3596@grey.csi.cam.ac.uk>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <alpine.DEB.2.20.1808201720060.3596@grey.csi.cam.ac.uk> <23C2BA0B-B4A7-49F2-9FFD-90B90E2928B5@bangj.com> <56B7EA81-A840-4320-BDD0-781E9D999904@vpnc.org> <B5CCB149-BEE2-46D4-BF3C-C32D5BCA3EA3@bangj.com> <20180821014030.C2678AD6354@fafnir.remote.dragon.net> <922DCF48-BA8A-42B8-99BA-2B367D981568@bangj.com> <5B7B7718.7090301@redbarn.org> <EEEB9610-FB85-475D-ACF4-8F07E9884D8D@bangj.com> <CAPt1N1k=xnSiF_DQXz6OS=MdRe5YHbL0CgXHAUdgWgH4vdBDMA@mail.gmail.com> <DA13BC82-2308-4B28-B86B-A52D678A1BFD@bangj.com> <252FC541-311D-4892-9F0D-B0D7BB2EEC2A@bangj.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/A3cVtnD59siS_XhNrf4fP-bcCkg>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 11:33:14 -0000

Tom Pusateri <pusateri@bangj.com> wrote:

> Come to think of it, DNSSEC validation in the stub resolver or browser
> is really a place DoH could shine. Instead of all the round trips
> required for validating up (down) the chain,

With DNS to a recursive server (UDP, TCP, or TLS) as currently deployed,
you only need 1 round trip in simple cases or 2 round trips if there's a
CNAME or SRV (etc.) because you know ahead of time all the queries you
need to make to get the validation chain and they can trivially be
pipelined.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
individual and social justice