Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Tom Pusateri <pusateri@bangj.com> Tue, 21 August 2018 00:47 UTC

> On Aug 20, 2018, at 12:42 PM, Tony Finch <dot@dotat.at> wrote:
> 
> Marek Vavruša <mvavrusa=40cloudflare.com@dmarc.ietf.org> wrote:
>> 
>> https://github.com/vavrusa/draft-dhcp-dprive/blob/master/draft-dhcp-dprive.txt
> 
> This is interesting to me because I want to support DoTH on my campus
> resolvers.
> 
> Regarding DoH, the DHCP option ought to include a URI template (there
> isn't a .well-known for DoH). I plan to set up my servers so that
> misdirected attempts to get web pages from the DoH server are redirected
> to the relevant documentation; that's much easier if the DoH endpoint
> isn't at the server root.

Our variant of this same idea that Willem Toorop and I presented at the DRIU BOF in Montréal has a URI for the DoH case:

https://tools.ietf.org/html/draft-pusateri-dhc-dns-driu-00

But let me remind everyone that there were a lot of people agreeing with Ted in Montréal and so far, Ted appears to be standing all by himself.

Where are all the other folks that shot down this idea earlier? :)

Thanks,
Tom
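As an added illustration (not code from this thread or from either draft), this is what a stub resolver does with a DoH URI template of the kind Tony suggests the DHCP option should carry: build the wire-format question, base64url-encode it, and expand the template per RFC 8484's GET form. The resolver hostname is made up, and only the `{?dns}` form-style expression from RFC 6570 is handled.

```python
import base64
import struct

# Constructed template in the shape RFC 8484 requires for DoH GET requests:
# an RFC 6570 template whose only defined variable is "dns". The hostname
# is invented; in practice the whole string would come from the DHCP option.
EXAMPLE_TEMPLATE = "https://doh.resolver.example/dns-query{?dns}"


def build_query(name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Return a minimal DNS query in wire format (RFC 1035).

    ID is 0 and only RD is set, as RFC 8484 recommends for GET so that the
    same question always yields the same URL and HTTP caches can serve it.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def encode_dns_param(query: bytes) -> str:
    """base64url without '=' padding, as the 'dns' variable requires."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def expand_doh_template(template: str, query: bytes) -> str:
    """Expand a DoH URI template into the URL for a GET request.

    A template without the 'dns' variable is rejected: without it there is
    no way to hand the question to the resolver, so a bare host or root URL
    (the case Tony's mail argues against) is not usable as a DoH endpoint.
    """
    if "{?dns}" not in template:
        raise ValueError("DoH URI template must contain {?dns}")
    return template.replace("{?dns}", "?dns=" + encode_dns_param(query))


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(expand_doh_template(EXAMPLE_TEMPLATE, q))
```

For `www.example.com` the encoded `dns` value matches the worked example in RFC 8484 section 4.1.1, which is a quick way to check an implementation.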