Re: [DNSOP] New draft for helping browsers use the DoH server associated with a resolver

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Fri, 24 August 2018 13:43 UTC

Return-Path: <vladimir.cunat@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D291124BE5 for <dnsop@ietfa.amsl.com>; Fri, 24 Aug 2018 06:43:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.021
X-Spam-Level:
X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v-7yGqn47xVA for <dnsop@ietfa.amsl.com>; Fri, 24 Aug 2018 06:43:53 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 276B4126BED for <dnsop@ietf.org>; Fri, 24 Aug 2018 06:43:52 -0700 (PDT)
Received: from [IPv6:2001:1488:fffe:6:85a:7fff:fe3b:249d] (unknown [IPv6:2001:1488:fffe:6:85a:7fff:fe3b:249d]) by mail.nic.cz (Postfix) with ESMTPSA id 2E02262782; Fri, 24 Aug 2018 15:43:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1535118231; bh=g86aHOFn45IbdkdursnbLsL1qD11POFPmrnW7EWr3ME=; h=To:From:Date; b=fu08GGEK5G/MqDFrmwEAU/vvb31ft+VaBRAlApGgwxk0/ifZkQAEA0nC79D0ZQMQo jSr1ZIBTktleVYaxiaRIpr0w0FmJjHg2IjuBIaNlgyhG5uGWF1kwik9Lzv8Ei/I2pI e6SQFHODT4yUw8Je5Plen6oYVPG6xGs9CM54eTKc=
To: dnsop@ietf.org, Paul Hoffman <paul.hoffman@icann.org>
References: <3D4A9165-6EE8-4997-A9F7-DB19632C25F3@icann.org>
From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>
Openpgp: preference=signencrypt
Autocrypt: addr=vladimir.cunat+ietf@nic.cz; prefer-encrypt=mutual; keydata= xsFNBFgDknYBEADHEQwLBlfqbVCzq7qYcBFFTc1WCAFtqiKehOrsITnKusZw4nhYwlKQxcum gj01xJOhbfHBCBeGlDydYqemKg4IfY2nwSyPwZZYMJn7L7AGrCeytr4VMvDJ7o7qDZjjim4i fv+GUwdk3plXx6oMF4nctesI8aAOuLUHAn0PfrGfNhWoaglOKgdOI6DGjhI/aGkvy+jrI/+X sdMV+3f1RuEOfI+Yu4SXFjJyhAmqEOBRxxdHqKreIIpz3Lg38yWwiVGfwgQT+nFIz9BpHH3l Wg1uS8xM3ezceBmRYV8zT9PvbeZ57BlaTR6rLae5RYwV397PSLBqqLkB5H0TDRUFBnwBsUob LebYHmJCOydvyNv5AFkLmLZ7O4j2jFo1WPSMt3ThM6wRwqrnB4Gi+6onyrZfE1DnVZMqbxZ3 VXa+E4S5YwrfCLUErGEn+d40OtoRZmQXhRPVAsdjimMj9oFM9RoxSgUrDg6Ia3n0IrKFb++z HAFbqkR5g4qzXiOMEG621GYEex2sDEKz/PD4CVKlNI9eld4ToH592kAwzJmd+sAi+Rfos0NE zxuFd0ekAOeWoURo0zoYTSWPlMOmFMvcpH6LP3leJmY7x4z/b1ng/+7UnKonVALVPFbRbElO kIfAtLKcUEofwV1jr7DyYGPalJtiDJPomB041ZHCj2RxyXY/oQARAQABzTBWbGFkaW3DrXIg xIx1bsOhdCAod29yaykgPHZsYWRpbWlyLmN1bmF0QG5pYy5jej7CwZcEEwEIAEECGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQS2AGRgtgqA54IGJEnnR98flXWjqgUCWcjP 7AIZAQAKCRDnR98flXWjqm8lEACTETgda85SApnaGB5dBzpCFf4cGLlB88uALlsLUGQJNxte 490q5lk92Dkn/7QYZu2pZImddZcvUPVVlazqWmAz0ByWxufReewdJfi6TJp+tH2/XsKdQwxe BeiCBOzVreN3jG9rRANCr3AOu73hxlTquwGyOKZ4299GSIbpu4Aepkk9uUJDpUMj04+ikemT 6tX3cGPeAtWetskAo00eWNzEVFXsPVcLX1oUmOsaMQhgEK/ErboyDdVgyb+OjvWdrIVbJLr9 loQ9MJVAKquBfr7gAJej+0xNLIVDzJQxcqaoxlc0rKeOXsp5EvTyILaxngHl7tx6673nG//g PMiZB/kRMFsBLGLKtIdFFvrS0OyTCOHukXFkYdbQb8cBPdKzfA9uSw/DGwxMh+A4sGpKIfDZ lL3ZjcNBtTUofVdZJh2HAICb2oXeQpnJlg6IoMj0pnfBsXR7unb1y+SYnwNte3GYumzsnvDk 57lQipUevgZii+1K7NFL4DFQSkFZ5A6fEo17r+gQea4sZ10dwTpTzBQYa7PzqCeFT6v219KQ D9oVRx0EiIiKphLMymqOo0YoPvbuTvsNsnNu46MJcX5xiLIIr8q/Jhzdcw0rvVcjvL29qVZu 3jM3KOCTIqOJlJwJoe/QDssNqUXuA6Gylx693R1qmy2Qy/8e8mDz3So7s7Ho3M7BTQRYA5J2 ARAAyHww3huLEtsdyqgjiGMhtEKOLmp7yFl450HY9oPcHS02U5BC1370ssNShrdOCi2ACDbe 41Zxx85WcuaO1OVqung2umX047mj2xQsiTAFRDLZsQu8cQFoEy/DBL2bk7ThfK1Lh+NyZAs0 UaPpDkGodS0De9osA+4T6Nf4POYaeavbYVFSdDKS4lUboBqApKnD/TzKFxFcpuFx6FN92lte TbOojGMiLoZvELY86Kn9KuFZ8FM2ZSNHx1Z75KouufGrdkeCoZYVYiuzT+fnt2it4dIpIlnF +yxMt5LB/MSrmECB5CAFJtxzuMccm6yDUZQSWWi9vUgxIJwvt5w0CIBT353DGeP4WnH0r5Yo BKoRbh7i4fT0lWvMXTG/V2lqyzBdClMebyHffMgba26Kj6oeDygDfC5aGsVaqw1Ue/qQ5QRq TJcJV7xVLTtS1EamVqkfKwPS0zTfnrF1jQtnO/P4qkfgBRRG9BXGGrykHpXOyqmX6Z0wbV2P 4j+p02oSecDl5yVXplJfsXfbS/xXnaSkaN/7mCU29ul26cAVNxDkDPunztSFi9K9LM2T/XWY JQGXM71OpmONQJGF24lx7Wp/kobnHtbjGDzjDPC4eSL7MA56qtrWaLM+4ePKANct2q0q6c0u SLs0Q2zochS64Mcg0YzL1sinWPN1rXLDk3lwpIsAEQEAAcLBZQQYAQgADwUCWAOSdgIbDAUJ CWYBgAAKCRDnR98flXWjqn4yEACA0f1XBAg+WMaNPtIt0k15yFPfhdbOg9GhDcYGgvFIOxRu aFWw9SLUt7OGuUnIpKxKRXtQJss98fHkijo70ONYWPuLhfRGK/wg9Ao6MuFw5G8m431CBS/a wrieb6iPjvAARXJCPTTBZk/NC988jiKdCh8PbTCHDsl+gSDytP15QUrdqSfS2Wf4653ej7+j tuTjxZzmGgvNSi6JDlb9KNtmBQKQAgpnOQM46ItESmzHDnmdcvhPLUDsjwkpIJ6clasOzaOb wxJiba7iFPcGwcClCSwYjMNXFtneCGUnEAa5RBIx+i+LV1iqB3VRvTC6tMIUueoQ7cdTy6af NkhwQYXm4/pDmNT8UMdnzwnlTpFQ0CegDQRDWc+dIDDBHGEEEYBh2vTOE04KrmYUp1bQsNeg PfvLwoHib0jEvohPMJ2fJtZAd1SJElgwPbM8H7emKBiTsHwF8gL7G2jo7AoGpqYjqXkCRS0t SLTNr+qHh+7Ltrkbu/ZVTTfh4Q/qw3VaLYQh4C0tBma/YevQy1O2c3TZXXFz1QF8b9/Hj/3s q2KgT1AcZ51E+xG+cb6cUqgkihmgm39xx24GPlNAdCRuq01+iILol+Wox6OwF6hmqx1EMSmx cmGoUREr0rkMnFVsWeAYeVoE4q689qxCPu9iCMJMJnkRe1o9oQYSN7my+S98gA==
Message-ID: <5220d889-e587-d6dc-db45-0d76370eabae@nic.cz>
Date: Fri, 24 Aug 2018 15:43:51 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.0
MIME-Version: 1.0
In-Reply-To: <3D4A9165-6EE8-4997-A9F7-DB19632C25F3@icann.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EBmylksofX9JO67b9gc64njVbwk>
Subject: Re: [DNSOP] New draft for helping browsers use the DoH server associated with a resolver
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Aug 2018 13:43:56 -0000

On 08/24/2018 02:01 AM, Paul Hoffman wrote:
> Thoughts?

Well, if the OS resolver is validating, it will SERVFAIL with such a
query.  Furthermore, if it uses aggressive caching, it may even give a
negative reply without asking upstream that would answer positively. 
That is, unless the RFC instructs forwarding resolvers to do otherwise,
but that would seem a nasty special case for little benefit.

I assume the non-validation is a conscious tradeoff, as such resolvers
seem not a common OS default, and they're more likely to support DoT or
DoH anyway, hopefully reducing the need for browsers to roll their own.

I'm not sure I understand the motivation for the stated use case, but
apparently others perceive it as useful...

--Vladimir