Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Tom Pusateri <pusateri@bangj.com> Tue, 21 August 2018 16:51 UTC

Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 482A4130DBE for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 09:51:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qmRGhtDJlMit for <dnsop@ietfa.amsl.com>; Tue, 21 Aug 2018 09:51:35 -0700 (PDT)
Received: from oj.bangj.com (amt0.gin.ntt.net [129.250.11.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4361D130E59 for <dnsop@ietf.org>; Tue, 21 Aug 2018 09:51:35 -0700 (PDT)
Received: from [172.16.10.126] (unknown [107.13.224.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 32DB22337; Tue, 21 Aug 2018 12:47:32 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <alpine.DEB.2.20.1808211229280.3596@grey.csi.cam.ac.uk>
Date: Tue, 21 Aug 2018 12:51:33 -0400
Cc: Ted Lemon <mellon@fugue.com>, Paul Ebersman <list-dnsop@dragon.net>, Paul Vixie <paul@redbarn.org>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D6FBACAD-2041-456A-840A-6B667E3D9D9F@bangj.com>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <alpine.DEB.2.20.1808201720060.3596@grey.csi.cam.ac.uk> <23C2BA0B-B4A7-49F2-9FFD-90B90E2928B5@bangj.com> <56B7EA81-A840-4320-BDD0-781E9D999904@vpnc.org> <B5CCB149-BEE2-46D4-BF3C-C32D5BCA3EA3@bangj.com> <20180821014030.C2678AD6354@fafnir.remote.dragon.net> <922DCF48-BA8A-42B8-99BA-2B367D981568@bangj.com> <5B7B7718.7090301@redbarn.org> <EEEB9610-FB85-475D-ACF4-8F07E9884D8D@bangj.com> <CAPt1N1k=xnSiF_DQXz6OS=MdRe5YHbL0CgXHAUdgWgH4vdBDMA@mail.gmail.com> <DA13BC82-2308-4B28-B86B-A52D678A1BFD@bangj.com> <252FC541-311D-4892-9F0D-B0D7BB2EEC2A@bangj.com> <alpine.DEB.2.20.1808211229280.3596@grey.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IG9695eM2MS9EVXFG_UNWPuZW7U>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 16:51:37 -0000


> On Aug 21, 2018, at 7:33 AM, Tony Finch <dot@dotat.at> wrote:
> 
> Tom Pusateri <pusateri@bangj.com> wrote:
> 
>> Come to think of it, DNSSEC validation in the stub resolver or browser
>> is really a place DoH could shine. Instead of all the round trips
>> required for validating up (down) the chain,
> 
> With DNS to a recursive server (UDP, TCP, or TLS) as currently deployed,
> you only need 1 round trip in simple cases or 2 round trips if there's a
> CNAME or SRV (etc.) because you know ahead of time all the queries you
> need to make to get the validation chain and they can trivially be
> pipelined.
> 
> Tony.

Yes, and with CHAIN Query Requests in DNS it’s even better. But this still can’t beat the fore knowledge the web/DoH server has about the page you’re viewing. The web/DoH server can HTTP/2 Push all of validation records for links you MAY click on in the future while you’re reading the page, taking into account the scroll position of your page. The validation can then be done in the browser before you click on the link and once you do, the browser knows the address and has validated it.

Tom