Re: [DNSOP] [Driu] [Doh] Resolverless DNS Side Meeting in Montreal
Joe Abley <jabley@hopcount.ca> Tue, 10 July 2018 16:47 UTC
To: Ted Lemon <mellon@fugue.com>
Cc: Adam Roach <adam@nostrum.com>, DoH WG <doh@ietf.org>, driu@ietf.org, dnsop WG <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Patrick McManus <pmcmanus@mozilla.com>, Philip Homburg <pch-dnsop-3@u-1.phicoh.com>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IlKaVEQ-tGEXenET6I8JFD3-juM>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Jul 10, 2018, at 17:41, Ted Lemon <mellon@fugue.com> wrote:

> On Tue, Jul 10, 2018 at 12:34 PM, Joe Abley <jabley@hopcount.ca> wrote:
>
> > But this is really equivalent in just about every important way to
> > sending the normal <img src="https://example.com/img/f.jpg"> along with a
> > pushed DNS record that indicates that "example.com" resolves to
> > "192.0.2.1" -- and this latter thing is (to my understanding, at least) in
> > scope of the conversation that Patrick is proposing to have.
> >
> > My question is why you would involve the DNS at all if all the
> > performance-based resolution decisions can be made without it. You're
> > just adding cost and complexity without benefit
>
> The ip= modifier would be a great way to arrange for something to look like
> it came from a different source than its actual source. I'm sure there's an
> attack surface in there somewhere.

I haven't thought hard enough to say what vulnerability that would enable that wasn't already there using unsigned zones (because enterprise DNS tricks or some other reason) but you're probably right.

Joe