Re: [DNSOP] Request for adoption: draft-sah-resolver-information

tirumal reddy <kondtir@gmail.com> Tue, 09 July 2019 10:47 UTC

References: <F00B09EC-24D8-40C1-8A6C-86C2FD63A062@icann.org>
In-Reply-To: <F00B09EC-24D8-40C1-8A6C-86C2FD63A062@icann.org>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 09 Jul 2019 16:16:44 +0530
Message-ID: <CAFpG3gcLF-tYJtiiV8kDKHa-rdSb=DQqLYuV-n+XX-PG5qEWmw@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LNDPIab9E0zj8wKWYueZS8IPKbo>
Subject: Re: [DNSOP] Request for adoption: draft-sah-resolver-information

Hi Paul,

My comments below:

1) Unless a DNS request for <reverse-ip>.{in-addr,ip6}.arpa/IN/RESINFO,
   or a subdomain, as described in Section 2 is sent over DNS-over-TLS
   (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], or unless the
   <reverse-ip>.{in-addr,ip6}.arpa zone is signed with DNSSEC, the
   response is susceptible to forgery.

Comment> If the stub resolver is already using DoH with the recursive
resolver, why does it have to determine the URI template of the DoH server?

2) DHCP clients typically have no secure and trusted relationships with DHCP
servers; how will the client know it is communicating with the recursive
resolver hosted in the attached network?

3)
   In the future, DHCP and/or DHCPv6 and/or RA may have options that
   allow the configuration to contain the domain name of a resolver.  If
   so, this can be used for matching the domain name in the TLS
   certificate.

Comment> Same comment as above; please see
https://tools.ietf.org/html/rfc8310#section-7.3.1

4) Any specific reason for picking I-JSON ?

5) The resolver information can also be provided in the server certificate
itself, for example see
https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-04#section-10.1.
The pros and cons of both approaches need to be discussed in the WG.

Cheers,
-Tiru

On Fri, 28 Jun 2019 at 00:14, Paul Hoffman <paul.hoffman@icann.org> wrote:

> Greetings. We have again updated draft-sah-resolver-information based on
> comments from this mailing list. We think that this is ready for adoption
> by the WG so that the initial use of the protocol (to be able to determine
> the URI template of the DoH server preferred by your current resolver) can
> move forward as well.
>
> --Paul Hoffman
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
>
>         Title           : DNS Resolver Information Self-publication
>         Authors         : Puneet Sood
>                           Roy Arends
>                           Paul Hoffman
>         Filename        : draft-sah-resolver-information-02.txt
>         Pages           : 9
>         Date            : 2019-06-27
>
> Abstract:
>    This document describes methods for DNS resolvers to self-publish
>    information about themselves, such as whether they perform DNSSEC
>    validation or are available over transports other than what is
>    defined in RFC 1035.  The information is returned as a JSON object.
>    The names in this object are defined in an IANA registry that allows
>    for light-weight registration.  Applications and operating systems
>    can use the methods defined here to get the information from
>    resolvers in order to make choices about how to send future queries
>    to those resolvers.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-sah-resolver-information/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-sah-resolver-information-02
> https://datatracker.ietf.org/doc/html/draft-sah-resolver-information-02
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-sah-resolver-information-02
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
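The RESINFO lookup discussed in point 1 of the reply above, as an added example that is not part of this thread or of draft-sah-resolver-information: it builds the `<reverse-ip>.{in-addr,ip6}.arpa` owner name for a resolver address, parses the returned object under the I-JSON constraints the draft relies on (UTF-8, a top-level object, no duplicate member names), and applies the draft's own caveat that an answer is only trustworthy when it arrived over DoT/DoH or the reverse zone was DNSSEC-validated. The transport and validation status are assumed to be known to the caller and are passed in as parameters; the member name `doh-template` in the constructed sample payload is a placeholder, not a name registered by the draft.

```python
"""Added example: RESINFO query name construction and a trust gate for the
answer, following the caveat quoted in point 1 (not code from the draft)."""
import ipaddress
import json
from typing import List, Optional, Tuple


def resinfo_qname(resolver_ip: str) -> str:
    """Return the owner name the stub queries for type RESINFO:
    <reverse-ip>.in-addr.arpa for IPv4, <reverse-ip>.ip6.arpa for IPv6.
    ipaddress.reverse_pointer already produces the RFC 1035 / RFC 3596 form."""
    return ipaddress.ip_address(resolver_ip).reverse_pointer


def _reject_duplicate_names(pairs: List[Tuple[str, object]]) -> dict:
    """I-JSON (RFC 7493) forbids duplicate member names; json.loads would
    silently keep the last one, which lets an attacker-appended member win."""
    seen = set()
    for name, _ in pairs:
        if name in seen:
            raise ValueError(f"duplicate member name: {name!r}")
        seen.add(name)
    return dict(pairs)


def parse_resinfo(payload: bytes) -> dict:
    """Parse the RESINFO payload as an I-JSON object.
    Raises UnicodeDecodeError on non-UTF-8 input and ValueError when the
    text is not a JSON object or contains duplicate member names."""
    text = payload.decode("utf-8")  # I-JSON requires UTF-8 encoding
    obj = json.loads(text, object_pairs_hook=_reject_duplicate_names)
    if not isinstance(obj, dict):
        raise ValueError("RESINFO payload must be a JSON object")
    return obj


def accept_resinfo(payload: bytes, *, transport: str,
                   dnssec_validated: bool) -> Optional[dict]:
    """Apply the draft's trust rule: unless the query went over DoT or DoH,
    or the reverse zone is DNSSEC-signed and the answer validated, the
    response is forgeable and must not drive later transport choices.
    Returns the parsed object, or None when the answer is to be ignored."""
    if transport not in ("dot", "doh") and not dnssec_validated:
        return None
    return parse_resinfo(payload)


# Constructed sample payload for the example; "doh-template" is a placeholder
# member name, not one defined by the draft or registered with IANA.
SAMPLE_PAYLOAD = (
    b'{"doh-template": "https://dns.example.net/dns-query{?dns}",'
    b' "dnssec-validation": true}'
)


if __name__ == "__main__":
    print(resinfo_qname("192.0.2.53"))
    print(resinfo_qname("2001:db8::53"))
    # Classic UDP answer for an unsigned reverse zone: not trusted.
    print(accept_resinfo(SAMPLE_PAYLOAD, transport="udp", dnssec_validated=False))
    # Same answer over DoH: accepted and parsed.
    print(accept_resinfo(SAMPLE_PAYLOAD, transport="doh", dnssec_validated=False))
```

The gate deliberately keys on the stub's own knowledge of the channel (it opened the DoT/DoH session) or on validation it performed or received from a resolver it already trusts; an AD bit seen over plain UDP from an unauthenticated resolver does not satisfy `dnssec_validated` here.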