Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)

Paul Vixie <paul@redbarn.org> Sat, 23 March 2019 20:37 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC841130E9A for <dnsop@ietfa.amsl.com>; Sat, 23 Mar 2019 13:37:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vYrzmO5Vxps for <dnsop@ietfa.amsl.com>; Sat, 23 Mar 2019 13:37:44 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDF8F130E8F for <dnsop@ietf.org>; Sat, 23 Mar 2019 13:37:44 -0700 (PDT)
Received: from [192.168.1.19] (unknown [88.103.122.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 9C263892C6; Sat, 23 Mar 2019 20:37:43 +0000 (UTC)
To: Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org>
Cc: dnsop@ietf.org
References: <CADWWn7UZj3oAfqpcpnAenGDpZHatrvQ=97OxAWX8c3881oevhA@mail.gmail.com> <ybl5zsaxmmr.fsf@wu.hardakers.net>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <ffc14e6e-5462-bdb2-0c80-336e5d311818@redbarn.org>
Date: Sat, 23 Mar 2019 13:37:40 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.12
MIME-Version: 1.0
In-Reply-To: <ybl5zsaxmmr.fsf@wu.hardakers.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PhMMmX57_dMayRQEsCTFm0V3gGE>
Subject: Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2019 20:37:46 -0000


Wes Hardaker wrote on 2019-03-22 21:03:
> Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org> writes:
> 
>>    * We are considering a first milestone where Chrome would do an automatic
>>      upgrade to DoH when a user’s existing resolver is capable of it.
> 
> Sorry for the delayed question, but with respect to this bullet:
> 
> 1) ...
> 
> 2) ...

while i feel and echo wes's two questions, mine is different.

if all you have is an ip address (say, from dhcp or resolv.conf), how 
would you decide whether the https endpoint you found at that address, 
was using an x.509 key you had any reason to trust? https wants names.

i've run into this before. http://dot.tt.ed.quad/ is an easy grab, but i 
don't know how to negotiate for https://dot.tt.ed.quad/. if this is a 
solved problem, then i apologize to all present, for not doing my 
homework before opening up in public.

-- 
P Vixie