Re: [DNSOP] [Ext] draft-sah-resolver-information-01 and draft-sah-resinfo-doh-00
"John R Levine" <johnl@taugh.com> Fri, 24 May 2019 01:12 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A13F1201D0 for <dnsop@ietfa.amsl.com>; Thu, 23 May 2019 18:12:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=Vl01LjIv; dkim=pass (1536-bit key) header.d=taugh.com header.b=aSjw90Qb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z1e2EhQ0P1Tk for <dnsop@ietfa.amsl.com>; Thu, 23 May 2019 18:12:51 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9EC2120157 for <dnsop@ietf.org>; Thu, 23 May 2019 18:12:51 -0700 (PDT)
Received: (qmail 35055 invoked from network); 24 May 2019 01:12:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=88ed.5ce74511.k1905; i=johnl-iecc.com@submit.iecc.com; bh=+eVEiWg+c3pxD7LMV7B6t4D+gjSbwdzyqnUSd5all48=; b=Vl01LjIvJkQnHiL6afmQGkmzKizr/4486Aidt8yxHbqdXQE9o0AcnB/m7564pf590eS7DNOP7F4qaoL2eASf3vikrg2wrkQFoif6600r7uv2Z2D9pSnAby3XkurRduQuH1lEfPcvvTqr41oFNIKDG19WpSRus5yjuROrrSo5kN+yJhF+a5J4e4z4YQKMinv76PUaZ/XkM7BIe+S4Xj4KX4ZbhCa3yeyLpisWGwgzTboWYIZYdFAL1T29Jdd9hDjh
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=88ed.5ce74511.k1905; olt=johnl-iecc.com@submit.iecc.com; bh=+eVEiWg+c3pxD7LMV7B6t4D+gjSbwdzyqnUSd5all48=; b=aSjw90QbWvusYS3TnRAt68VyzUBoIF4hI9ApAKt7pt6fzHtgSCKD+d0x5zpZ6oFUajZpF69UKsEfh0xUzTWKMOOYiwKcx/khBNFIV94McnBJafK5FUuO/Y+iOj8VU7//up1dWG3gq7FUiCabPiEHKFD5jLjpJVSIfZrD8iLgJVzVISOatZ+/QVKzGfItylI6Hy228z996EKZA/G1YsHAasOj1yM659t5jYuZsjBbcyssK8UYRxI6KHDCXzwEh5vn
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.2 ECDHE-RSA AES-256-GCM AEAD, johnl@iecc.com) via TCP6; 24 May 2019 01:12:49 -0000
Date: Thu, 23 May 2019 21:12:49 -0400
Message-ID: <alpine.OSX.2.21.9999.1905232111530.48728@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <126BA26C-A0AF-438B-8D72-8D0CDFA56FB6@icann.org>
References: <20190523022101.27EE520146D68D@ary.qy> <126BA26C-A0AF-438B-8D72-8D0CDFA56FB6@icann.org>
User-Agent: Alpine 2.21.9999 (OSX 337 2019-05-05)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UJBSAKgyN553YZem1n3KFZUwZNw>
Subject: Re: [DNSOP] [Ext] draft-sah-resolver-information-01 and draft-sah-resinfo-doh-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 01:12:53 -0000
On Fri, 24 May 2019, Paul Hoffman wrote: >> For the issue of validating the certificate on a DoT or DoH server, how >> about this kludge: the client contacts the server by IP address, the >> server returns a certificate. If it has an IP address and it matches, >> swell, you're done. If it has a domain name, do a DNSSEC validated A >> or AAAA lookup, and if you get an answer with the IP of the server, >> it's OK. If it has multiple domain names, maybe look them all up >> or maybe don't do that. > > That is possible, but outside the scope of this document. That is, the same would be true for *any* HTTPS client that gets a certificate with an IP address in the certificate but not a name that it likes. I was more thinking of it for DoT. There's too much intertia in https to change anything there. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly
- [DNSOP] New draft, seeking comments: draft-sah-re… Paul Hoffman
- Re: [DNSOP] New draft, seeking comments: draft-sa… Paul Wouters
- Re: [DNSOP] New draft, seeking comments: draft-sa… John Levine
- Re: [DNSOP] [Ext] New draft, seeking comments: dr… Paul Hoffman
- Re: [DNSOP] [Ext] New draft, seeking comments: dr… John Levine
- Re: [DNSOP] [Ext] New draft, seeking comments: dr… Paul Wouters
- [DNSOP] draft-sah-resolver-information (revised) Paul Hoffman
- Re: [DNSOP] draft-sah-resolver-information (revis… Erik Nygren
- Re: [DNSOP] draft-sah-resolver-information-01 and… John Levine
- Re: [DNSOP] draft-sah-resolver-information (revis… Ben Schwartz
- Re: [DNSOP] [Ext] draft-sah-resolver-information … Paul Hoffman
- Re: [DNSOP] [Ext] draft-sah-resolver-information-… Paul Hoffman
- Re: [DNSOP] [Ext] draft-sah-resolver-information-… John R Levine
- Re: [DNSOP] draft-sah-resolver-information (revis… John R. Levine
- Re: [DNSOP] draft-sah-resolver-information (revis… John Dickinson
- Re: [DNSOP] [Ext] draft-sah-resolver-information … Paul Hoffman