Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information

"John Levine" <johnl@taugh.com> Wed, 15 May 2019 17:47 UTC

Date: Wed, 15 May 2019 13:47:12 -0400
Message-Id: <20190515174712.D405A20141B361@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: paul@nohats.ca
In-Reply-To: <alpine.LRH.2.21.1905151256480.22294@bofh.nohats.ca>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/egkE9ldX5JR7b5govZJp7kzTLE0>
Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information

In article <alpine.LRH.2.21.1905151256480.22294@bofh.nohats.ca> you write:
> 3.  Retrieving Resolver Information by Well-Known URI
>
> You offer a non-DNS method that can deliver (channel) authenticated
> answers, but you don't allow DNSSEC (data origin) authenticated answers?

It's information about the resolver.  What's the data origin for info
about the resolver at some random IP address?

If there's some way to get a validated SSL cert for an IP address you
can at least have some confidence that the URI served from the IP
is under the same control as the resolver on that IP.
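The check described in the reply above, as an added example that is not code from the thread or from the draft: a client fetches the well-known document from the resolver's IP over TLS and only trusts it if the presented certificate carries an iPAddress SAN equal to that IP. The path /.well-known/resolver-info, the port, and the sample addresses are assumptions; the document format the draft defines is not reproduced, so the body is returned as bytes.

```python
"""Fetch resolver information over HTTPS from the resolver's own IP address and
require a certificate that is actually issued for that IP (added example)."""
import http.client
import ipaddress
import ssl

WELL_KNOWN_PATH = "/.well-known/resolver-info"  # assumed path; see the draft


def cert_binds_ip(san_entries, resolver_ip):
    """Return True if san_entries holds an 'IP Address' entry equal to resolver_ip.

    san_entries is the 'subjectAltName' tuple as returned by
    ssl.SSLSocket.getpeercert(), e.g. (('DNS', 'r.example'), ('IP Address',
    '192.0.2.53')).  Addresses are compared as parsed values, so textual
    variants of one IPv6 address still match, and a dNSName entry never
    satisfies an IP-based check.
    """
    try:
        wanted = ipaddress.ip_address(resolver_ip)
    except ValueError:
        return False
    for kind, value in san_entries:
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == wanted:
                return True
        except ValueError:  # malformed SAN value: ignore it, do not match
            continue
    return False


def fetch_resolver_info(resolver_ip, port=443, timeout=5.0):
    """GET the well-known document from resolver_ip; returns (content_type, body).

    The default context verifies the chain against the system trust store, and
    because the connection target is an IP literal, Python (3.7+) checks the
    iPAddress SAN rather than a DNS name.  cert_binds_ip() restates that
    requirement explicitly so a cert valid only for some hostname is rejected.
    """
    ctx = ssl.create_default_context()
    host = f"[{resolver_ip}]" if ":" in resolver_ip else resolver_ip
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.connect()
    san = conn.sock.getpeercert().get("subjectAltName", ())
    if not cert_binds_ip(san, resolver_ip):
        conn.close()
        raise ssl.CertificateError(f"certificate is not issued for {resolver_ip}")
    conn.request("GET", WELL_KNOWN_PATH)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"unexpected HTTP status {resp.status}")
    return resp.getheader("Content-Type"), body
```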