Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Tom Pusateri <> Tue, 21 August 2018 01:22 UTC

From: Tom Pusateri <>
Date: Mon, 20 Aug 2018 21:22:42 -0400
Cc: dnsop <>
To: Paul Hoffman <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers

> On Aug 20, 2018, at 9:11 PM, Paul Hoffman <> wrote:
> On 20 Aug 2018, at 17:47, Tom Pusateri wrote:
>>> On Aug 20, 2018, at 12:42 PM, Tony Finch <> wrote:
>>> Marek Vavruša <> wrote:
>>> This is interesting to me because I want to support DoTH on my campus
>>> resolvers.
>>> Regarding DoH, the DHCP option ought to include a URI template (there
>>> isn't a .well-known for DoH). I plan to set up my servers so that
>>> misdirected attempts to get web pages from the DoH server are redirected
>>> to the relevant documentation; that's much easier if the DoH endpoint
>>> isn't at the server root.
>> Our variant of this same idea that Willem Toorop and I presented at the DRIU BOF in Montréal has a URI for the DoH case:
>> <>< <>>
>> But let me remind everyone that there were a lot of people agreeing with Ted in Montréal and so far, Ted appears to be standing all by himself.
>> Where are all the other folks that shot down this idea earlier? :)
> Judging what was said at an excited mic line is always challenging. :-) Two issues are being conflated here:
> 1) a DHCP option to include a URI template
> 2) how the DHCP client in an OS would use that option
> DHCP options are easy and cheap. However #2 was vexing. The proposal that an OS say "oh look, there is a DoH server, I'll use that because it is more secure than Do53" was what was controversial because of the utter lack of DHCP security. Some of the folks on the mic line disagreed with the assumption that, given two pieces of insecurely-acquired information (a Do53 address and a DoH template), the latter would result in a more secure connection. A network admin can see the port 53 traffic and see if there's crap in there; they can't see the inner DoH traffic.
> --Paul Hoffman

Yes, this was one good point.

Another point I remember most clearly is that DHCP has fallen out of favor for communicating all but the most minimal network bootstrap configuration information. There was general agreement in the room that you should only use DHCP in IPv4 for address/router info and then use trusted sources for everything else. In IPv6, SLAAC generally provides this.

One more point (from the Android crowd) was that they are going to try to connect to the DNS server’s IP address using port 853 using DoT at the same time they are trying to resolve names over port 53 with UDP. If they’re able to make a DoT connection, they’ll use it. This doesn’t provide for a way to have an ADN to verify the certificate but a PTR query can give you a name to do certificate validation and/or DANE validation. So they seemed to be making the point that no DHCP extensions were necessary.
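The opportunistic DoT probe described in the last paragraph, written out as an added example; this is not code from the thread, from the draft, or from Android's implementation. It assumes a resolver at 10.0.0.1, a constructed (not captured) PTR answer mapping it to dns.example.net, and an injectable probe function so the selection logic runs offline; `probe_dot` is the only part that touches the network.

```python
"""Opportunistic DoT: try TLS on 853 alongside Do53, use a PTR name for cert checks."""
import ipaddress
import socket
import ssl
import struct

QTYPE_PTR = 12
QCLASS_IN = 1


def reverse_name(ip: str) -> str:
    """in-addr.arpa / ip6.arpa name for an IPv4 or IPv6 resolver address."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    # flags 0x0100 = recursion desired; one question, no other sections
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN))


def dot_frame(msg: bytes) -> bytes:
    """RFC 7858 framing: every message on the TLS stream carries a 2-octet length prefix."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_ptr_targets(resp: bytes, txid: int) -> list:
    """PTR targets from the answer section; drop replies with a wrong ID or an error RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F != 0:
        return []
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4                                    # skip qtype + qclass
    targets = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_PTR:
            targets.append(decode_name(resp, off)[0])
        off += rdlen
    return targets


def probe_dot(ip: str, server_name, timeout: float = 2.0) -> bool:
    """Live probe: TLS handshake to ip:853. Without a name the connection is unauthenticated."""
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, 853), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=server_name):
                return True
    except (OSError, ssl.SSLError):
        return False


def choose_transport(resolver_ip: str, ptr_targets: list, probe=probe_dot) -> dict:
    """Use DoT when 853 answers, otherwise keep Do53. cert_checked is True only with a PTR name."""
    name = ptr_targets[0] if ptr_targets else None
    if probe(resolver_ip, name):
        return {"transport": "dot", "port": 853, "auth_name": name, "cert_checked": name is not None}
    return {"transport": "do53", "port": 53, "auth_name": None, "cert_checked": False}


def sample_ptr_response(txid: int) -> bytes:
    """Constructed PTR answer (assumed data, not a capture): 10.0.0.1 -> dns.example.net."""
    rdata = encode_name("dns.example.net")
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            + encode_name(reverse_name("10.0.0.1")) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
            + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 300, len(rdata)) + rdata)


def demo(dot_reachable: bool) -> dict:
    txid = 0x4242
    targets = parse_ptr_targets(sample_ptr_response(txid), txid)
    return choose_transport("10.0.0.1", targets, probe=lambda ip, name: dot_reachable)
```

The `cert_checked` field is deliberately separate from "authenticated": the PTR answer arrives over the same unauthenticated Do53 path as the resolver address itself, so a certificate that matches a PTR-derived name only proves you reached whatever the network told you that name is, unless the PTR (or a DANE record for it) was DNSSEC-validated first.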