Re: [DNSOP] Should we try to work on DNS over HTTP in dnsop?

[Shane Kerr <shane@time-travellers.org>]

Robert,

At 2015-12-16 21:08:03 -0500
Robert Edmonds <edmonds@mycre.ws> wrote:

> Shane Kerr wrote:
> > I have updated the DNS over HTTP review document that I sent some days
> > ago. Thanks to Jinmei for reading it.
> > 
> > As I mentioned before, if there is interest then my co-authors and I
> > are happy to try to get the working group to adopt the document. If
> > there is not interest, then we are happy to go forward with an
> > individual submission.
> > 
> > If I don't hear any positive support over the next week or two then
> > that is a pretty clear sign that the working group has little
> > interest. :)  
> 
> Hi, Shane:
> 
> Given BCP 188 ("Pervasive Monitoring Is a Widespread Attack on Privacy"
> and "The IETF Will Work to Mitigate Pervasive Monitoring"), I'm a bit
> disappointed that "HTTPS" is spelled "HTTP(S)" in your document :-) If
> you're going to go to the trouble of defining a new transport for DNS,
> what's the rationale for allowing the transport to permit plaintext?

I'm happy to add strong language documenting the pitfalls of insecure
channels to the DNS over HTTP survey draft.

Just to be clear, this document is a descriptive document, intended to
be informational. It does not describe the details of any protocols,
and steers clear of BCP 14/RFC 2119 words that indicate requirements.

We (BII and Paul Vixie) are going to submit a separate draft with a
protocol specification covering the HTTP-over-DNS protocol that Paul
developed and we implemented an inter-operating proxy for. That SHALL
include requirements and SHALL use RFC 2119 language. There we SHOULD
consider TLS-secured sessions only. ;)

Cheers,

--
Shane