Re: [DNSOP] Should we try to work on DNS over HTTP in dnsop?

Paul Wouters <paul@nohats.ca> Thu, 17 December 2015 04:14 UTC

Date: Wed, 16 Dec 2015 23:14:38 -0500
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <1880287.khLzgcvgCq@linux-85bq.suse>
Message-ID: <alpine.LFD.2.20.1512162310550.11575@bofh.nohats.ca>
References: <20151217020754.6915b71c@pallas.home.time-travellers.org> <20151217020803.GA28588@mycre.ws> <1880287.khLzgcvgCq@linux-85bq.suse>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/keIn2PwVOUAVOvNQk-32wSq5YCo>

On Wed, 16 Dec 2015, Paul Vixie wrote:

> as the author of the first prototype, let me say that the client side proxy's only knowledge of its server
> side proxy is its IP address, whereas SSL needs a host name. i'd be happy to have all that specified by
> people who understand it, along with client-side certs and server-side SSL ACLs. but i'll still likely use
> raw HTTP in some situations, so that should also be specified, even if explicitly discommended by the final
> published document.

So raw DNS on a port other than 53 is not something that would need a
big new RFC. And we have dprive doing DNS over TLS.

If TLS is just to break through broken or blocked port 53, we don't need
an HTTP(S) RESTful interface. Raw DNS in TLS would work fine. Same for
raw DNS on a non-53 port.

So what is the use case for the REST interface?

And yes, I'm a little prejudiced in trying to not add port 80/443 as
another encapsulation layer underneath the internet.

Paul
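As an added illustration of what "raw DNS in TLS" means on the wire (this is example code written for this archive page, not code from either Paul or from any dnsop document): a DNS query is built in RFC 1035 wire format, framed with the same two-octet length prefix that DNS over TCP and DNS over TLS (RFC 7858, port 853) both use, and that framing is parsed back off a constructed reply. It also shows the point Vixie raises, that certificate verification wants a name to check against: the TLS connection is verified against a resolver hostname rather than its IP address. The resolver IP and hostname in `query_over_tls` are hypothetical arguments the caller supplies; the sample stream is constructed inline so everything except the network function runs offline.

```python
"""Added example (not part of the dnsop thread): DNS over TLS framing.
A DNS query is built in RFC 1035 wire format, prefixed with the 16-bit
length used by DNS over TCP and DNS over TLS (RFC 7858, port 853), and
the same framing is parsed back off a constructed reply."""
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS port registered by RFC 7858


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as RFC 1035 labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS query (RD set, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame(message: bytes) -> bytes:
    """Prefix a DNS message with its big-endian 16-bit length (RFC 1035 4.2.2)."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP/TLS framing")
    return struct.pack("!H", len(message)) + message


def read_framed(stream: bytes) -> tuple:
    """Take one length-prefixed message off a byte stream; return (message, rest).
    A ValueError means the stream is short: keep reading, do not treat the
    partial bytes as a message."""
    if len(stream) < 2:
        raise ValueError("need 2 octets for the length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("truncated DNS message")
    return stream[2:2 + length], stream[2 + length:]


def parse_header(message: bytes) -> dict:
    """Decode the 12-octet DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


# Constructed sample: one framed reply (QR=1, RCODE=0, one answer record
# counted in the header) followed by a stray octet belonging to the next
# message still in flight, so read_framed must not over-consume.
SAMPLE_STREAM = (
    frame(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
          + encode_name("example.com") + struct.pack("!HH", 1, 1))
    + b"\x00"
)


def demo() -> dict:
    """Parse the constructed stream; runs offline."""
    reply, rest = read_framed(SAMPLE_STREAM)
    hdr = parse_header(reply)
    hdr["leftover"] = len(rest)
    return hdr


def query_over_tls(name: str, server_ip: str, server_name: str) -> dict:
    """Send one query over TLS to server_ip and return the parsed reply header.
    The certificate is verified against server_name (the resolver operator's
    hostname, supplied by the caller), not against the IP. Needs network
    access, so it is not exercised offline."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before a full reply")
                buf += chunk
                try:
                    reply, _ = read_framed(buf)
                except ValueError:
                    continue  # length prefix says more is coming
                return parse_header(reply)
```

The receive loop matters in practice: TLS and TCP deliver a byte stream, so a reply can arrive split across `recv` calls or glued to the next one, and the length prefix is the only thing that delimits messages.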