Re: [DNSOP] extension of DoH to authoritative servers

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Thu, 14 February 2019 11:51 UTC

Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B65A131163 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 03:51:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.021
X-Spam-Level:
X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wcaj7qnDsWyd for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 03:51:45 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B57AB130EB3 for <dnsop@ietf.org>; Thu, 14 Feb 2019 03:51:44 -0800 (PST)
Received: from [IPv6:2001:1488:fffe:6:be86:60ac:e1e0:9099] (unknown [IPv6:2001:1488:fffe:6:be86:60ac:e1e0:9099]) by mail.nic.cz (Postfix) with ESMTPSA id 24AA160611; Thu, 14 Feb 2019 12:51:41 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1550145101; bh=51KYZs9TCf2x2mwuQsU2E+yDXtc9s/PT4J6+eT7hiZ4=; h=From:To:Date; b=On0vDSUZSk6LpmuOuMvDCIch6bf14WdKnQ+ea/B4ItPkVg0LLg/2yEKJFt9/kRg3S WLKR/kF3tyw0hcsBLmex5V8LWkwqZt7gYloq/1x99JAY/fQf9xPVzdlpQCJHi0/75H SPJ+nV63nr237onif/StgMBr0tZtOEBmbkAXbJkM=
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Shane Kerr <shane@time-travellers.org>
From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>
Openpgp: preference=signencrypt
Autocrypt: addr=vladimir.cunat+ietf@nic.cz; prefer-encrypt=mutual; keydata= mQINBFgDknYBEADHEQwLBlfqbVCzq7qYcBFFTc1WCAFtqiKehOrsITnKusZw4nhYwlKQxcum gj01xJOhbfHBCBeGlDydYqemKg4IfY2nwSyPwZZYMJn7L7AGrCeytr4VMvDJ7o7qDZjjim4i fv+GUwdk3plXx6oMF4nctesI8aAOuLUHAn0PfrGfNhWoaglOKgdOI6DGjhI/aGkvy+jrI/+X sdMV+3f1RuEOfI+Yu4SXFjJyhAmqEOBRxxdHqKreIIpz3Lg38yWwiVGfwgQT+nFIz9BpHH3l Wg1uS8xM3ezceBmRYV8zT9PvbeZ57BlaTR6rLae5RYwV397PSLBqqLkB5H0TDRUFBnwBsUob LebYHmJCOydvyNv5AFkLmLZ7O4j2jFo1WPSMt3ThM6wRwqrnB4Gi+6onyrZfE1DnVZMqbxZ3 VXa+E4S5YwrfCLUErGEn+d40OtoRZmQXhRPVAsdjimMj9oFM9RoxSgUrDg6Ia3n0IrKFb++z HAFbqkR5g4qzXiOMEG621GYEex2sDEKz/PD4CVKlNI9eld4ToH592kAwzJmd+sAi+Rfos0NE zxuFd0ekAOeWoURo0zoYTSWPlMOmFMvcpH6LP3leJmY7x4z/b1ng/+7UnKonVALVPFbRbElO kIfAtLKcUEofwV1jr7DyYGPalJtiDJPomB041ZHCj2RxyXY/oQARAQABtDBWbGFkaW3DrXIg xIx1bsOhdCAod29yaykgPHZsYWRpbWlyLmN1bmF0QG5pYy5jej6JAlcEEwEIAEECGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQS2AGRgtgqA54IGJEnnR98flXWjqgUCWcjP 7AIZAQAKCRDnR98flXWjqm8lEACTETgda85SApnaGB5dBzpCFf4cGLlB88uALlsLUGQJNxte 490q5lk92Dkn/7QYZu2pZImddZcvUPVVlazqWmAz0ByWxufReewdJfi6TJp+tH2/XsKdQwxe BeiCBOzVreN3jG9rRANCr3AOu73hxlTquwGyOKZ4299GSIbpu4Aepkk9uUJDpUMj04+ikemT 6tX3cGPeAtWetskAo00eWNzEVFXsPVcLX1oUmOsaMQhgEK/ErboyDdVgyb+OjvWdrIVbJLr9 loQ9MJVAKquBfr7gAJej+0xNLIVDzJQxcqaoxlc0rKeOXsp5EvTyILaxngHl7tx6673nG//g PMiZB/kRMFsBLGLKtIdFFvrS0OyTCOHukXFkYdbQb8cBPdKzfA9uSw/DGwxMh+A4sGpKIfDZ lL3ZjcNBtTUofVdZJh2HAICb2oXeQpnJlg6IoMj0pnfBsXR7unb1y+SYnwNte3GYumzsnvDk 57lQipUevgZii+1K7NFL4DFQSkFZ5A6fEo17r+gQea4sZ10dwTpTzBQYa7PzqCeFT6v219KQ D9oVRx0EiIiKphLMymqOo0YoPvbuTvsNsnNu46MJcX5xiLIIr8q/Jhzdcw0rvVcjvL29qVZu 3jM3KOCTIqOJlJwJoe/QDssNqUXuA6Gylx693R1qmy2Qy/8e8mDz3So7s7Ho3LkCDQRYA5J2 ARAAyHww3huLEtsdyqgjiGMhtEKOLmp7yFl450HY9oPcHS02U5BC1370ssNShrdOCi2ACDbe 41Zxx85WcuaO1OVqung2umX047mj2xQsiTAFRDLZsQu8cQFoEy/DBL2bk7ThfK1Lh+NyZAs0 UaPpDkGodS0De9osA+4T6Nf4POYaeavbYVFSdDKS4lUboBqApKnD/TzKFxFcpuFx6FN92lte TbOojGMiLoZvELY86Kn9KuFZ8FM2ZSNHx1Z75KouufGrdkeCoZYVYiuzT+fnt2it4dIpIlnF +yxMt5LB/MSrmECB5CAFJtxzuMccm6yDUZQSWWi9vUgxIJwvt5w0CIBT353DGeP4WnH0r5Yo BKoRbh7i4fT0lWvMXTG/V2lqyzBdClMebyHffMgba26Kj6oeDygDfC5aGsVaqw1Ue/qQ5QRq TJcJV7xVLTtS1EamVqkfKwPS0zTfnrF1jQtnO/P4qkfgBRRG9BXGGrykHpXOyqmX6Z0wbV2P 4j+p02oSecDl5yVXplJfsXfbS/xXnaSkaN/7mCU29ul26cAVNxDkDPunztSFi9K9LM2T/XWY JQGXM71OpmONQJGF24lx7Wp/kobnHtbjGDzjDPC4eSL7MA56qtrWaLM+4ePKANct2q0q6c0u SLs0Q2zochS64Mcg0YzL1sinWPN1rXLDk3lwpIsAEQEAAYkCJQQYAQgADwUCWAOSdgIbDAUJ CWYBgAAKCRDnR98flXWjqn4yEACA0f1XBAg+WMaNPtIt0k15yFPfhdbOg9GhDcYGgvFIOxRu aFWw9SLUt7OGuUnIpKxKRXtQJss98fHkijo70ONYWPuLhfRGK/wg9Ao6MuFw5G8m431CBS/a wrieb6iPjvAARXJCPTTBZk/NC988jiKdCh8PbTCHDsl+gSDytP15QUrdqSfS2Wf4653ej7+j tuTjxZzmGgvNSi6JDlb9KNtmBQKQAgpnOQM46ItESmzHDnmdcvhPLUDsjwkpIJ6clasOzaOb wxJiba7iFPcGwcClCSwYjMNXFtneCGUnEAa5RBIx+i+LV1iqB3VRvTC6tMIUueoQ7cdTy6af NkhwQYXm4/pDmNT8UMdnzwnlTpFQ0CegDQRDWc+dIDDBHGEEEYBh2vTOE04KrmYUp1bQsNeg PfvLwoHib0jEvohPMJ2fJtZAd1SJElgwPbM8H7emKBiTsHwF8gL7G2jo7AoGpqYjqXkCRS0t SLTNr+qHh+7Ltrkbu/ZVTTfh4Q/qw3VaLYQh4C0tBma/YevQy1O2c3TZXXFz1QF8b9/Hj/3s q2KgT1AcZ51E+xG+cb6cUqgkihmgm39xx24GPlNAdCRuq01+iILol+Wox6OwF6hmqx1EMSmx cmGoUREr0rkMnFVsWeAYeVoE4q689qxCPu9iCMJMJnkRe1o9oQYSN7my+S98gA==
To: "dnsop@ietf.org" <dnsop@ietf.org>
Message-ID: <b3341f0f-cd06-8b08-5b5f-f887289a5f23@nic.cz>
Date: Thu, 14 Feb 2019 12:51:40 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.3
MIME-Version: 1.0
In-Reply-To: <20190214080508.zab7r6hzkbj7kp54@nic.fr>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/q1TaJ2kZmdwdqn4B5VWtS_KNm80>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 11:51:46 -0000

On 2/14/19 9:05 AM, Stephane Bortzmeyer wrote:
>> Technically you can run DoT on whatever port you like.
>>
>> Example: with knot-resolver it's easy - you just add @443, either on
>> side of server and/or on the side of forwarding over TLS.
> The problem is that you cannot then share this port with HTTPS
> services (the dkg draft on demultiplexing was abandoned, apparently
> because it doesn't work). In a world of scarce IPv4 public addresses,
> this is a serious problem.

You can still multiplex based on SNI sent by the client.  HTTPS clients
surely send it commonly.  DoT clients perhaps not so often, but that's
just an implementation detail (which I was fixing in the past few weeks
in knot-resolver, incidentally).

I'm not sure how easy SNI-based multiplexing is to configure with
nowadays software, but I believe I've heard of some such setup with
nginx.  And I don't have any idea whether SNI encryption would interfere
with that, but I hope not.  ESNI will be a key part of DNS privacy,
though mainly for the non-DNS traffic.