Re: [DNSOP] Should we try to work on DNS over HTTP in dnsop?

Shumon Huque <shuque@gmail.com> Thu, 17 December 2015 04:11 UTC

From: Shumon Huque <shuque@gmail.com>
To: Paul Vixie <vixie@tisf.net>
Cc: Shane Kerr <shane@time-travellers.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Robert Edmonds <edmonds@mycre.ws>
Date: Wed, 16 Dec 2015 23:11:00 -0500
Subject: Re: [DNSOP] Should we try to work on DNS over HTTP in dnsop?
Message-ID: <CAHPuVdX7_3kv=utpk8zhSQmTMi563MNn6M+h37DQjWnArU2tRg@mail.gmail.com>
In-Reply-To: <1880287.khLzgcvgCq@linux-85bq.suse>
References: <20151217020754.6915b71c@pallas.home.time-travellers.org> <20151217020803.GA28588@mycre.ws> <1880287.khLzgcvgCq@linux-85bq.suse>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/r9oH8CQL9kM36sCVg9iJDg47-As>

On Wed, Dec 16, 2015 at 10:50 PM, Paul Vixie <vixie@tisf.net> wrote:

> On Wednesday, December 16, 2015 09:08:03 PM Robert Edmonds wrote:
> > Shane Kerr wrote:
> > > I have updated the DNS over HTTP review document that I sent some days
> > > ago. Thanks to Jinmei for reading it.
> > >
> > > As I mentioned before, if there is interest then my co-authors and I
> > > are happy to try to get the working group to adopt the document. If
> > > there is not interest, then we are happy to go forward with an
> > > individual submission.
> > >
> > > If I don't hear any positive support over the next week or two then
> > > that is a pretty clear sign that the working group has little
> > > interest. :)
> >
> > Hi, Shane:
> >
> > Given BCP 188 ("Pervasive Monitoring Is a Widespread Attack on Privacy"
> > and "The IETF Will Work to Mitigate Pervasive Monitoring"), I'm a bit
> > disappointed that "HTTPS" is spelled "HTTP(S)" in your document :-) If
> > you're going to go to the trouble of defining a new transport for DNS,
> > what's the rationale for allowing the transport to permit plaintext?
>
> as the author of the first prototype, let me say that the client side
> proxy's only knowledge of its server side proxy is its IP address, whereas
> SSL needs a host name. i'd be happy to have all that specified by people
> who understand it, along with client-side certs and server-side SSL ACL's.
> but i'll still likely use raw HTTP in some situations, so that should also
> be specified, even if explicitly discommended by the final published
> document.

Paul,

SSL (Actually "TLS", since no-one should use SSL any more) doesn't *need* a
hostname. TLS supports many identity forms that aren't hostnames. It's
perfectly possible to establish a TLS session with the client knowing only
the IP address of the server, and with some preconfigured knowledge of the
server, the client can even establish an 'authenticated' TLS session.
However, there may be reasons to use hostnames (e.g. to allow more
recognizable associations of the DNS server's identity for users). Many
such details are being written up by some folks involved in the DNS over
(D)TLS efforts in a companion document. You could consider reusing that
work.

Shumon.
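The two identity forms Shumon describes (a server known only by its IP address, and a server authenticated from preconfigured knowledge rather than a name), shown as an added example that is not part of this thread or of any DNS-over-HTTP prototype. The IP address 192.0.2.53, the certificate subject and the five-second deadline are assumptions chosen for the demonstration; the pinning uses the SHA-256 of the server's SubjectPublicKeyInfo, the same quantity the DNS over (D)TLS work later standardised for out-of-band key-pinned authentication.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewIPCert makes a self-signed server certificate whose only identity is an
// IP-address SAN: there is no DNS name anywhere in it. (Constructed for this
// example; a real deployment would provision the certificate out of band.)
func NewIPCert(ip net.IP) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "dns-over-http proxy"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// SPKIPin returns hex(SHA-256(SubjectPublicKeyInfo)) of a DER certificate:
// the "preconfigured knowledge" a client keeps for a server it knows only by
// address. It survives certificate renewal as long as the key is kept.
func SPKIPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// IPSANConfig authenticates the server by IP address: Go matches an IP-literal
// ServerName against the certificate's IP SANs and sends no SNI for it.
func IPSANConfig(trusted []byte, ip string) (*tls.Config, error) {
	leaf, err := x509.ParseCertificate(trusted)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &tls.Config{RootCAs: pool, ServerName: ip}, nil
}

// PinConfig authenticates the server by a preconfigured SPKI hash instead of
// any name or CA. InsecureSkipVerify only disables the built-in chain/name
// check; VerifyPeerCertificate then performs the actual authentication.
func PinConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			got, err := SPKIPin(raw[0])
			if err != nil {
				return err
			}
			if got != pin {
				return fmt.Errorf("SPKI pin mismatch: got %s", got)
			}
			return nil
		},
	}
}

// Handshake runs one in-memory TLS handshake over net.Pipe and returns the
// client's verification result. Deadlines keep a rejected handshake from
// hanging, since net.Pipe writes block until the peer reads them.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	cli, srv := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	cli.SetDeadline(deadline)
	srv.SetDeadline(deadline)
	done := make(chan struct{})
	go func() {
		defer close(done)
		s := tls.Server(srv, &tls.Config{
			Certificates:           []tls.Certificate{serverCert},
			SessionTicketsDisabled: true, // no post-handshake flight to drain
		})
		s.Handshake()
		srv.Close()
	}()
	err := tls.Client(cli, clientCfg).Handshake()
	cli.Close()
	<-done
	return err
}

func main() {
	cert, err := NewIPCert(net.ParseIP("192.0.2.53"))
	if err != nil {
		panic(err)
	}
	pin, _ := SPKIPin(cert.Certificate[0])
	byIP, _ := IPSANConfig(cert.Certificate[0], "192.0.2.53")
	fmt.Println("authenticated by IP SAN:", Handshake(cert, byIP) == nil)
	fmt.Println("authenticated by SPKI pin:", Handshake(cert, PinConfig(pin)) == nil)
	fmt.Println("wrong pin rejected:", Handshake(cert, PinConfig("00")) != nil)
}
```

Both client configurations connect to a server identified by nothing but its address; the first trusts a specific certificate and checks its IP SAN, the second trusts a specific key. Either is an 'authenticated' session in the sense used above, and neither depends on the server having a host name.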