Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Marek Vavruša <mvavrusa@cloudflare.com> Sun, 19 August 2018 00:38 UTC

Return-Path: <mvavrusa@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72556130E74 for <dnsop@ietfa.amsl.com>; Sat, 18 Aug 2018 17:38:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nneDSZAtxkv5 for <dnsop@ietfa.amsl.com>; Sat, 18 Aug 2018 17:38:29 -0700 (PDT)
Received: from mail-yb0-x235.google.com (mail-yb0-x235.google.com [IPv6:2607:f8b0:4002:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90F44130E02 for <dnsop@ietf.org>; Sat, 18 Aug 2018 17:38:29 -0700 (PDT)
Received: by mail-yb0-x235.google.com with SMTP id y130-v6so3352438yby.9 for <dnsop@ietf.org>; Sat, 18 Aug 2018 17:38:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=3Iw0KGSYZVd9IdHAUeJDmw9Y6ovaxbEwNO/87qRejhs=; b=c2UloN4PbrJ3sRVD3uMIZUkpGKvbvM0iiYDzME7Slvv2yH/0CAuAJqvb6V1OCPtb96 CVfHUfI+cqBdHtHM6AcsqanB5hxNOCs+jeF8B5Edizo0qyrVsqsW9zH6u8G3IZIEONj+ 0n+5+c89ZLvVTmZIGJT5rFJwo0lLSyHfrgUXE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=3Iw0KGSYZVd9IdHAUeJDmw9Y6ovaxbEwNO/87qRejhs=; b=h6sh8hmCvMlfMwlnaT5xKnZE4kEkOXSmi3nlJFJY5Q1v4IIXZTb5WNbzdguaGeqiZl 4VFMpWgcAq/eYL1jWcw41679kCXDh4hkXrKlxpai1Z83usmfnjJBavJReFrVFkH5jpP0 5K1Dfm5AdbzvM3MBPVbw9Yrt156AgN+hYT5faWyo9l+zGl69wfJyrmmwzZMwwxg6xrVA LJafTGqvZ59TeOrnhkoyOg+xJOJXJcisieZb+fSW/5Hhtio7rIdfwahioHrCVVyN/cDR 8gTVrL2UZbff7+v0BOlZRzywoAz3ZV3qoAtZy5Mu2SGaQrlBOJtrtIJ+dX6Ltv3w3MLn 1x+Q==
X-Gm-Message-State: AOUpUlEQJ4A9pakYCIET2RHVbKbN/3T/ZLEnPltQrXa5ePR7arksMHyy Und7nJBnI4IVpllp8M6EoFPfPas56DxQMXX32p7DSHGTNPCdzw==
X-Google-Smtp-Source: AA+uWPyHVVBOs22KXQUTQ3wR939HNSEpy06B7mlObdWDMrkhyqUI74fsrpFOEhp8rYtkjFNeeI8DNDDqBdWuD2Fvx4U=
X-Received: by 2002:a25:9a49:: with SMTP id r9-v6mr1521370ybo.163.1534639108849; Sat, 18 Aug 2018 17:38:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a5b:18c:0:0:0:0:0 with HTTP; Sat, 18 Aug 2018 17:38:27 -0700 (PDT)
In-Reply-To: <5B78BAC1.5070309@redbarn.org>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1=-792WkQmbTigPdqOh0dONykYycG0hheOecoQa4ai=Hw@mail.gmail.com> <5B7893C9.7000703@redbarn.org> <CAC=TB13WjNJG+Sk8kcudcs9G3dDQcvOyg0ywBJY=90vAynUJLw@mail.gmail.com> <5B78BAC1.5070309@redbarn.org>
From: =?UTF-8?Q?Marek_Vavru=C5=A1a?= <mvavrusa@cloudflare.com>
Date: Sat, 18 Aug 2018 17:38:27 -0700
Message-ID: <CAC=TB12rFZeu8XJf8k0hExie4SEe2HmVYRS=CtgbfkDDUfmF+w@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Ted Lemon <mellon@fugue.com>, dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/relvmAeYZTodetxlcoygMLqhnXE>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2018 00:38:31 -0000

On Sat, Aug 18, 2018 at 5:33 PM, Paul Vixie <paul@redbarn.org> wrote:
>
>
> Marek Vavruša wrote:
>>
>> Hi,
>>
>> thanks for comments. This draft has little to do with DoH (the primary
>> focus is DoT), and its comparison to other technologies. It's about
>> network operator being able to advertise that its recursive server
>> supports DNS on more than just port 53. Please let's stay at least a
>> bit on topic.
>>
>> Marek
>
>
> i think stubs should try to negotiate persistent tcp/853 for every address
> they receive from dhcp, and if they can't, they should fall back to doing
> whatever they did before, like try udp/53, and so on.
>
> --
> P Vixie

I agree, this works in the opportunistic profile or with an IP
certificate and trust in CA model.
The pros and cons of this are described in
https://tools.ietf.org/html/rfc8310#section-7.2

It doesn't work for dynamic configuration of ADN or SPKI pins.

Marek