Re: [DNSOP] draft-sah-resolver-information (revised)

Ben Schwartz <bemasc@google.com> Thu, 23 May 2019 15:49 UTC

References: <3BCCE28D-17C6-4367-A9C3-D0DCF56AB03A@icann.org> <alpine.LRH.2.21.1905151256480.22294@bofh.nohats.ca> <C3668C33-E3DB-4267-AF5B-FDC46262CC8F@icann.org> <alpine.LRH.2.21.1905152258340.18222@bofh.nohats.ca> <0F4F5B08-A81B-48D4-AAFE-F89FEE980F9A@icann.org> <CAKC-DJhmQMMCRJAJTB4ZG1MmxohKS12KPXuBwwbmVXFR=ubWFQ@mail.gmail.com>
In-Reply-To: <CAKC-DJhmQMMCRJAJTB4ZG1MmxohKS12KPXuBwwbmVXFR=ubWFQ@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 23 May 2019 11:48:55 -0400
Message-ID: <CAHbrMsB=4Kr0D67XKLP=uuHGOvO_+=0T=+JJK-V6sGiS5rnQ5g@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/s6yD40ty99mNLACWSPj46V7ehik>
Subject: Re: [DNSOP] draft-sah-resolver-information (revised)

Instead of "domains-to-match", with IP addresses in the templates, I would
prefer an optional "ip-addresses" field listing some addresses, with domain
names in the templates (unless the server intends to use an IP cert, in
which case it would be an IP in the template).  This would also address
Erik's question about SNI.

On Wed, May 22, 2019 at 10:02 PM Erik Nygren <erik+ietf@nygren.org> wrote:

> Some comments:
>
> * We should define what TLS SNI value gets sent.  Perhaps the first value
> of "domain-to-match" when present, but preferably the hostname of the URL
> when it's not an IP?
>
> * Should clients consider the templates list to be ordered or unordered?
> We may wish to define the behavior for handling multiple entries.  (A
> common case might be both an IPv6 and IPv4 address.  Some clients might
> only have one of those, so would need to filter appropriately, and
> operators may wish to specify an ordering preference such as
> IPv6-preferred.)
>
> * It would be worth a conversation with the people working on PvD in
> IntArea to see if there is some alignment (eg, in-terms of JSON practices,
> and perhaps even with PvDs being able to include or reference a
> resolver-information block).  There might be a path here that could also
> help with the split-horizon case.
>
> * With the draft-sah-resolver-information framework, we may wish to also
> have an attribute or draft for specifying the DNS64 prefix to allow
> client-side DNS64 synthesis.  (On the other hand, there are also drafts to
> send this via an RA option as well as some other paths in-addition to other
> mechanisms.  So perhaps another mechanism isn't needed.)
>
>       Erik
>
>
>
>
> On Wed, May 22, 2019 at 6:30 PM Paul Hoffman <paul.hoffman@icann.org> wrote:
>
>> Greetings again. Based on the input from the DNSOP and DOH lists, we
>> revised draft-sah-resolver-information. We also created a new draft,
>> draft-sah-resinfo-doh, to cover the main use case we have for getting
>> information from a resolver, namely to get the DoH URI template and
>> authentication information.
>>
>> From the mailing list traffic, it seems like some of y'all only care
>> about getting resolver information from DNS (hopefully DNSSEC-signed),
>> while others are fine to use HTTPS with web PKI authentication,
>> particularly when DNSSEC signing is not possible. We have left both methods
>> in the main draft.
>>
>> We encourage more input.
>>
>> --Paul Hoffman
>>
>> ======
>>        Title           : DNS Resolver Information Self-publication
>>        Authors         : Puneet Sood
>>                          Roy Arends
>>                          Paul Hoffman
>>         Filename        : draft-sah-resolver-information-01.txt
>>         Pages           : 9
>>         Date            : 2019-05-22
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-sah-resolver-information/
>>
>> ======
>>        Title           : DNS Resolver Information: "doh"
>>        Authors         : Puneet Sood
>>                          Roy Arends
>>                          Paul Hoffman
>>         Filename        : draft-sah-resinfo-doh-00.txt
>>         Pages           : 5
>>         Date            : 2019-05-22
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-sah-resinfo-doh/
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
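As an added illustration (not code from the draft or from any participant), here is how a client might process a resolver-information block laid out the way Ben suggests: an optional "ip-addresses" list plus domain names in the templates, with SNI taken from the template hostname, and Erik's ordering and address-family filtering applied. The field names, the sample JSON and the function names are assumptions, not taken from the draft.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample block; field names are assumptions, not the draft's.
SAMPLE_RESINFO = json.dumps({
    "ip-addresses": ["2001:db8::53", "192.0.2.53"],
    "templates": [
        "https://dns.example.net/dns-query{?dns}",   # name -> SNI, web PKI cert
        "https://[2001:db8::53]/dns-query{?dns}",    # IP literal -> IP cert
        "https://192.0.2.53/dns-query{?dns}",
    ],
})


def is_ip_literal(host):
    """True if the template host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def plan_connections(resinfo_json, have_ipv4=True, have_ipv6=True):
    """Return an ordered list of (template, sni, addresses) connection plans.

    Operator order is preserved. A domain-name template gets that name as SNI
    and is connected to via the listed "ip-addresses" (none listed means the
    client resolves the name itself). An IP-literal template sends no SNI and
    must be validated against an IP certificate. Address families the client
    lacks are filtered out.
    """
    info = json.loads(resinfo_json)
    family_ok = lambda a: (a.version == 4 and have_ipv4) or (a.version == 6 and have_ipv6)
    listed = [ipaddress.ip_address(a) for a in info.get("ip-addresses", [])]
    usable = [a for a in listed if family_ok(a)]
    plans = []
    for tmpl in info.get("templates", []):
        host = urlsplit(tmpl).hostname  # strips IPv6 brackets, lowercases
        if host is None:
            continue  # malformed template: skip rather than guess
        if is_ip_literal(host):
            addr = ipaddress.ip_address(host)
            if family_ok(addr):
                plans.append((tmpl, None, [str(addr)]))
        elif listed and not usable:
            continue  # every listed address is of a family this client lacks
        else:
            plans.append((tmpl, host, [str(a) for a in usable]))
    return plans
```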