Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)

Olli Vanhoja <olli@zeit.co> Sat, 23 March 2019 21:10 UTC

Return-Path: <olli@zeit.co>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 791851200B3 for <dnsop@ietfa.amsl.com>; Sat, 23 Mar 2019 14:10:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zeit-co.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmAoZey_2vPE for <dnsop@ietfa.amsl.com>; Sat, 23 Mar 2019 14:10:02 -0700 (PDT)
Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9157B130D7A for <dnsop@ietf.org>; Sat, 23 Mar 2019 14:10:02 -0700 (PDT)
Received: by mail-lj1-x242.google.com with SMTP id j89so4756634ljb.1 for <dnsop@ietf.org>; Sat, 23 Mar 2019 14:10:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zeit-co.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=wMw+rtf6W/MjHu/OKZOk0jSU1QagRdB7PH57SAvTj40=; b=zPXzLn4VzSeBWaQ4LabsiPFUhgvBU+KbMDBhzskGRZf73YYJenwkgCWrKboOJ/WUsB mfwm5tflAhBu58gqC4Z8CQWUd5ONWOods1sZKF+s/bIpMHwHhlFc9N7JsAXNFivOcbdJ e2zIIlpkCuh49xx1AhzWBChWa8BK77cFsv6FgNSt7b2iqdsq5HtwL7avELo57n77wbkK IMYu4tVLhGhGmecrhCQ9DdlJf4NayOr0W6N4/nJEb3zWsjOiUO6A+nQ43TBPaA4K464L w4oKxNfKHcR41NA6dduxEfv5LD7RSa9KADs12oTaC3JMz2C3sCotHsEB411JIPmnxOpV rgWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=wMw+rtf6W/MjHu/OKZOk0jSU1QagRdB7PH57SAvTj40=; b=ooYGYt2JxfX4ZW9aBg5TdLFyJ1Kzlk6ROTjllB51gVFxLH4Bh+4XhYBbUqmqZs3RNU TAEPLc0VBPVkQpicosawc3SBxrdiByTKporS0vhudAl6N9X/8VlPX09XdH75tKXFVWyW 5G9Jam4JofM3JDou408gcjJS+sf9wOVbxTJF0VFduec3ToAFmsb/zsWNwV8fHnEp5lXR 9EsStyydvgaQkPhxUCWec21wH4syXFwC6y3UjaQ8q831LhXNIDjNWBa89z53LeOn6KnH IRWHtfighTeuaaWSfromjPoYT9/N61I9eTOuKfi3BB5pIHfg7unfAn8iwIAi2gWiwpgz lgDQ==
X-Gm-Message-State: APjAAAUfHCiAr9B6LTNJamPA4VVpWmrqL4+z8Yav+DBzB9nODmsCX7x3 82lHyJLr3EBF17uhQEfmq4lk7HwhJA+ktAn7luT+fIKgFSY=
X-Google-Smtp-Source: APXvYqzMMfMME+MJ3ZJFY3kj3zpr56z7gnSrxLM6Txni0WQeh/1cSvoNNr5bQ6gQIP1K8Fhh22xKXNAnCkaqGNx+5+c=
X-Received: by 2002:a05:651c:d7:: with SMTP id 23mr8814788ljr.5.1553375400242; Sat, 23 Mar 2019 14:10:00 -0700 (PDT)
MIME-Version: 1.0
References: <CADWWn7UZj3oAfqpcpnAenGDpZHatrvQ=97OxAWX8c3881oevhA@mail.gmail.com> <ybl5zsaxmmr.fsf@wu.hardakers.net> <ffc14e6e-5462-bdb2-0c80-336e5d311818@redbarn.org>
In-Reply-To: <ffc14e6e-5462-bdb2-0c80-336e5d311818@redbarn.org>
From: Olli Vanhoja <olli@zeit.co>
Date: Sat, 23 Mar 2019 22:09:49 +0100
Message-ID: <CABrJZ5F+s_+zfN_CMvOdhXBU1M6hDakGDV4wa7Ya9kAwZ3btSQ@mail.gmail.com>
To: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ef441a0584c96438"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/siSZd3qGo-RTaQ_UCcjotwGHSco>
Subject: Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2019 21:10:04 -0000

If I'm not mistaken, currently the solution used by at least Cloudflare
bootstraps using traditional DNS as the certificate they are using for DoH
is just a standard X.509 certificate issued by DigiCert. I believe you
could just hardcode both the host and IP address on the client side if you
want to avoid this "legacy" step.

On Sat, Mar 23, 2019 at 9:38 PM Paul Vixie <paul@redbarn.org> wrote:

>
>
> Wes Hardaker wrote on 2019-03-22 21:03:
> > Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org> writes:
> >
> >>    * We are considering a first milestone where Chrome would do an
> automatic
> >>      upgrade to DoH when a user’s existing resolver is capable of it.
> >
> > Sorry for the delayed question, but with respect to this bullet:
> >
> > 1) ...
> >
> > 2) ...
>
> while i feel and echo wes's two questions, mine is different.
>
> if all you have is an ip address (say, from dhcp or resolv.conf), how
> would you decide whether the https endpoint you found at that address,
> was using an x.509 key you had any reason to trust? https wants names.
>
> i've run into this before. http://dot.tt.ed.quad/ is an easy grab, but i
> don't know how to negotiate for https://dot.tt.ed.quad/. if this is a
> solved problem, then i apologize to all present, for not doing my
> homework before opening up in public.
>
> --
> P Vixie
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>