Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Marek Vavruša <mvavrusa@cloudflare.com> Tue, 21 August 2018 02:08 UTC

Return-Path: <mvavrusa@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DDDA130DC9 for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 19:08:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R68DgnfpAfpv for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 19:08:19 -0700 (PDT)
Received: from mail-yb0-x22d.google.com (mail-yb0-x22d.google.com [IPv6:2607:f8b0:4002:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 689A0130DF2 for <dnsop@ietf.org>; Mon, 20 Aug 2018 19:08:19 -0700 (PDT)
Received: by mail-yb0-x22d.google.com with SMTP id o17-v6so5412426yba.2 for <dnsop@ietf.org>; Mon, 20 Aug 2018 19:08:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=eMRMtgcvoud7BQ0+PYAvL1HPnosYbJ3DzzUr6CgkeNI=; b=oBHeMkSgXcGCkfW1vo+0/qH8pz6Nn4TO2kQHa4Iu/BKJ54orS8Hgq1VEXXyWze97yC 01ndnoD45ndGi/0dTuItsXIkTHzy46WTKQTczRRjaWY1G0P3k57LeViYROFp0G7Fw84C CO2ErMBzlpjJQvluazmGbXpGnPLozBCo/9t9A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=eMRMtgcvoud7BQ0+PYAvL1HPnosYbJ3DzzUr6CgkeNI=; b=Ge2bu9rKmgsx3o/Sf9yb9qD/JdMNYNuk0TmxQBNHn3NJC4joipMtQI+S7UDvL6/SgW YHh4rY09jo4UVcL8G8PJPCLZ7L9AYSXSgIbpqD+fwMk020cE6bCfG2Lg4/rWLhXzA+k3 KbiKmHKs/Jw5L23Fdur1Jew6IVCHohOAN7ur3Sx/yCPCrl0vnNmGLclN/I80DVJWg7JO d3kpWBsaWwpyH2XL3UfLuweFfrDi4gXGquoPtQtBiS9N5e2FKemp/REcYTvJI7BGi5y6 GfzW4vA7KHESOYyKEAlGwYsGxerQ1H+j14pH9R/cH2oWdPf5jKZVAix6rxVFJnpqqjrM xpTw==
X-Gm-Message-State: AOUpUlHWsK7nb0yz+pxgK2nqArxfdr+MXCjasolkaOGRV5hj8gkiwAS0 xsjfv8G7/LOkr8XYSVQqt196FnqH/FkQcptZ4x/kv3cXoII=
X-Google-Smtp-Source: AA+uWPw0h8YH3iDT/LAuegKtmPiMv9aer73+ovv1a4QNV1v59g1cBLTkR8eUw+KMECsnYG7AjuBFG6xOKUMJkzR38Hg=
X-Received: by 2002:a25:9a49:: with SMTP id r9-v6mr5914410ybo.163.1534817298620; Mon, 20 Aug 2018 19:08:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:a045:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 19:08:17 -0700 (PDT)
In-Reply-To: <5B7B71DB.8020908@redbarn.org>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <alpine.DEB.2.20.1808201720060.3596@grey.csi.cam.ac.uk> <23C2BA0B-B4A7-49F2-9FFD-90B90E2928B5@bangj.com> <56B7EA81-A840-4320-BDD0-781E9D999904@vpnc.org> <B5CCB149-BEE2-46D4-BF3C-C32D5BCA3EA3@bangj.com> <5B7B71DB.8020908@redbarn.org>
From: =?UTF-8?Q?Marek_Vavru=C5=A1a?= <mvavrusa@cloudflare.com>
Date: Mon, 20 Aug 2018 19:08:17 -0700
Message-ID: <CAC=TB13A=C4RkV9CUQgdmbSSKacTcM+koJg5pOWy_UmtypiegA@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Tom Pusateri <pusateri@bangj.com>, dnsop <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tqQE_R97S60DW_neWlQnxD-jeR4>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 02:08:21 -0000

On Mon, Aug 20, 2018 at 6:58 PM, Paul Vixie <paul@redbarn.org> wrote:
>
>
> Tom Pusateri wrote:
> ....
>>
>> One more point (from the Android crowd) was that they are going to try
>> to connect to the DNS server’s IP address using port 853 using DoT at
>> the same time they are trying to resolve names over port 53 with UDP. If
>> they’re able to make a DoT connection, they’ll use it. This doesn’t
>> provide for a way to have an ADN to verify the certificate but a PTR
>> query can give you a name to do certificate validation and/or DANE
>> validation. So they seemed to be making the point that no DHCP
>> extensions were necessary.
>
>
> that's a cool hack, showing once again DoT's superiority over DoH.

This has been used to detect DoH support in dnscrypt-proxy as well.
One subtle issue with probing is that "it doesn't work" is not the
same as "it's not supported".
It can mean that port/traffic is being blocked, client is
incompatible, crypto is incompatible, etc.,
so it's difficult to distinguish whether the service is being offered
but unavailable for various reasons,
and service not being offered.

> --
> P Vixie
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop