Re: [dnsoverhttp] Configured as trustworthy

Ben Schwartz <bemasc@google.com> Fri, 16 June 2017 23:13 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsoverhttp/32XDxW7DbJle_LFNFqdv8tZIb2w>

I'm really interested in these kinds of questions (user agent behavior,
origin-based rules, interaction with DNSSEC), but it might be worth keeping
them separate from the protocol specification.  Maybe a second doc...

On Jun 16, 2017 3:15 PM, "Göran Eriksson AP" <goran.ap.eriksson@ericsson.com>
wrote:

> Tnx
>
> as with most things HTTPS, the protocol doesn't try to define a policy for
> the client - though I think this could still use a little more
> non-normative exploration of the possibilities..
>
>
> Yeah- the value of the MUST is of course dependent on the precision and
> clarity of the text following it, :-).
>
>
> the existing text just asks you to consider the scope of authority for the
> server when considering poisoning attacks. (so a DNS API server configured
> for the role of recursive resolver is basically configured as trustworthy
> for everything, but other roles have lesser scope..)
>
>
> Right. Any thoughts about allowing the origin (of a web app) to provide
> the UA with a ‘signal’ on its preferences (fully aware of this more being
> an API question but such matters would have a potential impact on the
> protocol as well)? Or is that outside the scope of this draft/work?
>