Re: [dnsoverhttp] New draft: draft-hoffman-dns-over-http-00.txt
Ted Hardie <ted.ietf@gmail.com> Tue, 20 September 2016 23:03 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: dnsoverhttp@ietfa.amsl.com
Delivered-To: dnsoverhttp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id CF96412B10D
for <dnsoverhttp@ietfa.amsl.com>; Tue, 20 Sep 2016 16:03:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id FTUfebFbysms for <dnsoverhttp@ietfa.amsl.com>;
Tue, 20 Sep 2016 16:03:16 -0700 (PDT)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com
[IPv6:2607:f8b0:4003:c06::232])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id EFD0F12B011
for <dnsoverhttp@ietf.org>; Tue, 20 Sep 2016 16:03:15 -0700 (PDT)
Received: by mail-oi0-x232.google.com with SMTP id t83so40364146oie.3
for <dnsoverhttp@ietf.org>; Tue, 20 Sep 2016 16:03:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=jE1EdCmWNyX2AXakhJMVvPLF4mlpk9lGuS9aptT65SI=;
b=OkMQfMXGOcfIOTmmKdmZ2OdmOiVB2BYAyzTwrm4eL00H72Lll/0/XatD2YJdRAfXfH
2kg48nIanmMYnO8kQeWfde62X79blUXHAHvkWb30hpsqtDo3dXqf9Ew8jA7qi27wgXGr
uCfF6INd+xVHFwQbv4yHyFrZlnNajp5AHMr9cNrLN84D2mjf+yJQfbTXywT1GC+Ps+ov
8Mh2TGgHLnkMu55Xa0Du8poCThfHS9a68Bzf6LMviXIoji3O2pMmVmnVM189ddcjDrzf
QypUrqMsVuyGsIOn9lYNFcxYtFLKDU+qJN3k2/DDM0Iz+KqDHp8WPsOJhHenxEgYlj3S
3fhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=jE1EdCmWNyX2AXakhJMVvPLF4mlpk9lGuS9aptT65SI=;
b=UYlezl0Bvqm9CsQ6cURJfoQiiXa+LlfY1psmfCCDnIII/2opxbQy8xPONeZAMK4m3i
1F0ZZw5GJqe+lijviEw2C+S6JYLKH3g6PwSk/Ba2L0VE9MDhp19QuLgfYEnPeU6STW92
d5Ipw/e3+narE67xfRHiOI8ahzuIu9bpQduPwe5pyJAHzzjHASltEIpMXNLMG674xB//
rZ30I1R2vEtwu9XVdcAAD7Z0BoqONBtdWAbdm4E0ZdzEXUx6ARSNGAVkLwOHprHxcb40
TUDffqKdXa76+5m1H/5rYXR97NlAM4I/mYOl4Zm4/Z+1oBsjitAR+Lea4VSiwdXOYbr6
FeUw==
X-Gm-Message-State: AE9vXwMZpE6fWZaxltv8gT7fzPRMmoZhZRTeX4f7HDgTh2OJEtgftf3i7tK1Zs4D1UQIJurtkQiTlLFHFn6O4w==
X-Received: by 10.202.192.5 with SMTP id q5mr4317043oif.71.1474412595344; Tue,
20 Sep 2016 16:03:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.85.72 with HTTP; Tue, 20 Sep 2016 16:02:44 -0700 (PDT)
In-Reply-To: <14CE5326-52FD-405F-A17F-1BBE5FC32929@icann.org>
References: <147438228195.28999.4355943522486567954.idtracker@ietfa.amsl.com>
<D1E3CC44-FE5A-4ACE-90A1-EF9B5EE975D7@icann.org>
<CA+9kkMATL4RVv=RCmS0nqks2OWB1aQSeNcZ_-zyqHBnv5eYmLg@mail.gmail.com>
<AF616D4B-A22B-4CB7-AD20-29B4E6107276@icann.org>
<CA+9kkMCsX9=+uWmAAydW5yuda_Jzs+qX6MBZBq0ztQKOsEDndQ@mail.gmail.com>
<14CE5326-52FD-405F-A17F-1BBE5FC32929@icann.org>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Tue, 20 Sep 2016 16:02:44 -0700
Message-ID: <CA+9kkMBqN8Y-h27C7Cde4omO9jLsYpvhsyieFfG9YyS9+K_j9g@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Content-Type: multipart/alternative; boundary=001a113dddfaff7ca8053cf86e4f
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsoverhttp/CjsHH47QPwCS87m8yknBumY8qRU>
Cc: "dnsoverhttp@ietf.org" <dnsoverhttp@ietf.org>
Subject: Re: [dnsoverhttp] New draft: draft-hoffman-dns-over-http-00.txt
X-BeenThere: dnsoverhttp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of DNS over HTTP <dnsoverhttp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsoverhttp>,
<mailto:dnsoverhttp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsoverhttp/>
List-Post: <mailto:dnsoverhttp@ietf.org>
List-Help: <mailto:dnsoverhttp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsoverhttp>,
<mailto:dnsoverhttp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2016 23:03:18 -0000
On Tue, Sep 20, 2016 at 3:37 PM, Paul Hoffman <paul.hoffman@icann.org> wrote: > > https://blogplatform.example.com/, and it wants me to know the dns info > for securedimages.example.com, what does it do in this mode? > > > We're quite open to suggestions here. I would hope that the pushing would > be done in the same way that it is done for other resources in H2. > > > In the server push case where the initial page is HTML containing references to a bunch of resources, the server pushes the resources it believes the client will need to render the HTML. In your ID, you have a different server provisioned by DHCP, RA, or config for resolving DNS queries (the DNS API server is distinct from the content server, at least as I read it now). I'm not sure that use case and the server push use case meld easily. If you allow the content server to provision itself as a DNS API server, then it could push resources, but you have a scoping problem, because it is now a general-purpose recursive resolver. That opens you up to some bad attacks. Imagine, for example, that https://blogplatform.example.com/ references a resource at a quasi-competitor, https://likeengine.example/. The first server can push a DNS answer that applies to all of likeengine.example's resources. The naive attack here blackholes likeengine.example, but there are more subtle attacks, like giving you a correct address for likeengine.example that happens to be pessimal (like one at their datacenter on a different continent). That can't be corrected by DNSSEC, since it is correctly signed. For the server push case, I pretty much assume that the only trusted DNS resources from https://blogplatform.example.com/ will be those related to example.com (hello, public suffix list and dbound!) To fit that use case, you'd need to have the DNS API server scoped in this case and unscoped in other cases. regards, Ted
- [dnsoverhttp] New draft: draft-hoffman-dns-over-h… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Patrick McManus
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Patrick McManus
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Patrick McManus
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Patrick McManus
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson