Re: [dnsoverhttp] New draft: draft-hoffman-dns-over-http-00.txt

Martin Thomson <martin.thomson@gmail.com> Wed, 21 September 2016 02:10 UTC

In-Reply-To: <CA+9kkMBqN8Y-h27C7Cde4omO9jLsYpvhsyieFfG9YyS9+K_j9g@mail.gmail.com>
References: <147438228195.28999.4355943522486567954.idtracker@ietfa.amsl.com> <D1E3CC44-FE5A-4ACE-90A1-EF9B5EE975D7@icann.org> <CA+9kkMATL4RVv=RCmS0nqks2OWB1aQSeNcZ_-zyqHBnv5eYmLg@mail.gmail.com> <AF616D4B-A22B-4CB7-AD20-29B4E6107276@icann.org> <CA+9kkMCsX9=+uWmAAydW5yuda_Jzs+qX6MBZBq0ztQKOsEDndQ@mail.gmail.com> <14CE5326-52FD-405F-A17F-1BBE5FC32929@icann.org> <CA+9kkMBqN8Y-h27C7Cde4omO9jLsYpvhsyieFfG9YyS9+K_j9g@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 21 Sep 2016 12:10:34 +1000
Message-ID: <CABkgnnUnKezkspqFBW4JFaQr2q4=BmUTwy3MWEtF62rt_TvCRQ@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsoverhttp/HhoaHcx7NfJoPLcl7pb9PHNntJU>
Cc: "dnsoverhttp@ietf.org" <dnsoverhttp@ietf.org>, Paul Hoffman <paul.hoffman@icann.org>
Subject: Re: [dnsoverhttp] New draft: draft-hoffman-dns-over-http-00.txt

On 21 September 2016 at 09:02, Ted Hardie <ted.ietf@gmail.com> wrote:
> That can't be corrected by DNSSEC, since it is correctly signed.

It can be corrected by making another request.

I find the unstated point that you are pushing on quite interesting:
DNSSEC doesn't authenticate all the things that might be important in
the protocol.  Or maybe that there still remains some need for trust
in the protocol when it comes to recursive resolvers.

> For the server push case, I pretty much assume that the only trusted DNS
> resources from https://blogplatform.example.com/ will be those related to
> example.com (hello, public suffix list and dbound!)

That would negate much of the value of having this sort of feature.  I
can see several ways around this.  The easiest being to scope the use
of the record until it can be independently verified.

The tracker can use alt-svc, or push its own records to update the
client's view and correct any infidelity.

If pushed record use is limited to the current site, then the tracker
might be affected, but that only negatively affects the perception of
the site that includes the tracker.
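The two scoping rules discussed in this exchange, as an added illustration that is not code from draft-hoffman-dns-over-http-00 or from either participant: Ted's rule that a record pushed by https://blogplatform.example.com/ is trusted only for names under the origin's registrable domain, and Martin's alternative of holding out-of-scope pushes in a provisional, per-site cache until an independent request confirms them. PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List, and the hostnames and addresses are made up; ResolverCache, PushedRecord and the helper names are this example's own.

```python
"""Scoping HTTP/2-pushed DNS records to the pushing origin.

Added illustration, not code from draft-hoffman-dns-over-http-00 or from
either participant in the thread. PUBLIC_SUFFIXES is a constructed
stand-in for the Public Suffix List; a real client loads the full list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Public Suffix List (assumption: a real
# client would load publicsuffix.org data, including wildcard rules).
PUBLIC_SUFFIXES = {"com", "net", "example", "co.uk", "github.io"}


def _labels(name: str) -> List[str]:
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def registrable_domain(name: str) -> Optional[str]:
    """Return the registrable domain (public suffix plus one label) of
    `name`, or None when `name` is itself a public suffix or is empty.
    The longest listed suffix wins; with no match the last label alone
    is treated as the suffix, as the PSL's default rule does."""
    labels = _labels(name)
    if not labels:
        return None
    for i in range(len(labels)):  # smallest i == longest candidate suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None if len(labels) < 2 else ".".join(labels[-2:])


def in_scope(origin_host: str, owner_name: str) -> bool:
    """Ted's rule: a record pushed by https://origin_host/ is trusted
    only when its owner name shares the origin's registrable domain."""
    origin_rd = registrable_domain(origin_host)
    return origin_rd is not None and origin_rd == registrable_domain(owner_name)


@dataclass
class PushedRecord:
    owner: str
    rtype: str
    rdata: str


@dataclass
class ResolverCache:
    # (owner, rtype) -> rdata, usable for any site
    trusted: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # (owner, rtype) -> (pushing origin, rdata), usable only for that origin
    provisional: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)

    @staticmethod
    def _key(owner: str, rtype: str) -> Tuple[str, str]:
        return (owner.lower().rstrip("."), rtype.upper())

    def accept_push(self, origin_host: str, rec: PushedRecord) -> str:
        """In-scope pushes go straight to the trusted cache; anything else
        is held provisionally, scoped to the pushing site, until an
        independent lookup confirms it (Martin's "scope the use of the
        record until it can be independently verified")."""
        key = self._key(rec.owner, rec.rtype)
        if in_scope(origin_host, rec.owner):
            self.trusted[key] = rec.rdata
            return "trusted"
        self.provisional[key] = (origin_host.lower(), rec.rdata)
        return "provisional"

    def confirm(self, rec: PushedRecord) -> str:
        """Resolve a provisional entry with the answer from an independent
        request. A matching answer promotes the push; a mismatch discards
        it and the independently obtained answer is cached instead."""
        key = self._key(rec.owner, rec.rtype)
        pending = self.provisional.pop(key, None)
        self.trusted[key] = rec.rdata
        if pending is None:
            return "not_pending"
        return "confirmed" if pending[1] == rec.rdata else "rejected"

    def lookup(self, owner: str, rtype: str, site_host: str) -> Optional[str]:
        """Trusted records answer for any site; a provisional record
        answers only when the asking site is the one that pushed it."""
        key = self._key(owner, rtype)
        if key in self.trusted:
            return self.trusted[key]
        pending = self.provisional.get(key)
        if pending and pending[0] == site_host.lower():
            return pending[1]
        return None


def demo() -> Dict[str, Optional[str]]:
    """The thread's scenario with constructed records: the blog platform
    pushes one of its own names and one belonging to a third-party tracker."""
    cache = ResolverCache()
    origin = "blogplatform.example.com"
    own = cache.accept_push(origin, PushedRecord("static.example.com", "A", "192.0.2.10"))
    tracker = cache.accept_push(origin, PushedRecord("cdn.tracker.example", "A", "198.51.100.5"))
    before = cache.lookup("cdn.tracker.example", "A", "news.example.net")
    verdict = cache.confirm(PushedRecord("cdn.tracker.example", "A", "198.51.100.5"))
    after = cache.lookup("cdn.tracker.example", "A", "news.example.net")
    return {"own": own, "tracker": tracker, "other_site_before": before,
            "confirm": verdict, "other_site_after": after}
```

Run demo(): the platform's own record is trusted immediately, the tracker's record is provisional and invisible to an unrelated site until an independent query returns the same answer, after which it serves everywhere. A mismatching independent answer drops the pushed value, which is the "making another request" correction from the top of the message.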