Re: [dnsoverhttp] Configured as trustworthy

Patrick McManus <pmcmanus@mozilla.com> Fri, 16 June 2017 21:47 UTC

In-Reply-To: <D56A1CF5.3D8C3%goran.ap.eriksson@ericsson.com>
References: <D56A1CF5.3D8C3%goran.ap.eriksson@ericsson.com>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Fri, 16 Jun 2017 17:47:08 -0400
X-Gmail-Original-Message-ID: <CAOdDvNphAaeLmDnaOPYi_ZNbVVb76uWT6ge=stfc1DKFgUDxOw@mail.gmail.com>
Message-ID: <CAOdDvNphAaeLmDnaOPYi_ZNbVVb76uWT6ge=stfc1DKFgUDxOw@mail.gmail.com>
To: Göran Eriksson AP <goran.ap.eriksson@ericsson.com>
Cc: "dnsoverhttp@ietf.org" <dnsoverhttp@ietf.org>
Content-Type: multipart/alternative; boundary="001a11400e5c261d6e05521aba88"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsoverhttp/IQoOdevqjlWVTd8Pu_LXdBIGP-0>
Subject: Re: [dnsoverhttp] Configured as trustworthy

As with most things HTTPS, the protocol doesn't try to define a policy for
the client, though I think this could still use a little more
non-normative exploration of the possibilities.

The existing text just asks you to consider the scope of authority for the
server when considering poisoning attacks. (So a DNS API server configured
for the role of recursive resolver is basically configured as trustworthy
for everything, but other roles have lesser scope.)



On Fri, Jun 16, 2017 at 5:40 PM, Göran Eriksson AP <
goran.ap.eriksson@ericsson.com> wrote:

> Hi,
>
> Minor question on draft-hoffman-dns-over-https-01:
>
> Section 9 states:
>
>  Instead, a client MUST only trust DNS API server that is configured as
> trustworthy.
>
> Perhaps obvious to many but may I ask for a more precise definition of
> what is meant by “configured as trustworthy”?
>
> Best Regards
> Göran
>
> _______________________________________________
> dnsoverhttp mailing list
> dnsoverhttp@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsoverhttp
>
>
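One way a client could act on the "scope of authority" idea from the reply above, as an added example that is not text or code from draft-hoffman-dns-over-https, from the list, or from any Mozilla implementation: the client keeps an explicit list of the DNS API servers it was configured to use, each with a scope, and drops any answer record whose owner name falls outside the responding server's scope. A server configured as the recursive resolver is in scope for every name; a server configured for a narrower role is in scope only for names at or below the zones it was configured for, so a compromised or malicious server in that role cannot poison names elsewhere. The `TrustedServer`, `ClientPolicy` and `filter_answers` names, the "empty zone list means recursive resolver" convention, and the sample response records are all assumptions made for this illustration; the draft defines none of them.

```python
"""
Scope-limited trust for DNS API servers.

Added illustration only: this is not code or policy from
draft-hoffman-dns-over-https or from the dnsoverhttp list. All class and
function names, the zone-list convention, and the sample records are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Iterable


def _labels(name: str) -> tuple[str, ...]:
    """Normalise a DNS name to a tuple of lowercase labels, root label first."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it.

    Comparison is label-wise, so "notexample.com" is NOT in "example.com";
    a plain suffix string check would get that wrong.
    """
    n, z = _labels(name), _labels(zone)
    return n[: len(z)] == z


@dataclass(frozen=True)
class TrustedServer:
    """A DNS API server the client was explicitly configured to use."""
    url: str
    # Zones this server is trusted to answer for. The empty tuple means the
    # server was configured in the recursive-resolver role and is trusted
    # for every name. (Hypothetical convention for this example.)
    zones: tuple[str, ...] = ()

    def covers(self, qname: str) -> bool:
        if not self.zones:
            return True
        return any(in_zone(qname, z) for z in self.zones)


@dataclass
class ClientPolicy:
    """The client's configured trust: URL -> TrustedServer."""
    servers: dict[str, TrustedServer] = field(default_factory=dict)

    def configure(self, url: str, zones: Iterable[str] = ()) -> None:
        self.servers[url] = TrustedServer(url, tuple(zones))

    def filter_answers(self, server_url: str, answers):
        """Split a response into records the server may speak for and records it may not.

        `answers` is an iterable of (owner_name, rrtype, rdata) triples, the
        shape a client has after parsing a DNS response body.
        Returns (kept, rejected).
        """
        server = self.servers.get(server_url)
        if server is None:
            # Not configured as trustworthy at all: trust nothing from it.
            return [], list(answers)
        kept, rejected = [], []
        for rr in answers:
            (kept if server.covers(rr[0]) else rejected).append(rr)
        return kept, rejected


def demo():
    """Constructed scenario: one recursive-role server, one zone-scoped server."""
    policy = ClientPolicy()
    policy.configure("https://dns.example.net/dns-query")                  # recursive role
    policy.configure("https://doh.example.com/dns-query", ["example.com"])  # zone-scoped role

    # Constructed sample response from the zone-scoped server: one record it
    # is authoritative for, plus two records it has no business answering.
    answers = [
        ("www.example.com.", "A", "192.0.2.10"),
        ("bank.example.", "A", "203.0.113.7"),     # unrelated name: dropped
        ("notexample.com.", "A", "203.0.113.8"),   # suffix lookalike: dropped
    ]
    return policy.filter_answers("https://doh.example.com/dns-query", answers)


if __name__ == "__main__":
    kept, rejected = demo()
    print("kept:", kept)
    print("rejected:", rejected)
```

The point of the label-wise `in_zone` check is the lookalike case: a server scoped to `example.com` must not be allowed to answer for `notexample.com`, which a naive `endswith("example.com")` would accept. Whether the client should also cache the rejected records, log them, or drop the server entirely is exactly the kind of client policy the reply says the draft leaves open.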