IETF Logo Mail Archive

Re: [dnsoverhttp] Survey of DNS over HTTP

Shane Kerr <shane@time-travellers.org> Fri, 16 September 2016 10:05 UTC

Return-Path: <shane@time-travellers.org>
X-Original-To: dnsoverhttp@ietfa.amsl.com
Delivered-To: dnsoverhttp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FAAB12B186 for <dnsoverhttp@ietfa.amsl.com>; Fri, 16 Sep 2016 03:05:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wMYZdJKpWkS0 for <dnsoverhttp@ietfa.amsl.com>; Fri, 16 Sep 2016 03:05:29 -0700 (PDT)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EAFB12B0C3 for <dnsoverhttp@ietf.org>; Fri, 16 Sep 2016 03:05:29 -0700 (PDT)
Received: from [2001:470:78c8:2:8451:b161:196c:6f38] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1bkq1M-0004mG-1f; Fri, 16 Sep 2016 10:05:24 +0000
Date: Fri, 16 Sep 2016 12:05:20 +0200
From: Shane Kerr <shane@time-travellers.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <20160916120520.6f9c213a@pallas.home.time-travellers.org>
In-Reply-To: <78341ca7-e348-b2f9-7c63-d4c6909ea11b@cs.tcd.ie>
References: <20160914150428.2bc82011@pallas.home.time-travellers.org> <78341ca7-e348-b2f9-7c63-d4c6909ea11b@cs.tcd.ie>
X-Mailer: Claws Mail 3.14.0 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; boundary="Sig_/k4v4.MAtInWSbWP9.+0UUVp"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsoverhttp/rb2VvmvX8vkfInTXTDKlNrBLuqQ>
Cc: dnsoverhttp@ietf.org
Subject: Re: [dnsoverhttp] Survey of DNS over HTTP
X-BeenThere: dnsoverhttp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of DNS over HTTP <dnsoverhttp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsoverhttp>, <mailto:dnsoverhttp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsoverhttp/>
List-Post: <mailto:dnsoverhttp@ietf.org>
List-Help: <mailto:dnsoverhttp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsoverhttp>, <mailto:dnsoverhttp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2016 10:05:32 -0000

Stephen,

At 2016-09-15 08:28:11 +0100
Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> Hi Shane,
> 
> I have two related questions for which I didn't get answers
> from your fine document.
> 
> 1) Are folks using IP addresses or DNS names in the URLs they
> are de-referencing when using HTTP(S)?

I assume both.

Using DNS names does create a bootstrapping problem, but not a huge
one. After all, current DNS resolvers have a similar bootstrapping
problem when they start. They use a pre-configured set of IP addresses
to start (usually hints.txt) and perform resolver priming:

https://tools.ietf.org/html/draft-ietf-dnsop-resolver-priming-09

A client using DNS-over-HTTP can either use a pre-configured set of IP
addresses, or use some other way to map a DNS name into a set of IP
addresses - such as "normal" DNS. :) 

> 2) Are there any functional reasons to ever specifically want
> DNS/HTTP, as opposed to DNS/HTTP/TLS? By functional I mean to
> exclude the obvious simplicity, performance and WebPKI-trust
> reasons why HTTP is "easier" than HTTP/TLS.

By "functional reasons", you mean is there anything that DNS over HTTP
can do that DNS over HTTP+TLS can do? The only specific issue that I
can think of is virtual servers and client-side software that doesn't
support SNI. (Not as crazy at it seems... SNI was only added to
the standard Python TLS library in 2014 for example.)
 
> BTW, the reason these are related is that if folks are using
> IP addresses for the requests, then our current inability to
> get WebPKI certs for IP addresses may be a functional motivation
> for preserving the ability to do DNS/HTTP in clear.

I'm not sure about this. (No, really, I am ignorant!)

RFC 3779 defines X.509 extensions for IP addresses, which is used by
RPKI:

https://tools.ietf.org/html/rfc3779

Also, a quick scan through RFC 5280 indicates that IP addresses can
also be used in web PKI:

https://tools.ietf.org/html/rfc5280#section-4.2.1.6

So it seems possible in principle to use IP addresses in certificates
with current standards.

In general though I'd expect DNS over HTTP clients to use a
pre-configured certificate from the resolver operator... sort of like
when you sign up for a VPN, and you get a certificate to identify the
server that you then configure on the client side. 
 
> From my POV it'd be a bit sad if we need to define yet another
> open-kimono/insecure way to do DNS, so I'd be happier were it
> safe to assume that the client can use a DNS name in the URL
> and can somehow figure out how to resolve that name to an IP
> address. But I don't know if that's a reasonable assumption.

I think that I understand your concern about unencrypted traffic, but
I'm not sure that insisting on it will actually help.

Cheers,

--
Shane

v2.8.7 | Report a Bug | By Email