Re: [Doh] WGLC #2

Patrick McManus <pmcmanus@mozilla.com> Wed, 23 May 2018 21:44 UTC

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Wed, 23 May 2018 17:44:39 -0400
To: Sara Dickinson <sara@sinodun.com>
Cc: "Hewitt, Rory" <rhewitt=40akamai.com@dmarc.ietf.org>, DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/39f6wvSRvjy0Rz60CSNKLdNMFOo>

On Tue, May 22, 2018 at 11:37 AM, Sara Dickinson <sara@sinodun.com> wrote:

>
> 1) I previously asked if this spec required that a DNS API Server should
> only be used if authentication of the TLS connection was successful. I got
> conflicting answers from Paul and Martin (‘No we can’t say that’ vs
> ‘authentication is critical and implicit’) and don’t see anything in this
> version that resolves this. I know there is other work attempting to
> address this issue (and more) but the lack of clarity in this document on
> the topic is still an issue for me. I’d still like to see a single sentence
> that either
> - makes clear the requirement (preferable) or
> - states that this is out of scope
>
>
Martin is right - I'm not sure where the confusion originated.
Authentication is part of HTTPS. I know dprive went down the road of
opportunistic security, but that's not something HTTPS does. (plaintext
http:// might, but we're pretty clear about doh steering clear of that.)

https://github.com/dohwg/draft-ietf-doh-dns-over-https/pull/186

does this work?

 -DNS API client MUST only use a DNS API server that is configured as
trustworthy.
+DNS API client MUST only use a DNS API server that is configured as
+trustworthy. {{RFC2818}} defines how HTTPS verifies the identity of
+a connection with the trusted service.
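Review bot: the added sentence cites {{RFC2818}} descriptively but still does not answer the question raised in the quoted text, namely whether a client may use a server whose TLS authentication failed; consider a normative statement such as "A DNS API client MUST NOT use a DNS API server whose identity could not be verified as described in {{RFC2818}}." Also, "the identity of a connection" is imprecise, since it is the server's identity that is verified; "how HTTPS verifies the identity of the server on a connection" reads more accurately.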
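As an added example (not code from the draft, the pull request, or Patrick's message), a minimal Python DoH client that enforces the point made above as policy: the server is used only over https:// with the server identity verified in the RFC 2818 manner against a trusted CA, with no opportunistic fallback. The server URL, the hostname and the media type constant are assumptions for illustration.

```python
import http.client
import ssl
import struct
from urllib.parse import urlsplit

DOH_MEDIA_TYPE = "application/dns-message"   # assumption: media type of the published RFC 8484


def doh_tls_context():
    """TLS context for a DoH client: the server identity MUST be verified
    (RFC 2818 hostname check against a trusted CA chain). There is no
    opportunistic / unauthenticated mode, unlike some DPRIVE profiles."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + system trust store
    ctx.check_hostname = True                      # RFC 2818 server identity check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_authenticated(ctx):
    """True only if the context refuses servers whose identity does not verify."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def check_doh_server(url):
    """The client only uses a server it is configured to trust over https://;
    a plaintext http:// URL is refused rather than used opportunistically."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing DoH server that is not https://: %r" % url)
    return parts.hostname, parts.path or "/"


def build_dns_query(name, qtype=1):
    """Minimal RFC 1035 wire-format query: ID 0, recursion desired, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, flags (RD=1), QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN


def send_doh_query(url, name, ctx=None):
    """POST the query; the TLS handshake itself fails if the identity check fails."""
    ctx = ctx or doh_tls_context()
    if not context_is_authenticated(ctx):
        raise ssl.SSLError("DoH requires an authenticated TLS connection")
    host, path = check_doh_server(url)
    conn = http.client.HTTPSConnection(host, context=ctx)
    conn.request("POST", path, body=build_dns_query(name),
                 headers={"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE})
    resp = conn.getresponse()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0].strip()
    if resp.status != 200 or ctype != DOH_MEDIA_TYPE:
        raise RuntimeError("unexpected DoH response: %d %s" % (resp.status, ctype))
    return resp.read()                              # raw DNS response message
```

`send_doh_query` needs network access; the offline parts (the context policy, the URL check and the wire-format encoder) can be exercised on their own.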