Re: [Doh] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

bert hubert <bert.hubert@powerdns.com> Wed, 23 January 2019 14:37 UTC

Date: Wed, 23 Jan 2019 15:37:14 +0100
From: bert hubert <bert.hubert@powerdns.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: "A. Schulze" <sca@andreasschulze.de>, DoH WG <doh@ietf.org>
Message-ID: <20190123143714.GB18473@server.ds9a.nl>
References: <8999D6F3-600E-4F1A-903C-10F8CAA6E4F3@icann.org> <6f2860bd-2a7f-01b5-2ec9-9667d71e3f38@andreasschulze.de> <CAHbrMsAB4GaUJXY1VyQVc0QonY9afGUzWdT5znPw+K4M2V=kNQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/ArWy3ZevE1UoYq_tgkpl5ecQP-A>

On Wed, Jan 16, 2019 at 01:28:03PM -0500, Ben Schwartz wrote:
> DNS over TLS already supports a way for clients to upgrade from unencrypted
> DNS, by probing port 853 on the server's IP address.  I presume that's why
> DNS over TLS discovery was not mentioned in this draft.  Is probing port
> 853 sufficient for your use case?

With my "large scale internet service provider constituency" hat on, a major
problem for them is that many deployed CPEs announce themselves as the
nameserver. So over DHCP they will tell clients to use 192.168.1.1 for DNS.

This leads opportunistic DNS over TLS clients to probe the modem/router/CPE
for TLS support.  For many reasons, CPEs are hard to change substantially,
so it is not that easy to add 853 proxying or an actual DoT server on these
boxes.

So service providers would love to be able to configure a DoT server that
lives on a different IP address than the regularly configured plaintext
nameserver.

	Bert
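The probe behaviour Ben and Bert are discussing, as an added example that is not part of the thread and not anyone's product code: an opportunistic DoT client tries a TLS handshake on port 853 of the resolver it was handed over DHCP, and the CPE case from the message is modelled with constructed loopback listeners (a closed port for a CPE with nothing on 853, and a listener that answers with non-TLS bytes). The `associated_dot` parameter is a hypothetical "DoT server on a different IP than the plaintext resolver"; how such an address would be conveyed to clients is exactly the open question in the thread, so the example only shows what a client would do with it once it had one.

```python
"""Opportunistic DNS-over-TLS (RFC 7858, port 853) upgrade probe.

Added example modelling the client behaviour discussed in the thread and the
CPE failure mode it runs into. The loopback listeners are constructed
stand-ins for a CPE, not real devices.
"""
import socket
import ssl
import threading
from enum import Enum

DOT_PORT = 853


class Probe(Enum):
    OK = "ok"                    # TLS handshake completed: usable DoT server
    REFUSED = "refused"          # nothing listening (typical CPE on 192.168.1.1)
    UNREACHABLE = "unreachable"  # connect timed out, no route, or filtered
    NOT_TLS = "not_tls"          # port open but the peer does not speak TLS


def probe_dot(host, port=DOT_PORT, timeout=2.0):
    """Probe host:port the way an opportunistic DoT client does.

    Opportunistic profile: any certificate is accepted, so this only buys
    privacy against passive observers. An on-path attacker can push the
    client back to plaintext simply by refusing the connection, which is
    what a CPE without a DoT listener does by accident.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # opportunistic: no authentication
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return Probe.REFUSED
    except OSError:  # connect timeout, "no route to host", etc.
        return Probe.UNREACHABLE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return Probe.OK  # handshake runs inside wrap_socket
    except (socket.timeout, TimeoutError):
        return Probe.UNREACHABLE
    except OSError:  # ssl.SSLError (wrong version, EOF), reset, ...
        return Probe.NOT_TLS
    finally:
        raw.close()  # no-op once wrap_socket has taken the fd over


def choose_transport(dhcp_resolver, associated_dot=None, port=DOT_PORT, timeout=2.0):
    """Pick a transport as an opportunistic client would.

    `associated_dot` is hypothetical: a DoT server on a different IP than the
    plaintext resolver. It is tried first, then the DHCP-provided resolver;
    if neither upgrades, the client stays on plaintext Do53.
    """
    for candidate in (associated_dot, dhcp_resolver):
        if candidate and probe_dot(candidate, port, timeout) is Probe.OK:
            return ("dot", candidate)
    return ("do53", dhcp_resolver)


def closed_port():
    """Constructed: a loopback port with nothing listening, like 853 on a
    CPE that has no DoT service. Connecting to it is refused at once."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def simulate_non_tls_listener():
    """Constructed stand-in for a box that has something on the probed port
    but does not speak TLS: it swallows the ClientHello and answers junk."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.recv(4096)
                    conn.sendall(b"not a tls server\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    cpe = "127.0.0.1"  # stands in for the 192.168.1.1 handed out over DHCP
    print("CPE with nothing on 853:", probe_dot(cpe, closed_port()))
    print("CPE with a non-TLS service on 853:", probe_dot(cpe, simulate_non_tls_listener()))
    print("Resulting transport:", choose_transport(cpe, port=closed_port()))
```

Against a public resolver that actually serves DoT on 853 (Quad9 or Cloudflare, for instance) `probe_dot` returns `Probe.OK`; the constructed listeners above only exercise the refused and not-TLS paths, which is the situation the message describes. Note that `choose_transport` prefers the separately configured DoT address even when the DHCP resolver would also upgrade, and that nothing in this client authenticates the server: that is the price of the opportunistic profile, not a property of DoT itself.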