Re: [Doh] [Ext] Re: Associating a DoH server with a resolver

Ben Schwartz <bemasc@google.com> Sat, 23 March 2019 22:37 UTC

Return-Path: <bemasc@google.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E26FC130E71 for <doh@ietfa.amsl.com>; Sat, 23 Mar 2019 15:37:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.501
X-Spam-Level:
X-Spam-Status: No, score=-17.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEHS6T_4Mu2N for <doh@ietfa.amsl.com>; Sat, 23 Mar 2019 15:37:43 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72B9012D7F8 for <doh@ietf.org>; Sat, 23 Mar 2019 15:37:41 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id r21so1848795uan.11 for <doh@ietf.org>; Sat, 23 Mar 2019 15:37:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6M7Hcc06xb6nNlRXg1KYr+1mbxvjE9YWpwTz4jnDZ00=; b=ldvu5t98MO+BgMDtcSHCH9/bifK8MfV6cHDKuVLEP1LtvW13k1Zl/yjF30sONT8qYg UteH+T2iM0zzZpQfBJa1ytfHgQP+jPn+czYM8dkZrVZF1I1ENRs7XZsHLStPvLGPqcFl 795SB8+Hn4w9FUoBHkoiQAoWeDNN+Pm+6l5TbSpv8pcOAvXW+oD8oN0f/S9z/UD+dh+1 AtT0EC8OYLGuKiGppiRk64DH9M15x1rz0rFufP9x/xPZc12y7wW6W93zcEytJvprWDNZ VknB42G26CkrkZtnjUswlTEYk42plJe2cCuMxXbBc3KQkac02o9diGHyK3acxszyzc2i 3cog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6M7Hcc06xb6nNlRXg1KYr+1mbxvjE9YWpwTz4jnDZ00=; b=pJwlBt3dXI6H+DZGrs0AcDbVeMkQ/TKJPhMU/+IDHUzxZAPQA3k7mCPAls0H7tNX72 38syCHCao0nRkXfG5XXGfqFkYAfb6JXg6RkzlBlKLs3QKdUKG8FBfgnKJBwBSyRvQMp0 rN/4RlyLh5+9PTbiv4AvSET0hwquBfVttvUqyAkkZjylChFDo4eDX/KC1G6Jxq1NfS+b eNswIVtutJ1LyiIHIcj+f6nn3Ey0NsKNFhRjoZSIjTw05UYbY6CsOTg3PUimYmpIQqN3 +LYGoaWYorbv1P4t4pLGRJH6p4D9IAV+THRmuUicKi5MjMlIPszCu7qSw+MSNHHoZ5Ry B08g==
X-Gm-Message-State: APjAAAWCbU4lx/vCRuVSF+uP9sPI/gPhQe5Z/2xS+9nwu3utIvlgceUH 7Gyvy1f4SvHdbBw/0J8yP9ofnoJudLhvBOK+HQtQAA==
X-Google-Smtp-Source: APXvYqymrka/Du8lOcgCN6MuVcrdlO72S1u2LkLCNaLKJJoJf6QVpjSnpgOp91PHjVpEk3S2W00FdRjICwDve4qjSo4=
X-Received: by 2002:ab0:2248:: with SMTP id z8mr9839425uan.12.1553380660332; Sat, 23 Mar 2019 15:37:40 -0700 (PDT)
MIME-Version: 1.0
References: <02C39DFD-9550-447D-B00E-702B441A88BE@icann.org> <CABkgnnV2YMtcdOyMfE2NMH4L1ZbK4dcp1KQt3FttCfz-nfQd6A@mail.gmail.com> <C82FBB08-8DAA-4C50-8934-576596C2532F@icann.org> <CABkgnnVgZBp7bqv9u9iBbZAojQqbYAGWG54Ta5JKq_ycvaux1g@mail.gmail.com> <CABcZeBNObxKQWkhD=jz8Z7CL7iVnEE-O_QF5DkADu=s1=ux_rQ@mail.gmail.com> <2695a0e8-8373-8d33-7951-cfc5555ed254@nostrum.com> <CAKC-DJjuv8fVXkEnUHwxoBx4SRLGbhfR-ZxTJGciuKeN6qUgpA@mail.gmail.com>
In-Reply-To: <CAKC-DJjuv8fVXkEnUHwxoBx4SRLGbhfR-ZxTJGciuKeN6qUgpA@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Sat, 23 Mar 2019 18:37:29 -0400
Message-ID: <CAHbrMsCSarpMBfFq2cZ83XXdZcxX=zrvv1iziPf0Av9Hj=JgWQ@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Adam Roach <adam@nostrum.com>, Eric Rescorla <ekr@rtfm.com>, DoH WG <doh@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Paul Hoffman <paul.hoffman@icann.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="0000000000007c307d0584ca9e5d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/BukLJxZ8MMmHk9dbog2HIjM79-E>
Subject: Re: [Doh] [Ext] Re: Associating a DoH server with a resolver
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2019 22:37:46 -0000

On Sat, Mar 23, 2019 at 5:41 PM Erik Nygren <erik+ietf@nygren.org> wrote:

> On Tue, Oct 23, 2018 at 11:40 PM Adam Roach <adam@nostrum.com> wrote:
>
>>
>> So, e.g., interested clients would query for a URI record of type
>> _doh._tcp.resolvers.arpa, and get back a full HTTPS URL as a response.
>>
>
> Reviving this suggestion after reading some recent threads, this approach
> (query your local OS-configured resolver for a URI record with a well-known
> name) seems like a reasonably cleanish way to opportunistically get a DoH
> server URI associated with the currently configured resolver. It's arguably
> less of a hack than cramming things into a TXT record on a reverse DNS IP.
>

Technically, a DoH configuration is a "URI template", not a URI.
(Typically, this means it contains a substring like "{dns}".)  Do you
consider this similar enough to be a good use of the URI RRtype?


> (Martin asked on a more recent thread something along the lines of "why
> don't we just do a .well-known lookup against the network-configured
> resolver, and something like this seemed like the best equivalent.)
>
> For better or worse it would also work when a caching forwarding resolver
> is present in passing through the record from whatever the caching
> forwarding resolver (e.g., dnsmasq in a home gateway) was pointing to. It
> also has the benefit that clients don't need to know the IP address of
> their resolver, they just need to be able to do a URI record lookup
> against a well-known name.
>
> Especially if the OS helps mediate DoH server selection (which would be
> beneficial long-term regardless) the exact OS APIs that exist today are
> somewhat less interesting.
>
>       Erik
>
>
> (Purely for entertainment value: this well-known name could be in some
> other class like CHAOS rather than IN, like some other
> recursive-resolver-synthesized names like "version.bind txt chaos". This
> is not meant to be a serious suggestion.)
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>
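Worked example of the mechanism the thread is weighing: a client decodes the RDATA of a URI resource record (RFC 7553 wire layout: 16-bit priority, 16-bit weight, then the target octets), treats the target as an RFC 8484 DoH URI template rather than a plain URI (the distinction Ben raises above), checks it before trusting it, and expands the template into a GET URL. This is an added illustration, not code from the thread or from any resolver or DoH client; the owner name `_doh._tcp.resolvers.arpa`, the resolver host `doh.resolver.example` and the RDATA bytes are constructed here. It uses the RFC 8484 spelling `{?dns}` for the template variable, which is what "a substring like {dns}" refers to in practice.

```python
"""Decode a URI RR and use its target as a DoH URI template (RFC 7553 + RFC 8484).

Added example; the sample record below is constructed, not a live lookup of
_doh._tcp.resolvers.arpa, and doh.resolver.example is a hypothetical host.
"""
import base64
import struct
from urllib.parse import urlsplit

# Constructed URI RR RDATA as a resolver might return it for the well-known
# name: priority 10, weight 1, target = an RFC 8484-style template.
SAMPLE_RDATA = struct.pack("!HH", 10, 1) + b"https://doh.resolver.example/dns-query{?dns}"


def parse_uri_rdata(rdata: bytes):
    """RFC 7553 section 4: priority, weight, then the target fills the RDATA."""
    if len(rdata) < 5:
        raise ValueError("URI RDATA too short")
    priority, weight = struct.unpack("!HH", rdata[:4])
    return priority, weight, rdata[4:].decode("utf-8")


def validate_doh_template(template: str) -> str:
    """Only accept an https template whose single variable is {?dns}.

    A record learned from the network is untrusted input: refuse http://,
    templates with other variables, and {?dns} placed after an existing query
    string (RFC 6570 would need {&dns} there).
    """
    stripped = template.replace("{?dns}", "")
    if "{" in stripped or "}" in stripped:
        raise ValueError("unsupported template variable in %r" % template)
    parts = urlsplit(stripped)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("DoH template must be an https URI: %r" % template)
    if parts.query and "{?dns}" in template:
        raise ValueError("{?dns} cannot follow an existing query string")
    return template


def is_acceptable_template(template: str) -> bool:
    """Boolean wrapper around validate_doh_template for callers that just filter."""
    try:
        validate_doh_template(template)
        return True
    except ValueError:
        return False


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire query; ID 0 as RFC 8484 recommends for cache friendliness."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def expand_get_url(template: str, dns_query: bytes) -> str:
    """RFC 8484 section 6: expand {?dns} with the unpadded base64url wire query."""
    if "{?dns}" not in template:
        raise ValueError("template has no {?dns}; this server is POST-only")
    value = base64.urlsafe_b64encode(dns_query).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + value)


def discovered_doh_get_url(rdata: bytes, dns_query: bytes) -> str:
    """End to end: URI RR RDATA -> validated template -> concrete GET URL."""
    _priority, _weight, target = parse_uri_rdata(rdata)
    return expand_get_url(validate_doh_template(target), dns_query)


if __name__ == "__main__":
    print(discovered_doh_get_url(SAMPLE_RDATA, build_query("www.example.com")))
```

The expansion of the constructed record with an A query for www.example.com yields the same `dns=` value as the GET example in RFC 8484 section 4.1.1, which is a handy check that the wire encoding and base64url handling are right. Note that the validation deliberately says nothing about whether the discovered server should be trusted; it only keeps an attacker-controlled record from steering the client to a cleartext or malformed endpoint.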