Re: [Doh] [Ext] Re: Associating a DoH server with a resolver
Eric Rescorla <ekr@rtfm.com> Wed, 24 October 2018 03:19 UTC
References: <02C39DFD-9550-447D-B00E-702B441A88BE@icann.org> <CABkgnnV2YMtcdOyMfE2NMH4L1ZbK4dcp1KQt3FttCfz-nfQd6A@mail.gmail.com> <C82FBB08-8DAA-4C50-8934-576596C2532F@icann.org> <CABkgnnVgZBp7bqv9u9iBbZAojQqbYAGWG54Ta5JKq_ycvaux1g@mail.gmail.com>
In-Reply-To: <CABkgnnVgZBp7bqv9u9iBbZAojQqbYAGWG54Ta5JKq_ycvaux1g@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 23 Oct 2018 20:18:32 -0700
Message-ID: <CABcZeBNObxKQWkhD=jz8Z7CL7iVnEE-O_QF5DkADu=s1=ux_rQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003569730578f0f319"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/J6o6z5xsp-NHbhua_kRI2jRxT9E>
Subject: Re: [Doh] [Ext] Re: Associating a DoH server with a resolver
Several points here:

1. As a matter of aesthetics, I agree with Martin that domain names would be better.

2. Martin sent a link to a method for resolving TXT records on Windows. MacOS has its own API: https://developer.apple.com/documentation/dnssd/1804747-dnsservicequeryrecord?language=objc . So, this doesn't seem prohibitive to me.

3. It seems like in the use case for which this draft is specified, the whole thing is pretty opportunistic, so IP address certs wouldn't be required.

4. There are other use cases for which it might be nice to have real domain names, in which case the IP address cert thing is a pain.

For these reasons, I think a domain name in TXT or the like would be better.

-Ekr

On Tue, Oct 23, 2018 at 6:22 PM Martin Thomson <martin.thomson@gmail.com> wrote:

> On Wed, Oct 24, 2018 at 12:12 PM Paul Hoffman <paul.hoffman@icann.org> wrote:
> > There is no way for an application like a browser to send a query through the OS for anything other than address records. That is, gethostbyname() and its equivalents only pass back address records. Even if an application had its own DNS stack to make queries for other RRtypes, it doesn't have any way to know where to send them to.
>
> Well, resolver-addresses.arpa./IN/A(AAA) might still be useful for that then. That's not ideal, but I believe that there are ways to make queries for other record types that are more available now than perhaps there were in the past (see https://docs.microsoft.com/en-us/windows/desktop/api/windns/nf-windns-dnsquery_a for example).
>
> >> IP-based certificates [...] impossible to deploy in many cases (think of the many resolvers with 1918 addresses, for example).
> >
> > They don't make it "impossible" by a long shot. Plenty of resolvers, even corporate resolvers, have public addresses.
>
> True, it is probably still possible, but it's not like you can just use ACME to get the certificate. That's "possible" in theory, but I'm looking for practicable.
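The domain-name versus IP-address trade-off argued in this thread, as an added example that is not from the draft or from any poster: given a DoH URI template (RFC 8484 style, `https://host/dns-query{?dns}`) that a client has learned from a TXT record, it classifies the host and reports which authentication path is available. The TXT record format, the sample records, and the non-public address list are assumptions made for the example.

```python
"""Classify a DoH endpoint learned from a (hypothetical) TXT record.

Constructed example: the record format is assumed to carry an RFC 8484
URI template. The point illustrated is the one from the thread: a domain
name can be authenticated with an ordinary WebPKI certificate, a public
IP literal needs an iPAddress-SAN certificate (harder to obtain), and an
RFC 1918 / link-local / loopback address cannot get a public CA
certificate at all, so only opportunistic use remains.
"""
import ipaddress
from urllib.parse import urlsplit

# Non-public ranges (assumption for this example: RFC 1918, loopback,
# link-local, IPv6 ULA and link-local). Listed explicitly rather than via
# ipaddress.is_private so the result does not depend on the Python version.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def host_from_template(template: str) -> str:
    """Extract the host from a DoH URI template; the '{?dns}' variable is
    removed first so the remainder is a plain URL. IPv6 brackets are
    stripped by urlsplit()."""
    parts = urlsplit(template.replace("{?dns}", ""))
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https DoH template: {template!r}")
    return parts.hostname


def classify(template: str) -> dict:
    """Return the host kind and the authentication path a client could use."""
    host = host_from_template(template)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A domain name: normal WebPKI / ACME-issued certificate applies.
        return {"host": host, "kind": "name", "auth": "webpki"}
    if any(ip in net for net in NON_PUBLIC):
        return {"host": host, "kind": "ip-non-public", "auth": "opportunistic-only"}
    return {"host": host, "kind": "ip-public", "auth": "ip-san-cert"}


# Constructed sample TXT record values, one per advertised server.
SAMPLE_TXT = [
    "https://dns.example.net/dns-query{?dns}",
    "https://192.168.1.1/dns-query{?dns}",
    "https://[2001:db8::53]/dns-query{?dns}",
]

if __name__ == "__main__":
    for rec in SAMPLE_TXT:
        print(rec, "->", classify(rec))
```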