Re: [Doh] A question of trust (was Re: Draft -09 and WGLC #2)

Mark Nottingham <mnot@mnot.net> Tue, 29 May 2018 01:35 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAOdDvNrPU9WM3WgcX1AVF39D3bGdxCKgPAF_afhfv2Qt0pZR5g@mail.gmail.com>
Date: Tue, 29 May 2018 11:35:14 +1000
Cc: Martin Thomson <martin.thomson@gmail.com>, DoH WG <doh@ietf.org>, Andrew Sullivan <ajs@anvilwalrusden.com>
Message-Id: <DEED4EBF-5782-4C8E-A9D5-543429EB4E32@mnot.net>
References: <CAHbrMsCxkogJ-fzubf7cPgvbeGAhWUFKV3crrmn4ee6=fDnqwQ@mail.gmail.com> <382ba525100a4561b086fe8b8b6527be@ustx2ex-dag1mb3.msg.corp.akamai.com> <603D7553-D1A9-4DCC-9E74-199059C56A9F@sinodun.com> <1daad94d-99c1-803a-f52c-1dd17adefb7a@o2.pl> <CAOdDvNrpLwF5jpn1YA4-HXsfGxVkdds+xHVd6Bxy0Ux+3nrcrA@mail.gmail.com> <CA9BEE64-9F16-4CCC-A1E0-4C7FD45C455C@icann.org> <20180528161043.GB12038@mx4.yitter.info> <CABkgnnV3kKFCzKLfPf_0WZh95jr2vEt652Rb4EozfqROCVsJdA@mail.gmail.com> <CAOdDvNrPU9WM3WgcX1AVF39D3bGdxCKgPAF_afhfv2Qt0pZR5g@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/JhFJTIMmYA2IxbQJdJzbTviiKFk>
Subject: Re: [Doh] A question of trust (was Re: Draft -09 and WGLC #2)

On 29 May 2018, at 11:30 am, Patrick McManus <pmcmanus@mozilla.com> wrote:
> 
> "A DNS API client uses configuration to select the URI, and thus the DNS API server, used for resolution. [RFC2818] defines how HTTPS verifies the server's identity.
> 
> A client MUST NOT use a different URI simply because it was discovered outside of configuration. Specifically, this specification does not extend DNS resolution privileges to URIs that are not recognized by the DNS API client as configured URIs. A future specification may support this case."

I was thinking along the same lines, so +1 (although we could have a conversation about whether a MUST NOT is appropriate here...).


--
Mark Nottingham   https://www.mnot.net/
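The rule quoted in the message above, that a DNS API client resolves only through a URI it was configured with and never through one it merely discovered, is short to state but is exactly the place a client gets wrong when it follows an HTTP redirect, a captive-portal hint or a URI carried in some DNS record. The following is an added example, not code from this thread, the draft or any DoH implementation: a minimal Python client that builds the DoH GET request for a configured server and refuses any URI that arrives out of band. The resolver name doh.example.net and the attacker URI are placeholders; the wire format assumed is the one in the published spec (RFC 8484: base64url `dns` parameter, DNS message ID 0). It performs no network I/O.

```python
"""Configured-URI enforcement for a DNS-over-HTTPS client (added example).

Only URIs in CONFIGURED_URIS are ever used for resolution; a URI offered
by anything else (redirect, DNS record, captive portal) is rejected.
"""
import base64
import struct
from urllib.parse import urlsplit

# Hypothetical configured DoH server(s); the hostname is a placeholder.
CONFIGURED_URIS = frozenset({"https://doh.example.net/dns-query"})


class UntrustedResolverURI(Exception):
    """A URI was offered for DoH resolution that was not configured."""


def build_dns_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Encode an RFC 1035 wire-format query for one QNAME/QTYPE, class IN.

    qid defaults to 0, which RFC 8484 recommends so that identical queries
    produce identical (and therefore cacheable) HTTP requests.
    """
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(base_uri: str, query: bytes) -> str:
    """Form the DoH GET URL: <uri>?dns=<base64url of the query, unpadded>."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in base_uri else "?"
    return f"{base_uri}{sep}dns={encoded}"


def is_configured(uri: str, configured=CONFIGURED_URIS) -> bool:
    """True only for an exact match against configuration, over https."""
    return uri in configured and urlsplit(uri).scheme == "https"


def select_server(offered_uri: str, configured=CONFIGURED_URIS) -> str:
    """Return the offered URI only if it is configured; otherwise refuse.

    This is the MUST NOT in the quoted draft text: discovering a URI does
    not grant it resolution privileges.
    """
    if not is_configured(offered_uri, configured):
        raise UntrustedResolverURI(offered_uri)
    return offered_uri


def resolve_request(name: str, offered_uri: str, configured=CONFIGURED_URIS) -> str:
    """Build the full GET request URL for a configured server, or refuse."""
    server = select_server(offered_uri, configured)
    return doh_get_url(server, build_dns_query(name))


if __name__ == "__main__":
    print(resolve_request("www.example.com", "https://doh.example.net/dns-query"))
    # A "discovered" URI, e.g. from a 302 Location header, is refused:
    try:
        resolve_request("www.example.com", "https://attacker.example/dns-query")
    except UntrustedResolverURI as exc:
        print("refused:", exc)
```

Note that the check is an exact-match allowlist, not a prefix or host match: an HTTP-level redirect from a configured server to a different URI is also refused, which is the conservative reading of the quoted text pending the "future specification" it mentions.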