Re: [Doh] [EXTERNAL] Re: [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

Jim Reid <jim@rfc1035.com> Tue, 22 January 2019 12:50 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CBEE130F53 for <doh@ietfa.amsl.com>; Tue, 22 Jan 2019 04:50:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5Nuu91bkZA8 for <doh@ietfa.amsl.com>; Tue, 22 Jan 2019 04:50:10 -0800 (PST)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA6AF130F3E for <doh@ietf.org>; Tue, 22 Jan 2019 04:50:09 -0800 (PST)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id EA20E242109D; Tue, 22 Jan 2019 12:50:07 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <E01E2A24-DEEB-47AF-9A4E-84C697AB596B@sky.uk>
Date: Tue, 22 Jan 2019 12:50:07 +0000
Cc: DoH Working Group <doh@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9DD0939A-4678-4AAD-867E-1C2C36E124DD@rfc1035.com>
References: <8999D6F3-600E-4F1A-903C-10F8CAA6E4F3@icann.org> <1547674141.291889.1636540384.54D5BB3E@webmail.messagingengine.com> <78C9AA8D-1599-46F1-91C7-356E58DD960A@icann.org> <FDE64B61-4CD2-4076-8075-909DB6AC1B49@sinodun.com> <E01E2A24-DEEB-47AF-9A4E-84C697AB596B@sky.uk>
To: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/K3O2tr32n7Lpk57JYRfEsufee3w>
Subject: Re: [Doh] [EXTERNAL] Re: [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jan 2019 12:50:15 -0000

On 22 Jan 2019, at 12:15, Winfield, Alister <Alister.Winfield=40sky.uk@dmarc.ietf.org> wrote:
> 
> how about putting the information in the reverse zone for the resolver.
>  ... This is delegated and could be DNSSEC signed.

It won't work for RFC1918 address space.

The bootstrapping problem isn’t solved either. Presumably you’d still be relying on DHCP or something equally insecure to get the IP addresses of the resolving servers.

If a stub resolver gets configured in some other way -- editing /etc/resolv.conf for instance -- that might as well include whatever voodoo is needed for trusted DoH or DoT servers.

And what if that reverse zone isn’t signed? 

Then there are the issues when that zone isn’t managed by the same entity which manages the corresponding forward zone. This is quite common. For example, if I was a Sky customer I very much doubt I’d be able to add/remove/replace one of these hypothetical RRs in whatever Sky reverse zone happens to be “hosting” the IP address of my DoH server today. And if/when I reconnect to your net and get a different IP address, what happens to the old TXT record?

> If my resolver is a.b.c.d then you could put TXT records in the reverse..

That’s a Bad Idea. TXT records are already overloaded (abused?) for all sorts of things. A discrete RRtype would be better. Assuming this suggestion got picked up.