From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <E01E2A24-DEEB-47AF-9A4E-84C697AB596B@sky.uk>
Date: Tue, 22 Jan 2019 12:50:07 +0000
Cc: DoH Working Group <doh@ietf.org>
Message-Id: <9DD0939A-4678-4AAD-867E-1C2C36E124DD@rfc1035.com>
References: <8999D6F3-600E-4F1A-903C-10F8CAA6E4F3@icann.org>
 <1547674141.291889.1636540384.54D5BB3E@webmail.messagingengine.com>
 <78C9AA8D-1599-46F1-91C7-356E58DD960A@icann.org>
 <FDE64B61-4CD2-4076-8075-909DB6AC1B49@sinodun.com>
 <E01E2A24-DEEB-47AF-9A4E-84C697AB596B@sky.uk>
To: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/K3O2tr32n7Lpk57JYRfEsufee3w>
Subject: Re: [Doh] [EXTERNAL] Re: [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

On 22 Jan 2019, at 12:15, Winfield, Alister <Alister.Winfield=40sky.uk@dmarc.ietf.org> wrote:
> 
> how about putting the information in the reverse zone for the resolver.
>  ... This is delegated and could be DNSSEC signed.

It won't work for RFC1918 address space.

The bootstrapping problem isn’t solved either. Presumably you’d still be relying on DHCP or something equally insecure to get the IP addresses of the resolving servers.

If a stub resolver gets configured in some other way -- editing /etc/resolv.conf for instance -- that might as well include whatever voodoo is needed for trusted DoH or DoT servers.

And what if that reverse zone isn’t signed?

Then there are the issues when that zone isn’t managed by the same entity which manages the corresponding forward zone. This is quite common. For example, if I was a Sky customer I very much doubt I’d be able to add/remove/replace one of these hypothetical RRs in whatever Sky reverse zone happens to be “hosting” the IP address of my DoH server today. And if/when I reconnect to your net and get a different IP address, what happens to the old TXT record?

> If my resolver is a.b.c.d then you could put TXT records in the reverse..

That’s a Bad Idea. TXT records are already overloaded (abused?) for all sorts of things. A discrete RRtype would be better. Assuming this suggestion got picked up.
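Added example, not code from this thread or from the draft: it works out the reverse-zone owner name a resolver's address would map to, and flags the RFC 1918 case the message raises, where no publicly delegated reverse zone exists to carry the record at all. The RFC 1918 ranges are fixed by that RFC; treating every other non-global address as equally unusable is an assumption made here for illustration.

```python
import ipaddress
from typing import Tuple

# RFC 1918 ranges: their reverse zones are not publicly delegated, so a
# record placed there is invisible (and unverifiable) beyond the local net.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def reverse_name(addr: str) -> str:
    """Owner name (in-addr.arpa / ip6.arpa) a record for this address would use."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone_usable(addr: str) -> Tuple[bool, str]:
    """Decide whether the reverse zone of a resolver address could carry a
    discovery record at all. Returns (usable, reason or owner name)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return False, "RFC 1918 address: reverse zone is not publicly delegated"
    if not ip.is_global:
        # Loopback, link-local, ULA, documentation and similar ranges have no
        # public reverse delegation either (assumption for illustration).
        return False, "non-global address: no public reverse delegation"
    return True, reverse_name(addr)


if __name__ == "__main__":
    # Constructed inputs: a typical home-router resolver address, plus the
    # two public addresses that appear in this message's own mail headers.
    for a in ("192.168.1.1", "195.54.233.69", "2001:4b10:100:7::25"):
        print(a, reverse_zone_usable(a))
```

Even where the function says the zone is usable, the record is only worth trusting if the reverse zone is DNSSEC-signed and the answer validates, which this check does not (and cannot, offline) establish.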

