[Doh] DNSSEC, DOH, and DNS headers

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 19 March 2018 14:40 UTC

From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: doh@ietf.org
Message-ID: <20180319143929.tgndmrvdggewpcqv@mx4.yitter.info>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/Mgvp-WUOK-dKutzp5zy7K2bg5EI>
Subject: [Doh] DNSSEC, DOH, and DNS headers

Hi,

Section 6 of -03 says this:

   Different response media types will provide more or less information
   from a DNS response.  For example, one response type might include
   the information from the DNS header bytes while another might omit
   it.

But section 9 says

   A DNS API client may also perform full
   DNSSEC validation of answers received from a DNS API server or it may
   choose to trust answers from a particular DNS API server, much as a
   DNS client might choose to trust answers from its recursive DNS
   resolver.

It seems to me that these are in tension with one another, because the
AD and CD bits are in the header that the response type is permitted
to throw away.  Maybe it could be resolved thus:

NEW

   A DNS API client may also perform full
   DNSSEC validation of answers received from a DNS API server or it may
   choose to trust answers from a particular DNS API server, much as a
   DNS client might choose to trust answers from its recursive DNS
   resolver.  This capability might be affected by the response media
   type a DNS API server supports.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
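As an added illustration of the point raised above (example code, not part of the message or of the draft): the AD and CD bits live in byte 3 of the 12-byte DNS header, so a client that wants to trust a server's validation rather than validate itself has nothing to check once a response media type drops the header. The two wire-format headers below are constructed for the example.

```python
import struct
from typing import Optional

# Constructed 12-byte DNS response headers (not taken from the message or the
# draft): ID=0x1234, QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0.
# flags=0x81a0 -> QR=1, RD=1, RA=1, AD=1: the server asserts it validated.
VALIDATED_RESPONSE = bytes.fromhex("123481a00001000100000000")
# flags=0x8190 -> QR=1, RD=1, RA=1, CD=1: checking disabled, AD clear.
UNVALIDATED_RESPONSE = bytes.fromhex("123481900001000100000000")


def parse_header(msg: bytes) -> dict:
    """Decode the DNS header (RFC 1035 layout, AD/CD bits from RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: no complete header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # Authentic Data: server validated the answer
        "cd": bool(flags & 0x0010),  # Checking Disabled: validation was not requested
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def server_vouches_for_answer(header: dict) -> bool:
    """True only when the server asserts successful DNSSEC validation."""
    return header["ad"] and not header["cd"] and header["rcode"] == 0


def can_rely_on_server_validation(response_has_header: bool,
                                  msg: Optional[bytes]) -> bool:
    """A client that trusts the server instead of validating itself needs the
    AD bit; a media type that omits the DNS header leaves it nothing to check,
    so the only safe answer is 'no'."""
    if not response_has_header or msg is None:
        return False
    return server_vouches_for_answer(parse_header(msg))
```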