Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

Erik Nygren <> Tue, 26 March 2019 22:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CC1731200FA for <>; Tue, 26 Mar 2019 15:46:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.647
X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VljnxSxXrlzs for <>; Tue, 26 Mar 2019 15:46:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1A5031200F8 for <>; Tue, 26 Mar 2019 15:46:40 -0700 (PDT)
Received: by with SMTP id z6so3447975wmi.0 for <>; Tue, 26 Mar 2019 15:46:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ojHqcbaHfbwuNOnhIDW2feSB+0oBGyCxWPTrZIBPyiw=; b=lt4v7YSATuoCSavQtWEMMp10n7paaqsInVWC5kMs2/u3LZHqj4WvcK0eS3S/WzrruG bqgwAS5IhdGoed1fvxv6845kdLNoi8GcA9pQF6ZRtOZLgzmQHN4GhqT/bJlfi/aseenN h4kA5FHh7KtX98Ukc5KNIY8ZZPTxDPUqQ3IGEz2QEwJ2OB7AUdr2llFTAFMmKWCDDdu4 q5BlCptl54K2ax51Uc44PMvNGFtlYiyPCZvxQQH4tRrC2TYPYfFbjNzOR8KPUQeFCnyA HSE/szxt1KMSlESLzlJB+pp3YznP8pgwsZe3gxf8lBP7hla+EnABe8zfV+u7cR3XozAG 7pJQ==
X-Gm-Message-State: APjAAAWWk7Br6EXy7+vlyFQ7eYZ5KMEy1nJV2xZHBe+HAepS8ZKUpUqX DMX5YOBCD/UCup0Kpatd1nv87InfmSBGE7oNC9o=
X-Google-Smtp-Source: APXvYqzrkvpHUIYjneqoIFV2HnetINDSU56JMVo8Agk47cqkMKM2i7jgK8zstzfwhKQ3FPUCk6v3XwpsAUnzrQfJSXQ=
X-Received: by 2002:a1c:98c9:: with SMTP id a192mr11455221wme.44.1553640398158; Tue, 26 Mar 2019 15:46:38 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: Erik Nygren <>
Date: Tue, 26 Mar 2019 18:46:26 -0400
Message-ID: <>
To: Patrick McManus <>
Cc: tirumal reddy <>, nusenu <>, DoH WG <>
Content-Type: multipart/alternative; boundary="0000000000000a838605850718fd"
Archived-At: <>
Subject: Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Mar 2019 22:46:42 -0000

On Tue, Mar 26, 2019 at 6:26 AM Patrick McManus <>

> right. The weakness here is that validating a name that probably comes
> from an unauthenticated source is not a very strong signal. That seems
> inherent in the draft, but maybe worth calling out more explicitly.

Right.  It typically comes from unauthenticated DHCP or RDNSS.

One thought I've pondered is whether there is a way to apply policy to the
hostname in the DoH template URL, as that is an authenticated hostname.
For example, clients could validate against a blacklist of known-bad DoH
server hostnames/domains.  This may not scale well enough to be viable.
But we are inherently getting unauthenticated data from an unauthenticated
source.  But that unauthenticated data is something which is possible to
authenticate and possibly authorize based on the hostname.

A similar model is done in Provisioning Domains where unauthenticated PvDs
come from the network and are used to construct well-known URLs:

How to make this practical is where I get stuck.  :-)