Re: [Doh] Seeking input on draft-03
Ben Schwartz <bemasc@google.com> Thu, 08 February 2018 18:21 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/PC2hjXh8g1KAK4luc2jm1dtV31A>
List-Id: DNS Over HTTPS <doh.ietf.org>
On Thu, Feb 8, 2018 at 1:11 PM, Mike Bishop <mbishop@evequefou.be> wrote:

> I’m inclined to think this is a positive change. We’re trying to do
> something better than the current world of “trust the local DNS server
> because unauthenticated DHCP says so”, and promiscuous trust just because a
> server claims it supports DOH via a .well-known endpoint isn’t really any
> better.

To be clear, the draft never proposed promiscuous trust, which would indeed be highly problematic. However, draft-03 does include additional language clarifying this point.

> The client should know the hostname(s) of the DOH server(s) it wants to use

In draft-03, "knowing the hostname" is not sufficient, because there is no default path for DOH. This is the change on which I am seeking input.

> , and it should authenticate the DOH server against that hostname.

Yes, definitely. (I believe the draft is clear on this point, but feel free to suggest improvements.)

> If a server hosts content and also wants to serve DOH, there are
> ways to present a hostname that covers both names (or present two
> certificates) on an HTTP connection.
>
> *From:* Doh [mailto:doh-bounces@ietf.org] *On Behalf Of *Ben Schwartz
> *Sent:* Thursday, February 8, 2018 10:05 AM
> *To:* doh@ietf.org
> *Subject:* [Doh] Seeking input on draft-03
>
> Hi all,
>
> The authors of draft-ietf-doh-dns-over-https have been making good
> progress, and a draft-03 is now ready with several changes and
> clarifications.
>
> One important difference is that draft-03 no longer proposes a
> ".well-known" entry. In draft-02 and prior, clients could check for the
> presence of a DOH service at the default path, given only the domain name
> of a server. In draft-03, there is no default path, so clients must be
> configured with the full URL of the DOH endpoint.
>
> Is this change compatible with your use cases? Would this alter the way
> users interact with your systems? How do you think DOH client
> configuration should work?
>
> Please respond with your thoughts,
>
> Ben Schwartz
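The two requirements the exchange above settles on, that a draft-03 client is configured with a full URL rather than a bare hostname plus default path, and that it authenticates the DOH server against the hostname in that URL, can be made concrete in a few lines of client-side configuration checking. The following is an added example written for this page; it is not code from the thread, the draft, or any DoH implementation. `validate_doh_endpoint`, `is_acceptable_doh_url`, `tls_context_for` and `DohEndpoint` are names invented here, and the rejection of userinfo in the URL is an assumption of this example rather than something the draft states.

```python
# Added example (not code from the DOH thread, the draft, or any DoH implementation):
# a client-side check for a configured DoH endpoint under the draft-03 model,
# where the client is given the full URL (there is no default path) and must
# authenticate the server against that URL's hostname.
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DohEndpoint:
    host: str   # hostname the TLS certificate must be validated against
    port: int   # 443 unless the configured URL says otherwise
    path: str   # explicit path; draft-03 provides no default to fall back on


def validate_doh_endpoint(url: str) -> DohEndpoint:
    """Parse a configured DoH URL and enforce what a client needs before use.

    Rules (the first three follow the thread; the last is an assumption of
    this example):
      * scheme must be https, otherwise there is nothing to authenticate;
      * a hostname must be present, since that is what the certificate is checked against;
      * the path must be present, since draft-03 defines no default path;
      * userinfo (user:pass@) is rejected so credentials never live in resolver config.
    """
    parts = urlsplit(url)  # lowercases scheme and hostname for us
    if parts.scheme != "https":
        raise ValueError(f"DoH endpoint must use https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("DoH endpoint URL must not carry userinfo")
    host = parts.hostname
    if not host:
        raise ValueError("DoH endpoint URL has no hostname")
    if not parts.path:
        raise ValueError("DoH endpoint URL has no path and draft-03 defines no default")
    # parts.port raises ValueError itself on a malformed port, which is what we want
    port = parts.port if parts.port is not None else 443
    return DohEndpoint(host=host, port=port, path=parts.path)


def is_acceptable_doh_url(url: str) -> bool:
    """Boolean convenience wrapper for config loaders that only need accept/reject."""
    try:
        validate_doh_endpoint(url)
    except ValueError:
        return False
    return True


def tls_context_for(endpoint: DohEndpoint) -> ssl.SSLContext:
    """TLS settings that authenticate the DoH server against the configured host.

    check_hostname plus CERT_REQUIRED is what turns "authenticate the DOH server
    against that hostname" into an enforced check. The server_hostname handed to
    wrap_socket at connect time must be endpoint.host, never a name learned from
    DHCP or from an unauthenticated DNS answer.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed sample configurations; only the first is usable under draft-03.
    for candidate in (
        "https://dns.example.net/dns-query",   # full URL with explicit path
        "https://dns.example.net",             # hostname only: no default path exists
        "http://dns.example.net/dns-query",    # plaintext: nothing to authenticate
    ):
        print(candidate, "->", "ok" if is_acceptable_doh_url(candidate) else "rejected")
```

At connect time the client would call `tls_context_for(endpoint).wrap_socket(sock, server_hostname=endpoint.host)`; keeping the hostname tied to the validated configuration object is what prevents a network-supplied name from quietly becoming the authentication target.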