Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

tirumal reddy <kondtir@gmail.com> Tue, 26 March 2019 08:47 UTC

References: <155341529409.18062.10657099011172813446@ietfa.amsl.com> <20190325110136.GA23793@laperouse.bortzmeyer.org> <08BD5718-CD1F-47B3-A4FB-4040F8E9FC4B@icann.org> <236b4e32-3184-9792-a162-e3db3d09922b@riseup.net>
In-Reply-To: <236b4e32-3184-9792-a162-e3db3d09922b@riseup.net>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 26 Mar 2019 09:47:23 +0100
Message-ID: <CAFpG3gdU9g06hq+PTCVYZy7fG4A0QGAYmOrEEoPT5d4OiTom+w@mail.gmail.com>
To: nusenu <nusenu-lists@riseup.net>
Cc: doh@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/RAnWvk6eCGl2WYt3yj9i40j3rlA>
Subject: Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

On Mon, 25 Mar 2019 at 20:27, nusenu <nusenu-lists@riseup.net> wrote:

>
>
> Paul Hoffman wrote:
> > Would this document be better off with all three methods being
> > equally unauthenticated? Doing so would remove the "but you can't get
> > IP address certificates!" argument that keeps coming up (even though
> > that is overstated). Doing so would simplify the security
> > considerations by making all three protocols have the same obvious
> > weakness.
> >
> > An alternative is to have two URI, one with https: and one with
> > http:, and explain that trying the first might be a good idea but to
> > fall back to the second if authentication fails.
> >
> > Thoughts?
>
>
> Since implementations might choose to implement only
> the authenticated discovery portion using authenticated https
> I'd suggest to keep https in.
>

Agreed, and with our proposal in https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-02, the query for URI templates can use an FQDN instead of an IP address, and the HTTPS server certificate can be validated by the DoH client.

-Tiru


>
>
> --
> https://twitter.com/nusenu_
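An added example, written for this archive page and not code from either draft or any DoH implementation, showing the client-side consequence of the point above: a DoH URI template that names an FQDN can be authenticated against a dNSName SAN in the server certificate, while a template that names only an IP literal can be authenticated only if the certificate carries a matching iPAddress SAN. All templates, hostnames and SAN values are constructed; the SAN entries use the `("DNS", ...)` / `("IP Address", ...)` shape that `ssl.getpeercert()` reports.

```python
import ipaddress
from urllib.parse import urlsplit


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: exact, or one wildcard as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard only as the entire leftmost label, never covering a bare TLD,
    # and the label counts must agree (a wildcard matches exactly one label).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def endpoint_authenticatable(uri_template: str, san_entries: list[tuple[str, str]]) -> tuple[bool, str]:
    """Decide whether the endpoint named by a DoH URI template can be authenticated.

    uri_template: e.g. "https://doh.example.net/dns-query{?dns}" (constructed).
    san_entries: (type, value) pairs from the server certificate's SAN extension.
    Returns (ok, reason).
    """
    parts = urlsplit(uri_template)
    host = parts.hostname  # strips IPv6 brackets and lowercases
    if parts.scheme != "https" or not host:
        return False, "not an https URI template"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP-literal endpoint: only an iPAddress SAN can authenticate it.
        for kind, value in san_entries:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "iPAddress SAN matches"
        return False, "IP literal endpoint without matching iPAddress SAN"
    # FQDN endpoint (the case the bootstrap draft enables): ordinary name matching.
    for kind, value in san_entries:
        if kind == "DNS" and _dns_name_matches(value, host):
            return True, f"dNSName SAN {value!r} matches"
    return False, "no dNSName SAN matches the FQDN"
```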