Re: [Doh] Seeking input on draft-03

Mike Bishop <mbishop@evequefou.be> Thu, 08 February 2018 18:11 UTC

From: Mike Bishop <mbishop@evequefou.be>
To: Ben Schwartz <bemasc@google.com>, "doh@ietf.org" <doh@ietf.org>
Date: Thu, 08 Feb 2018 18:11:05 +0000
Message-ID: <MWHPR08MB2432FFCE097EBBB1279EAC2EDAF30@MWHPR08MB2432.namprd08.prod.outlook.com>
References: <CAHbrMsDwWvtcZy8fpg9gs3o+gc_umi9okJW6rvv+s4T7K9-sVQ@mail.gmail.com>
In-Reply-To: <CAHbrMsDwWvtcZy8fpg9gs3o+gc_umi9okJW6rvv+s4T7K9-sVQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/Sc6V6Kbz7hwfuveVZ_ZSgGoTds4>
Subject: Re: [Doh] Seeking input on draft-03
List-Id: DNS Over HTTPS <doh.ietf.org>

I’m inclined to think this is a positive change.  We’re trying to do something better than the current world of “trust the local DNS server because unauthenticated DHCP says so”, and promiscuous trust just because a server claims it supports DOH via a .well-known endpoint isn’t really any better.  The client should know the hostname(s) of the DOH server(s) it wants to use, and it should authenticate the DOH server against that hostname.  If a server hosts content and also wants to serve DOH, there are ways to present a hostname that covers both names (or present two certificates) on an HTTP connection.

From: Doh [mailto:doh-bounces@ietf.org] On Behalf Of Ben Schwartz
Sent: Thursday, February 8, 2018 10:05 AM
To: doh@ietf.org
Subject: [Doh] Seeking input on draft-03

Hi all,

The authors of draft-ietf-doh-dns-over-https have been making good progress, and a draft-03 is now ready with several changes and clarifications.

One important difference is that draft-03 no longer proposes a ".well-known" entry.  In draft-02 and prior, clients could check for the presence of a DOH service at the default path, given only the domain name of a server.  In draft-03, there is no default path, so clients must be configured with the full URL of the DOH endpoint.

Is this change compatible with your use cases?  Would this alter the way users interact with your systems?  How do you think DOH client configuration should work?

Please respond with your thoughts,
Ben Schwartz
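As an added illustration (not code from this thread or from the draft), a minimal Python sketch of the client-side model the two messages describe: the client accepts only a complete https URL, never probes a default path, and verifies the TLS certificate against the configured hostname. The GET encoding (base64url "dns" parameter, ID 0) follows the final RFC 8484 rather than draft-03, which is an assumption; hostnames in the test are constructed.

```python
import base64
import ssl
import struct
from urllib.parse import urlsplit


def validate_doh_endpoint(url):
    """Accept only a complete https:// URL with an explicit host and path.
    There is no default path to probe (draft-03 dropped .well-known), so a
    bare origin is rejected. Returns (hostname, port, path)."""
    u = urlsplit(url)
    if u.scheme != "https":
        raise ValueError("DoH endpoint must be https, got %r" % u.scheme)
    if not u.hostname:
        raise ValueError("DoH endpoint must name a host")
    if u.path in ("", "/"):
        raise ValueError("no default path: configure the full endpoint URL")
    return u.hostname, u.port or 443, u.path


def is_valid_endpoint(url):
    try:
        validate_doh_endpoint(url)
        return True
    except ValueError:
        return False


def build_query(name, qtype=1):
    """Encode an RFC 1035 wire-format query. ID is 0 so identical questions
    produce identical (cacheable) GET requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def build_get_request(url, name):
    """Return (host_to_verify, port, request_target) for an RFC 8484 GET.
    host_to_verify is the configured hostname, the only identity the client
    accepts in the server's certificate (pass it as server_hostname)."""
    host, port, path = validate_doh_endpoint(url)
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return host, port, "%s?dns=%s" % (path, dns)


def tls_context():
    """Context for the connection: chain validated and the certificate name
    checked against the configured host given to wrap_socket(server_hostname=...)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```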