[Doh] Reviewing Resolver-Associated DOH

Ben Schwartz <bemasc@google.com> Fri, 15 March 2019 13:13 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Fri, 15 Mar 2019 09:12:56 -0400
Message-ID: <CAHbrMsCNyeabhk0sVexOHVedVkgG2dvV9T8wWL++om5juAUvEw@mail.gmail.com>
To: DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/UXPPS7__nXuvlx8rHclcaVeWySM>
Subject: [Doh] Reviewing Resolver-Associated DOH

I'd like to thank the working group participants for the extensive
discussion of our most recent drafts.  However, I would appreciate more
review of the Resolver-Associated DOH draft, which has the largest time
segment allocated for the upcoming meeting.  This draft contains several
components that have been controversial in the past:

1. IP-address certificates
2. A new .well-known endpoint
3. JSON
4. Recursive resolvers synthesizing responses as if they were authoritative
for certain names
5. Machine-readable content in a TXT record

Also, the draft does not enable the use of DoH if (1) an application relies
on POSIX-like DNS APIs to bootstrap AND (2) the resolver is only reachable
on a non-public IP address (e.g. RFC 1918).  This is a side effect of the
requirement that the DoH server provide a valid certificate for its name,
chained to a root that is already trusted by the client.  This draft does
not alter that requirement.

If any of these technical elements are of concern to you, please comment
now, so that the meeting can be as productive as possible.

--Ben
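The limitation in the second-to-last paragraph is worth making concrete: a client that bootstraps through POSIX-like DNS APIs learns its resolver only as an IP address (on Unix-like systems, the nameserver lines of resolv.conf), so the only certificate it could validate for that resolver is one issued for the IP address itself, and no publicly trusted CA issues certificates for non-public address space. The following Python is an added illustration, not code from the draft or from this message; the resolv.conf text is constructed, the address classes come from the standard `ipaddress` module plus an explicit RFC 6598 check, and the "bootstrap by IP only" model of the client is an assumption about the scenario the message describes.

```python
"""Added example: which OS-configured resolvers could ever present a
certificate that chains to a publicly trusted root?

Assumption: the client knows each resolver only by IP address (POSIX-style
bootstrap), so certificate validation would have to be against the IP.
Public CAs do not issue certificates for reserved or non-public addresses
(RFC 1918, loopback, link-local, IPv6 ULA, RFC 6598 shared space), so a
resolver reachable only on such an address cannot satisfy the requirement
that its certificate chain to an already-trusted root.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# RFC 6598 shared address space is neither "private" nor "global" in the
# ipaddress module's classification, so it is matched explicitly.
_SHARED_V4 = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample in resolv.conf syntax; not captured from a real host.
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 127.0.0.53
nameserver 192.168.1.1
nameserver 100.64.0.1
nameserver 8.8.8.8
nameserver fd00::1
nameserver 2001:4860:4860::8888
search example.test
"""


@dataclass(frozen=True)
class ResolverCheck:
    address: str
    publicly_certifiable: bool
    reason: str


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses in file order, skipping comments ('#' or
    ';') and any entry that is not a syntactically valid IP address."""
    addrs: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                continue  # malformed entry; a libc resolver would ignore it too
            addrs.append(parts[1])
    return addrs


def check_resolver(address: str) -> ResolverCheck:
    """Classify one resolver address by whether a publicly trusted CA could
    issue an IP-address certificate for it."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return ResolverCheck(address, False, "loopback address")
    if ip.is_link_local:
        return ResolverCheck(address, False, "link-local address")
    if ip.version == 4 and ip in _SHARED_V4:
        return ResolverCheck(address, False, "RFC 6598 shared address space")
    if ip.is_private:
        return ResolverCheck(address, False, "non-public address (RFC 1918 or IPv6 ULA)")
    if not ip.is_global:
        return ResolverCheck(address, False, "reserved or special-use address")
    return ResolverCheck(address, True,
                         "public address; an IP-address certificate could chain to a trusted root")


def candidates_for_ip_certificate(text: str) -> List[str]:
    """Resolvers from a resolv.conf for which certificate validation by IP is
    at least possible; the others must stay on classic DNS or be given a
    DoH server name through some other configuration channel."""
    return [c.address for c in map(check_resolver, parse_resolv_conf(text))
            if c.publicly_certifiable]


if __name__ == "__main__":
    for check in map(check_resolver, parse_resolv_conf(SAMPLE_RESOLV_CONF)):
        status = "possible" if check.publicly_certifiable else "impossible"
        print(f"{check.address:>22}  IP certificate {status:<10}  {check.reason}")
```

Running it on the constructed sample leaves only the two public addresses as candidates; the loopback stub, the RFC 1918 router, the CGNAT address and the ULA address are exactly the cases in which the certificate requirement, unchanged by the draft, rules DoH out for an IP-only bootstrap.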