Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)

Ted Lemon <mellon@fugue.com> Thu, 14 June 2018 19:57 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7591130E70 for <doh@ietfa.amsl.com>; Thu, 14 Jun 2018 12:57:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L1D_oW8NVknt for <doh@ietfa.amsl.com>; Thu, 14 Jun 2018 12:56:59 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0762126CB6 for <doh@ietf.org>; Thu, 14 Jun 2018 12:56:58 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id d22-v6so8409195iof.13 for <doh@ietf.org>; Thu, 14 Jun 2018 12:56:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oeDIzuNiK3bwf9CgiOocD7uhGbOEMfaiHGjpcsU5QL4=; b=vpArEySj2d+v3JXFCEoqQpFtHOzBMJukiu38yeywR0bQCqxsedrQy+rs4q+L+UHQzp xK3lE0dnFgnJf5LiZM6w7PLgGciO/HiqSnV63mWbj8gPNItBMssXOQdronH2q9fjTGNJ awWGhGKW44tuZmhgklr+2kgfCIwG/R6hQ9VwheDOFJVG41XlBuBEuFEnwSR6OqPOMVgT KPpeKhVqWRwaapMioHtMvyt3LujbrESuoRLcwOEa+Zk9qs3tQND4WD+HvtkNTBeVybIx GnkmpcySwLtY4uXa4mWFG9kc9jYkG3Bsy6F6aM1Z5mm8FsQ1ODQO9u5hLoKJAUNQ7Vnw dFlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oeDIzuNiK3bwf9CgiOocD7uhGbOEMfaiHGjpcsU5QL4=; b=TzD6NfuRUwLHaN3TS+AfXLVtXFPjd01nOsNPeG0C7iI8B3jEXlI12m7bCbOEklNO4C ElRdMjU58yjgMoR78YAtTGL9MV8EXn0p+KzB/In5RDmnf/Tx0nTd8zLV21x+C9qS3KsF 63s8mnQUtnZnD+1BZokFLGpjG15MtYGjQXeYgnAHjpflfs0Zxh8jTOqM+nWtvhxAY3Sp 4B7jBbWLtPsZmM9laRjLSbF7rBiPR/QTYNnteNkv3mqwchQHPY9BX7M5eUl6U9sM3byw 00EZUw7hEwTRWnYr577oFQiRkqWbR0eR2HZzJpIiyusWD3zpTjB0Ht8tvmglnTYh0ae8 SVSA==
X-Gm-Message-State: APt69E0XVXlczTQuiWGhJDlReZAbcYDOpgJJ+o+W0tXtzTD8LyrRKGOK Xq2rza8Og80LtYILEQvf/rVVhBwRXQvztBffua9sog==
X-Google-Smtp-Source: ADUXVKJ6Xitboc2bytcxhC+4ZKElT9lCVZ7DicCbsFdC1m2mO8pfXtTtB5LiLm2NzgpLtlNvXiJB37Pjyx+2IUB1v/Q=
X-Received: by 2002:a6b:be05:: with SMTP id o5-v6mr1456365iof.45.1529006218064; Thu, 14 Jun 2018 12:56:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:6f86:0:0:0:0:0 with HTTP; Thu, 14 Jun 2018 12:56:17 -0700 (PDT)
In-Reply-To: <B9AD3F85-D30E-4F89-8EF9-5BC0CD843869@icann.org>
References: <1E183D79-5716-47E5-8604-A4F5DC7588C2@icann.org> <045241e6-6d9f-162c-6ae3-0b10d59d21de@bellis.me.uk> <6BB0D47F-2BA3-4D9A-A125-1D1E180B06E0@icann.org> <53c320bc-6ea0-21f4-c7a1-1da34bbdb38d@nic.cz> <CAHbrMsBoKE-pfz97ZDb9ReLKMedk2KJ7xLCw_MPmxVtqF7PcuA@mail.gmail.com> <20180613192030.GA2792@jurassic> <CAHbrMsACdaz13v=2jbpZq1RU-_CP36Cgz13iFFWVj8qrjQ0b=g@mail.gmail.com> <20180613205637.GA23215@jurassic> <CAOdDvNr0ob_zhMw1BT_h8n77ecx5vht8WJ7OiwwDPrj0Wxf8SA@mail.gmail.com> <20180614042217.GA25915@jurassic> <20180614044113.GA27115@jurassic> <alpine.DEB.2.20.1806140728270.30130@tvnag.unkk.fr> <74D48781-9F05-482C-ACB2-7AB027611489@sinodun.com> <40ac87db-dfdb-5305-338d-ff3afb8e159d@o2.pl> <F6CEE7B0-E0BF-4EF7-9BDD-4DA7B539A511@icann.org> <CAPt1N1kBEv-ACPiWKckMGrQFu=F=pTD-D6oByzktmQe76AZYZg@mail.gmail.com> <602C852F-D988-4D3C-A959-E7A6EAE6AC3E@icann.org> <CAPt1N1=uCAGJ26KjVj0LA70-p91fWQD-jj+8c+t=M20tuSp_Nw@mail.gmail.com> <B9AD3F85-D30E-4F89-8EF9-5BC0CD843869@icann.org>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 14 Jun 2018 12:56:17 -0700
Message-ID: <CAPt1N1nsBiUM+JzT0dN-sCe+jOs+eoBBTKid6x_y8AXEbp0bTQ@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007cc063056e9f80fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/cfVeWb5Jmki3PEkQT08AacKl9B4>
Subject: Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2018 19:57:01 -0000

Okay, fair enough, but if that's the case, then you probably shouldn't be
advocating for a DHCP option *here.  *I see that Tom has raised the DHCP
question on that mailing list, so I'll subscribe.   FWIW, Tom and Willem
and I had a discussion about the security implications of this last week,
and while I don't know if Tom and Willem came away agreeing with me on
this, the upshot from my perspective is that this really does need to be
carefully thought through and carefully specified—it's by no means clear to
me that we "need" a DHCP option, but if we do, it has to have the right
security properties.   Thanks for the pointer.

On Thu, Jun 14, 2018 at 12:49 PM, Paul Hoffman <paul.hoffman@icann.org>;
wrote:

> On Jun 14, 2018, at 12:45 PM, Ted Lemon <mellon@fugue.com>; wrote:
> >
> > Okay.   But do you get protected DNS if you discover a DoH server using
> DHCP?
>
> Yes, for some value of protected.
>
> >   What does "protected" mean in this context?
>
> That's a topic for the DRIU mailing list and the upcoming BoF. It's not
> relevant here other than that people are asking where DoH might be used.
>
> --Paul Hoffman