Re: [Doh] WGLC on draft-ietf-doh-dns-over-https
Mateusz Jończyk <mat.jonczyk@o2.pl> Sat, 05 May 2018 16:17 UTC
To: DoH WG <doh@ietf.org>
Cc: sara@sinodun.com
From: Mateusz Jończyk <mat.jonczyk@o2.pl>
Message-ID: <56fb94bd-ec0f-81c8-16c8-8391ef1a5f46@o2.pl>
Date: Sat, 05 May 2018 18:17:12 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/d6mWKBhfvRFqcFB4OCe1dr1kFdE>
Sara Dickinson on Fri, 04 May 2018 17:03 UTC wrote:
> The text in the latest GitHub version of the draft now uses phrases like "a
> client MUST specifically authorize DNS API servers".
>
> I'm not clear if there is any difference between 'authorizing' a server and
> just using a server? If there is some subtlety here then I'd like to
> understand it but if not I created
> https://github.com/dohwg/draft-ietf-doh-dns-over-https/pull/174 to simplify
> the text and also put the discussion of selection of server in its own
> section.

This text is unclear also to me. I cannot really understand what is meant by the following sentence:

    For HTTP requests initiated by the DNS API client this authorization is implicit in the selection of URI.

Should I read it so: "by selecting a DNS API server URI the client is implicitly authorizing the server", whatever this means in practice?

On the other hand, the wording proposed by Sara Dickinson looks too verbose to me and is unclear also. In the following sentence:

    Before using a DNS API server for DNS resolution, the client MUST establish that the HTTP request URI is a trusted service for the DOH query, [...]

what should the phrase "is a trusted service for the DOH query" mean? Is it possible that for some DOH queries the request URI is trusted and for some others isn't?

I would propose simply the following text for the "# Security" section:

    When DNSSEC is not used, a DNS API server can give the client invalid data as a response to a DNS query. Therefore, a DNS API client SHOULD carefully determine which DNS API server(s) it trusts. For example, a DNS API client can have trusted DNS API server(s) preconfigured.

I suppose that most computer users won't know what a DNS is and won't configure a DNS API server themselves. Therefore "explicit configuration" in practice means "preconfigured DNS API server(s)".

Greetings,
Mateusz Jończyk
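The "authorization is implicit in the selection of URI" reading discussed above, shown as an added client-side example (not code from the draft or from anyone in this thread): the client holds a preconfigured set of trusted DNS API server URIs, refuses to build a request for any other URI, and encodes the DNS wire-format query in the GET form that the published RFC 8484 specifies (`?dns=` with unpadded base64url and a DNS ID of 0). The server URI and the `TRUSTED_DOH_URIS` set are hypothetical.

```python
import base64
import struct
from urllib.parse import urlsplit

# Constructed policy: the only DNS API servers this client may use are the
# ones explicitly preconfigured here ("explicit configuration" in practice).
# Hypothetical URI, not taken from the draft or any real deployment.
TRUSTED_DOH_URIS = frozenset({
    "https://doh.example.net/dns-query",
})


def is_authorized_server(uri: str) -> bool:
    """'Authorizing' a server reduces to: is this exact URI preconfigured?

    Only https URIs qualify, and the match is exact, so a look-alike host
    or a different path on the same host is not implicitly trusted.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return uri in TRUSTED_DOH_URIS


def build_query(qname: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035): header + one question."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def doh_get_url(server_uri: str, qname: str, qtype: int = 1) -> str:
    """Return the DoH GET URL for qname/qtype, or raise if the server is not trusted.

    RFC 8484 GET form: the wire-format query goes in the 'dns' parameter,
    base64url-encoded without padding, with DNS ID 0 so responses are cacheable.
    """
    if not is_authorized_server(server_uri):
        raise PermissionError(f"DNS API server not preconfigured as trusted: {server_uri}")
    wire = build_query(qname, qtype, qid=0)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{server_uri}?dns={encoded}"
```

The value produced for `www.example.com`/A matches the worked GET example in RFC 8484 section 4.1.1, which is a useful check that the wire format and encoding are right.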