Re: [Doh] [Ext] Re: Associating a DoH server with a resolver

Adam Roach <adam@nostrum.com> Wed, 24 October 2018 03:40 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15486130DDA for <doh@ietfa.amsl.com>; Tue, 23 Oct 2018 20:40:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vhUThWYThMKS for <doh@ietfa.amsl.com>; Tue, 23 Oct 2018 20:40:17 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46C06130DE5 for <doh@ietf.org>; Tue, 23 Oct 2018 20:40:15 -0700 (PDT)
Received: from Svantevit.attlocal.net (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w9O3dp9n095790 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 23 Oct 2018 22:39:52 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.attlocal.net
To: Eric Rescorla <ekr@rtfm.com>, Martin Thomson <martin.thomson@gmail.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, DoH WG <doh@ietf.org>
References: <02C39DFD-9550-447D-B00E-702B441A88BE@icann.org> <CABkgnnV2YMtcdOyMfE2NMH4L1ZbK4dcp1KQt3FttCfz-nfQd6A@mail.gmail.com> <C82FBB08-8DAA-4C50-8934-576596C2532F@icann.org> <CABkgnnVgZBp7bqv9u9iBbZAojQqbYAGWG54Ta5JKq_ycvaux1g@mail.gmail.com> <CABcZeBNObxKQWkhD=jz8Z7CL7iVnEE-O_QF5DkADu=s1=ux_rQ@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <2695a0e8-8373-8d33-7951-cfc5555ed254@nostrum.com>
Date: Tue, 23 Oct 2018 22:39:45 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBNObxKQWkhD=jz8Z7CL7iVnEE-O_QF5DkADu=s1=ux_rQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/kIBqgul33eaXBP7JWDJmd0cPCAA>
Subject: Re: [Doh] [Ext] Re: Associating a DoH server with a resolver
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 03:40:21 -0000

On 10/23/18 10:18 PM, Eric Rescorla wrote:
> Several points here:
>
> 1. As a matter of aesthetics, I agree with Martin that domain names 
> would be better.
> 2. Martin sent a link to a method for resolving TXT records on 
> Windows. MacOS has its own API: 
> https://developer.apple.com/documentation/dnssd/1804747-dnsservicequeryrecord?language=objc.
> So, this doesn't seem prohibitive to me.
> 3. It seems like in the use case for which this draft is specified, 
> the whole thing is pretty opportunistic, so IP address certs wouldn't 
> be required.
> 4. There are other uses cases for which it might be nice to have real 
> domain names, in which case the IP address cert thing is a pain.
>
> For these reasons, I think a domain name in TXT or the like would be 
> better.


If we are going for non-A/AAAA record types, then I would suggest that 
we use the record to directly indicate the URI instead of having to 
synthesize one using a .well-known path. I would also point out that we 
already have a resource record type for converting desired services into 
URIs (RFC 7553).

So, e.g., interested clients would query for a URI record of type 
_doh._tcp.resolvers.arpa, and get back a full HTTPS URL as a response.

/a