Re: [Doh] [Ext] Re: Associating a DoH server with a resolver

Paul Hoffman <paul.hoffman@icann.org> Wed, 24 October 2018 16:11 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Eric Rescorla <ekr@rtfm.com>
CC: DoH WG <doh@ietf.org>
Thread-Topic: [Doh] [Ext] Re: Associating a DoH server with a resolver
Thread-Index: AQHUa0hXLZIOUPksW0KFptJhvlWHNqUvBzSA
Date: Wed, 24 Oct 2018 16:11:25 +0000
Message-ID: <CF80F320-1E2F-4BB6-90F2-AE8426ACDC6A@icann.org>
References: <02C39DFD-9550-447D-B00E-702B441A88BE@icann.org> <CABkgnnV2YMtcdOyMfE2NMH4L1ZbK4dcp1KQt3FttCfz-nfQd6A@mail.gmail.com> <C82FBB08-8DAA-4C50-8934-576596C2532F@icann.org> <CABkgnnVgZBp7bqv9u9iBbZAojQqbYAGWG54Ta5JKq_ycvaux1g@mail.gmail.com> <CABcZeBNObxKQWkhD=jz8Z7CL7iVnEE-O_QF5DkADu=s1=ux_rQ@mail.gmail.com>
In-Reply-To: <CABcZeBNObxKQWkhD=jz8Z7CL7iVnEE-O_QF5DkADu=s1=ux_rQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/lSLUG6FOYSAaeSMRpHBIkP3ykEQ>

On Oct 23, 2018, at 8:18 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> Several points here:
> 
> 1. As a matter of aesthetics, I agree with Martin that domain names would be better.

If we can get non-address records back, I would prefer to go all the way to "here are the URI templates of the DoH servers". No need to cause another round-trip.

> 2. Martin sent a link to a method for resolving TXT records on Windows. MacOS has its own API: https://developer.apple.com/documentation/dnssd/1804747-dnsservicequeryrecord?language=objc
> So, this doesn't seem prohibitive to me.

I thought this only worked for DNSSD, not DNS. Does it work for both? Or is there a similar-flavored Mac call for DNS?

> 3. It seems like in the use case for which this draft is specified, the whole thing is pretty opportunistic, so IP address certs wouldn't be required.

Agree. In the future, when an application can know that the OS's connection to the DNS resolver is authenticated, then IP address certs could be used for fully-authenticated communication. That doesn't seem likely any time soon, however, given the results of the discussions at the DRIU BoF at the last IETF meeting.

> 4. There are other use cases for which it might be nice to have real domain names, in which case the IP address cert thing is a pain.
> 
> For these reasons, I think a domain name in TXT or the like would be better.

Do you see a use case for domain names other than "here's a way to get to a well-known URI on the resolver"? If so, we could add that as well as "here are the URI templates for the associated DoH server".

--Paul Hoffman