Re: [Doh] [Ext] Re: Use cases and URLs

Paul Hoffman <paul.hoffman@icann.org> Wed, 07 March 2018 21:49 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 177C412D952 for <doh@ietfa.amsl.com>; Wed, 7 Mar 2018 13:49:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RNVN1OT4Rn0 for <doh@ietfa.amsl.com>; Wed, 7 Mar 2018 13:49:35 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C14721205D3 for <doh@ietf.org>; Wed, 7 Mar 2018 13:49:35 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 7 Mar 2018 13:49:33 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1178.000; Wed, 7 Mar 2018 13:49:33 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Patrick McManus <pmcmanus@mozilla.com>
CC: "doh@ietf.org" <doh@ietf.org>
Thread-Topic: [Doh] [Ext] Re: Use cases and URLs
Thread-Index: AQHTtljUtP64RWPRoUee2jEgNitI3KPF1cQA
Date: Wed, 7 Mar 2018 21:49:33 +0000
Message-ID: <53FF5085-D22D-4EEB-83DA-F5DB2CB2347C@icann.org>
References: <24DEFAAB-D2A3-45E5-8CEE-E2E4EA23B9C2@icann.org> <5bca3f4f-e40a-4afc-c71a-25ede395a065@nostrum.com> <497ECCA2-5453-40CC-8385-7FEBE1A3FB0D@icann.org> <CAOdDvNr-uDrQjpmB9RVfqqNtj+65QJoM+-bqQLbgYvfGKG4EQQ@mail.gmail.com>
In-Reply-To: <CAOdDvNr-uDrQjpmB9RVfqqNtj+65QJoM+-bqQLbgYvfGKG4EQQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: text/plain; charset="utf-8"
Content-ID: <D2F766796AF82F459FB3C1ACFD0698AB@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/mlHepbecJdZJF4YD_fC071Gp0Ko>
Subject: Re: [Doh] [Ext] Re: Use cases and URLs
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 21:49:37 -0000

On Mar 7, 2018, at 5:11 PM, Patrick McManus <pmcmanus@mozilla.com>; wrote:
>> Yes, exactly. If someone tells you that your bank runs this secure DNS server, that’s verbal, not copy and paste.
> 
> I don't agree with this.
> 
> Its logically an argument for not even using hostnames.

That is an absurd reach. If I already interact with my bank through my browser, I know its hostname. I call my bank "Bank of America", not "bofa.com", but I know the latter is its hostname.

> The minimal information in your example is your bank - so just assume www.BANK.com.

See above. In the edge case that I hear that my bank runs this secure DNS server but I don't know my bank's hostname, I am out of luck with DOH. That's fine.

> But even if you argue hostname is the goldilocks of granularity, the DNS resolver market has already shown that its not rich enough. note that quad-9 offers both 9.9.9.9 and 9.9.9.10 and that 10 is not simply a secondary for .9 but its a different service with different policies and different results.. but because the configuration scheme of traditional DNS is so coarse they needed to burn IPv4 addresses just to convey configuration information.

OS configuration for DNS service has always been based on IP addresses because using a domain name to identify a server causes a pretty obvious chicken-and-egg problem. How is that relevant for DOH, which is based on URLs that already have a hostname in them?

> Your suggestion uplevels that from 1 address to 1 hostname but the fundamental problem remains.

Which fundamental problem? My proposal allows for differentiated service in the JSON response.

> Lastly, we want this work to be consistent with the BCP56bis work which explicitly talks about Initial URLs in 4.4.1. It says arbitrary URLs should be used unless they are not practical.

And this proposal fully supports that notion. No one has to go through discovery to use the DNS API server.

> I would say if there were no configuration at all we could talk about whether or not they were impractical, but in the cases that are in scope we're definitely talking about configuration.

Correct. This proposal is to make configuration easier. Are you objecting to making configuration easier, or to the notion that the DNS API server URL should be discoverable, or ...?

--Paul Hoffman