Re: [Doh] [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

"John Dickinson" <jad@sinodun.com> Tue, 22 January 2019 11:59 UTC

Return-Path: <jad@sinodun.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 795C4130F04 for <doh@ietfa.amsl.com>; Tue, 22 Jan 2019 03:59:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eUXcmdPfHtT6 for <doh@ietfa.amsl.com>; Tue, 22 Jan 2019 03:59:22 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C39581228B7 for <doh@ietf.org>; Tue, 22 Jan 2019 03:59:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=balrog-2018; h=Date:Subject:To:From; bh=M2m/Qq/Op+KAs/vYDmSO//OvMICa0amDn2itXM9sV7Y=; b=qyolkazmMpFTCVNselmRJusfG7 YMYCbag9CysquDCNM+rTivCTmoh4kFNUQQz7s3TXELOS1m04Co/CFrXQrcjBR0oQM7DO2I1AlcReo xfVLLFb7NH8uezuuMY7sp9ES33Ac44MTcKurLTiuJSXh2hHkQFhxbmuiTwoTxyRoOTb0qfPdzaPmQ 53gsbC1WhrPohMjr6L2ZP0yW8Y/1JEDpeLKqGqVJxHwi+VLliRbPS80g3k/5FFCVHnWfeVaj4ualu qgb3vncohcvufqv11IOZg2+RXo15pSZyoaJFCu8UrfGSSTdA9INXqluG/wAOX56u2lRySJ05E+q3L E9DgVpRQ==;
Received: from [2001:b98:204:102:fff1::f145] (port=61034 helo=[192.168.12.13]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <jad@sinodun.com>) id 1glui5-0003wZ-5N; Tue, 22 Jan 2019 11:59:21 +0000
From: "John Dickinson" <jad@sinodun.com>
To: "Paul Hoffman" <paul.hoffman@icann.org>, doh@ietf.org
Date: Tue, 22 Jan 2019 11:58:33 +0000
X-Mailer: MailMate (1.12.3r5579)
Message-ID: <FDE64B61-4CD2-4076-8075-909DB6AC1B49@sinodun.com>
In-Reply-To: <78C9AA8D-1599-46F1-91C7-356E58DD960A@icann.org>
References: <8999D6F3-600E-4F1A-903C-10F8CAA6E4F3@icann.org> <1547674141.291889.1636540384.54D5BB3E@webmail.messagingengine.com> <78C9AA8D-1599-46F1-91C7-356E58DD960A@icann.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_1F311ABC-4F6C-4DBD-BEF8-61AB71A0458D_="; micalg=pgp-sha512; protocol="application/pgp-signature"
X-BlackCat-Spam-Score: -21
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/pzYi2BSBiIccrsClvOSFk3pFxKU>
Subject: Re: [Doh] [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jan 2019 11:59:26 -0000

On 16 Jan 2019, at 22:32, Paul Hoffman wrote:

> On Jan 16, 2019, at 1:29 PM, Martin Thomson <mt@lowentropy.net> wrote:
>>
>> On Wed, Jan 16, 2019, at 11:25, Paul Hoffman wrote:
>>> People from a few browser vendors have expressed unofficial interest in
>>> implementing at least parts of it if it gets standardized, so it seems
>>> like a good idea to try to standardize it. There is still a reasonable
>>> amount of work to be done in the document itself, and it certainly needs
>>> input from both browser and DNS folks.
>>
>> What happened to DRIU?  It seemed like there was an effort to work on the problem more generally.
>
> There was little interest in anything other than this part.
>
>> But I see the DoT comment down-thread and wonder whether this is the right place for doing this sort of work.
>
> DPRIVE is (sadly very slowly) working on draft-ietf-dprive-bcp-op, where DoT discovery would fit just fine.
>

I don’t think so. The BCP is Informational, I see server discovery (requiring extensions to the protocol) as well out of scope for the BCP.

As mentioned by Ben, for opportunistic DoT port 853 can be probed, but there is still no DNS or DHCP solution for Strict DoT (i.e. securely obtaining the authentication domain name).

My understanding of this draft is that it provides only an ‘opportunistic’ discovery mechanism for DoH where the resulting URI template cannot be DNSSEC validated by the system resolver or the requesting application/browser. If that is the case the resulting HTTPS connection _could_ have been re-directed and so I think that should be spelt out more clearly. For example, I think that at least the title should be something more like ‘Associating a DoH Server with a Resolver for Opportunistic DoH’.

Other comments:

I find this draft extremely difficult to read. For example, I am unable to easily parse Section 1, Para. 2, Sentence 1:
   “There is a use case for browsers and web applications to want the DNS
   recursive resolver(s) configured in the operating system to use DoH
   for DNS resolution instead of normal DNS, but to do so to at a DoH
   server specified by the configured resolver.”

I find the rest of the Introduction just as difficult to read.

Please add SUDN to the Terminology section and to the next DNS Terminology -bis draft.

Section 2.1
   “the zone resolver-associated-doh.arpa is
   not actually delegated and never will be.”

   So it can never be DNSSEC signed unless you use a local trust anchor.

Section 2.2
   “To find the DoH servers associated with a resolver, the client sends
   a query to

   https://IPADDRESSGOESHERE/.well-known/doh-servers-associated/”

   Need to make it clear that this is a DoH query not a regular “http query”

Section 3 makes no mention of the fact that the OS stub resolver typically has more than 1 resolver configured.

Section 4
   “That wording might say
   something like "DoH server associated with my current resolver" (or
   "servidor DoH asociado con mi resolucion actual" or "serveur DoH
   associe a mon resolveur actuel”).”

   Is this intended to be read only configuration? It doesn’t sound like a configuration item for a User to edit.

I do not think this draft should be adopted until a separate use cases document is written (I am happy to help write it).

regards
John


John Dickinson

https://sinodun.com

Sinodun Internet Technologies Ltd.
Magdalen Centre
Oxford Science Park
Robert Robinson Avenue
Oxford OX4 4GA
U.K.