Re: [Doh] [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh
"John Dickinson" <jad@sinodun.com> Tue, 22 January 2019 11:59 UTC
Return-Path: <jad@sinodun.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 795C4130F04 for <doh@ietfa.amsl.com>; Tue, 22 Jan 2019 03:59:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eUXcmdPfHtT6 for <doh@ietfa.amsl.com>; Tue, 22 Jan 2019 03:59:22 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C39581228B7 for <doh@ietf.org>; Tue, 22 Jan 2019 03:59:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=balrog-2018; h=Date:Subject:To:From; bh=M2m/Qq/Op+KAs/vYDmSO//OvMICa0amDn2itXM9sV7Y=; b=qyolkazmMpFTCVNselmRJusfG7 YMYCbag9CysquDCNM+rTivCTmoh4kFNUQQz7s3TXELOS1m04Co/CFrXQrcjBR0oQM7DO2I1AlcReo xfVLLFb7NH8uezuuMY7sp9ES33Ac44MTcKurLTiuJSXh2hHkQFhxbmuiTwoTxyRoOTb0qfPdzaPmQ 53gsbC1WhrPohMjr6L2ZP0yW8Y/1JEDpeLKqGqVJxHwi+VLliRbPS80g3k/5FFCVHnWfeVaj4ualu qgb3vncohcvufqv11IOZg2+RXo15pSZyoaJFCu8UrfGSSTdA9INXqluG/wAOX56u2lRySJ05E+q3L E9DgVpRQ==;
Received: from [2001:b98:204:102:fff1::f145] (port=61034 helo=[192.168.12.13]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <jad@sinodun.com>) id 1glui5-0003wZ-5N; Tue, 22 Jan 2019 11:59:21 +0000
From: John Dickinson <jad@sinodun.com>
To: Paul Hoffman <paul.hoffman@icann.org>, doh@ietf.org
Date: Tue, 22 Jan 2019 11:58:33 +0000
X-Mailer: MailMate (1.12.3r5579)
Message-ID: <FDE64B61-4CD2-4076-8075-909DB6AC1B49@sinodun.com>
In-Reply-To: <78C9AA8D-1599-46F1-91C7-356E58DD960A@icann.org>
References: <8999D6F3-600E-4F1A-903C-10F8CAA6E4F3@icann.org> <1547674141.291889.1636540384.54D5BB3E@webmail.messagingengine.com> <78C9AA8D-1599-46F1-91C7-356E58DD960A@icann.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_1F311ABC-4F6C-4DBD-BEF8-61AB71A0458D_="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-BlackCat-Spam-Score: -21
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/pzYi2BSBiIccrsClvOSFk3pFxKU>
Subject: Re: [Doh] [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jan 2019 11:59:26 -0000
On 16 Jan 2019, at 22:32, Paul Hoffman wrote: > On Jan 16, 2019, at 1:29 PM, Martin Thomson <mt@lowentropy.net> wrote: >> >> On Wed, Jan 16, 2019, at 11:25, Paul Hoffman wrote: >>> People from a few browser vendors have expressed unofficial interest in >>> implementing at least parts of it if it gets standardized, so it seems >>> like a good idea to try to standardize it. There is still a reasonable >>> amount of work to be done in the document itself, and it certainly needs >>> input from both browser and DNS folks. >> >> What happened to DRIU? It seemed like there was an effort to work on the problem more generally. > > There was little interest in anything other than this part. > >> But I see the DoT comment down-thread and wonder whether this is the right place for doing this sort of work. > > DPRIVE is (sadly very slowly) working on draft-ietf-dprive-bcp-op, where DoT discovery would fit just fine. > I don’t think so. The BCP is Informational, I see server discovery (requiring extensions to the protocol) as well out of scope for the BCP. As mentioned by Ben, for opportunistic DoT port 853 can be probed, but there is still no DNS or DHCP solution for Strict DoT (i.e. securely obtaining the authentication domain name). My understanding of this draft is that it provides only an ‘opportunistic’ discovery mechanism for DoH where the resulting URI template cannot be DNSSEC validated by the system resolver or the requesting application/browser. If that is the case the resulting HTTPS connection _could_ have been re-directed and so I think that should be spelt out more clearly. For example, I think that at least the title should be something more like ‘Associating a DoH Server with a Resolver for Opportunistic DoH’. Other comments: I find this draft extremely difficult to read. For example, I am unable to easily parse Section 1, Para. 2, Sentence 1: “There is a use case for browsers and web applications to want the DNS recursive resolver(s) configured in the operating system to use DoH for DNS resolution instead of normal DNS, but to do so to at a DoH server specified by the configured resolver.” I find the rest of the Introduction just as difficult to read. Please add SUDN to the Terminology section and to the next DNS Terminology -bis draft. Section 2.1 “the zone resolver-associated-doh.arpa is not actually delegated and never will be.” So it can never be DNSSEC signed unless you use a local trust anchor. Section 2.2 “To find the DoH servers associated with a resolver, the client sends a query to https://IPADDRESSGOESHERE/.well-known/doh-servers-associated/” Need to make it clear that this is a DoH query not a regular “http query” Section 3 makes no mention of the fact that the OS stub resolver typically has more than 1 resolver configured. Section 4 “That wording might say something like "DoH server associated with my current resolver" (or "servidor DoH asociado con mi resolucion actual" or "serveur DoH associe a mon resolveur actuel”).” Is this intended to be read only configuration? It doesn’t sound like a configuration item for a User to edit. I do not think this draft should be adopted until a separate use cases document is written (I am happy to help write it). regards John John Dickinson https://sinodun.com Sinodun Internet Technologies Ltd. Magdalen Centre Oxford Science Park Robert Robinson Avenue Oxford OX4 4GA U.K.
- [Doh] Request for the DOH WG to adopt draft-hoffm… Paul Hoffman
- Re: [Doh] Request for the DOH WG to adopt draft-h… Jim Reid
- Re: [Doh] Request for the DOH WG to adopt draft-h… Ralf Weber
- Re: [Doh] Request for the DOH WG to adopt draft-h… A. Schulze
- Re: [Doh] Request for the DOH WG to adopt draft-h… Ben Schwartz
- Re: [Doh] Request for the DOH WG to adopt draft-h… Jim Reid
- Re: [Doh] Request for the DOH WG to adopt draft-h… A. Schulze
- Re: [Doh] Request for the DOH WG to adopt draft-h… Ralf Weber
- Re: [Doh] Request for the DOH WG to adopt draft-h… Martin Thomson
- Re: [Doh] [Ext] Request for the DOH WG to adopt d… Paul Hoffman
- Re: [Doh] [EXTERNAL] Re: Request for the DOH WG t… Winfield, Alister
- Re: [Doh] [EXTERNAL] Re: Request for the DOH WG t… Ben Schwartz
- Re: [Doh] [Ext] Request for the DOH WG to adopt d… John Dickinson
- Re: [Doh] [EXTERNAL] Re: [Ext] Request for the DO… Winfield, Alister
- Re: [Doh] [EXTERNAL] Re: [Ext] Request for the DO… Jim Reid
- Re: [Doh] [EXTERNAL] Re: [Ext] Request for the DO… Winfield, Alister
- Re: [Doh] [Ext] Request for the DOH WG to adopt d… Paul Hoffman
- Re: [Doh] [Ext] Request for the DOH WG to adopt d… John Dickinson
- Re: [Doh] Request for the DOH WG to adopt draft-h… Daniel Stenberg
- Re: [Doh] Request for the DOH WG to adopt draft-h… Ralf Weber
- Re: [Doh] Request for the DOH WG to adopt draft-h… Tony Finch
- Re: [Doh] Request for the DOH WG to adopt draft-h… Daniel Stenberg
- Re: [Doh] Request for the DOH WG to adopt draft-h… bert hubert
- Re: [Doh] Request for the DOH WG to adopt draft-h… Vittorio Bertola
- Re: [Doh] Request for the DOH WG to adopt draft-h… Ted Lemon
- Re: [Doh] Request for the DOH WG to adopt draft-h… bert hubert
- Re: [Doh] Request for the DOH WG to adopt draft-h… Peter Saint-Andre
- Re: [Doh] Request for the DOH WG to adopt draft-h… Daniel Stenberg
- Re: [Doh] [EXTERNAL] Re: Request for the DOH WG t… Winfield, Alister
- Re: [Doh] Request for the DOH WG to adopt draft-h… Stephen Farrell
- Re: [Doh] Request for the DOH WG to adopt draft-h… John Dickinson
- Re: [Doh] Request for the DOH WG to adopt draft-h… Stephane Bortzmeyer
- Re: [Doh] Request for the DOH WG to adopt draft-h… Stephane Bortzmeyer
- Re: [Doh] [Ext] Re: Request for the DOH WG to ado… Paul Hoffman
- Re: [Doh] Request for the DOH WG to adopt draft-h… Stephane Bortzmeyer
- Re: [Doh] Request for the DOH WG to adopt draft-h… Stephane Bortzmeyer
- Re: [Doh] [Ext] Re: Request for the DOH WG to ado… Stephane Bortzmeyer
- Re: [Doh] Request for the DOH WG to adopt draft-h… Daniel Stenberg
- Re: [Doh] Request for the DOH WG to adopt draft-h… nigel.tedeschi