Re: [Doh] DNSSEC, DOH, and DNS headers

Patrick McManus <pmcmanus@mozilla.com> Tue, 20 March 2018 08:05 UTC

In-Reply-To: <20180319143929.tgndmrvdggewpcqv@mx4.yitter.info>
References: <20180319143929.tgndmrvdggewpcqv@mx4.yitter.info>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Tue, 20 Mar 2018 08:05:34 +0000
X-Gmail-Original-Message-ID: <CAOdDvNopr+S10rVr04faUwjJQaK1feeNecjEGSF2OOJTeUT4Nw@mail.gmail.com>
Message-ID: <CAOdDvNopr+S10rVr04faUwjJQaK1feeNecjEGSF2OOJTeUT4Nw@mail.gmail.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Cc: DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/tCC06A_KjBKG5v1oS0ojxSVkIT8>
Subject: Re: [Doh] DNSSEC, DOH, and DNS headers
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>

I appreciate this. We can make the change.

On Mon, Mar 19, 2018 at 2:39 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:

> Hi,
>
> Section 6 of -03 says this:
>
>    Different response media types will provide more or less information
>    from a DNS response.  For example, one response type might include
>    the information from the DNS header bytes while another might omit
>    it.
>
> But section 9 says
>
>          A DNS API client may also perform full
>    DNSSEC validation of answers received from a DNS API server or it may
>    choose to trust answers from a particular DNS API server, much as a
>    DNS client might choose to trust answers from its recursive DNS
>    resolver.
>
> It seems to me that these are in tension with one another, because the
> AD and CD bits are in the header that the response type is permitted
> to throw away.  Maybe it could be resolved thus:
>
> NEW
>
>          A DNS API client may also perform full
>    DNSSEC validation of answers received from a DNS API server or it may
>    choose to trust answers from a particular DNS API server, much as a
>    DNS client might choose to trust answers from its recursive DNS
>    resolver.  This capability might be affected by the response media
>    type a DNS API server supports.
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs@anvilwalrusden.com
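The tension Andrew points out, that the AD and CD bits sit in the 12-byte DNS header a response media type is permitted to drop, is easiest to see against the wire format. The Python below is an added example, not code from this thread or from the DoH draft: the sample response bytes, the `trust_decision` policy and the `decision_for_payload` helper are constructed here for illustration, while the flag bit positions are those of RFC 1035 (header) and RFC 4035 (AD/CD). It decodes the header of a constructed response, reports AD and CD, and shows that once the header is stripped a client has no resolver validation status to act on and must fall back to validating for itself.

```python
"""Added example (not from the DoH thread): decode the AD and CD bits of a
DNS wire-format response and show what a client loses when the response
media type omits the 12-byte header. All message bytes are constructed."""
import struct

# Header flag bits: RFC 1035 section 4.1.1, RFC 4035 section 3.1.6.
FLAG_QR = 1 << 15   # message is a response
FLAG_RD = 1 << 8    # recursion desired
FLAG_RA = 1 << 7    # recursion available
FLAG_AD = 1 << 5    # authenticated data: the resolver validated this answer
FLAG_CD = 1 << 4    # checking disabled: the resolver was asked not to validate

HEADER_LEN = 12


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header. Raises if the message is too short."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(ident: int, flags: int, question: bytes, answers: bytes, ancount: int) -> bytes:
    """Assemble header + question + answer sections for a one-question response."""
    header = struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)
    return header + question + answers


def strip_header(msg: bytes) -> bytes:
    """Simulate a media type that carries only the question/answer sections."""
    return msg[HEADER_LEN:]


def trust_decision(header: dict, trusts_resolver: bool) -> str:
    """Constructed policy mirroring section 9: trust the server's AD bit, or validate locally."""
    if header["cd"]:
        return "validate-locally"      # resolver was told not to check; AD carries no meaning
    if header["ad"] and trusts_resolver:
        return "accept-as-secure"
    if header["ad"]:
        return "validate-locally"      # AD set, but this client does not trust this server
    return "treat-as-insecure"


def decision_for_payload(payload: bytes, has_header: bool, trusts_resolver: bool) -> str:
    """The client must know the media type first: feeding a header-less payload to
    parse_header would misread the first question-name bytes as the ID and flags."""
    if not has_header:
        return "validate-locally"      # no AD/CD bit exists to rely on
    return trust_decision(parse_header(payload), trusts_resolver)


# Constructed sample: a validated answer for example.com A 192.0.2.1 (TEST-NET-1).
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
ANSWER = encode_name("example.com") + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_VALIDATED = build_message(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, QUESTION, ANSWER, 1)
SAMPLE_CD = build_message(0x1235, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, QUESTION, ANSWER, 1)

if __name__ == "__main__":
    h = parse_header(SAMPLE_VALIDATED)
    print(f"id={h['id']:#06x} ad={h['ad']} cd={h['cd']} -> {trust_decision(h, trusts_resolver=True)}")
    print("header omitted by media type ->",
          decision_for_payload(strip_header(SAMPLE_VALIDATED), has_header=False, trusts_resolver=True))
```

Run stand-alone it prints the decoded flags for the constructed response and the fallback a client is forced into when the header is gone, which is exactly the dependency the proposed sentence for section 9 calls out.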