Re: [Doh] operational considerations

Jim Reid <jim@rfc1035.com> Sun, 19 November 2017 12:49 UTC

From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <CAOdDvNpuNhZF+966qUY8Sq4cfdrC-j_vFYoE9LT_jMRnWozgaQ@mail.gmail.com>
Date: Sun, 19 Nov 2017 12:49:36 +0000
Cc: Eliot Lear <lear@cisco.com>, DOH Working Group <doh@ietf.org>
Message-Id: <80FD186F-DB77-4590-BD7D-293E7AC7CA4A@rfc1035.com>
References: <60b879b8-d107-ec79-b2f1-357e354702e4@cisco.com> <CAOdDvNpuNhZF+966qUY8Sq4cfdrC-j_vFYoE9LT_jMRnWozgaQ@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/tFEZL5CDbECg_LG5EXB1Ts41_qM>
Subject: Re: [Doh] operational considerations

> On 19 Nov 2017, at 01:48, Patrick McManus <pmcmanus@mozilla.com> wrote:
> 
> Different DNS servers may provide different results to the same query. It logically follows that which server is consulted influences the end result. Split-horizon DNS [RFC6950] is a specific example of this approach where the answers are derived from the (potentially natted) source of the query. A client that chooses to query a non-default resolver for a name that is using this style of algorithm may not obtain correct results.

I think the last sentence could be improved by deleting the reference to "non-default" and "correct results". First, it's not clear what a default resolver is, or what that means. Second, the result from one of these non-default resolvers may well be correct, since the correct DNS response depends on the context: i.e. someone on the internal net gets back the correct internal web site (or whatever) instead of the incorrect public-facing one. We could probably lose "(potentially natted)" too since that doesn't seem to add anything useful IMO.

How about the following instead?

Different DNS servers may provide different results to the same query. It logically follows that which server is consulted influences the end result. Split-horizon DNS [RFC6950] is a specific example of this approach where the answers are derived from the source of the query. A client that chooses to query a resolver which uses these sorts of policy-based approaches can expect to sometimes be returned different answers from the responses given by resolvers which do not use them.
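The split-horizon behaviour discussed in this thread, as an added example that is not part of the original message or of any draft text: a toy resolver whose answer is selected by the source address of the query, in the style of a BIND "view" clause. The resolver names, the client networks and the zone data are constructed for illustration. It shows the point Jim is making about "correct" answers: the same client asking two resolvers for the same name gets different, context-dependent answers, and a name that only exists in the internal view is NXDOMAIN everywhere else.

```python
"""Toy split-horizon resolver: the answer depends on the query's source address.

Constructed example for the thread above. Zone data, networks and
resolver names are made up; nothing here talks to a real nameserver.
"""
import ipaddress
from dataclasses import dataclass

NXDOMAIN = None  # sentinel: the name does not exist in the selected view


@dataclass
class View:
    """A view: which client networks it serves and the records it answers with."""
    name: str
    match_clients: list   # ipaddress networks; an empty list matches any client
    records: dict         # qname (no trailing dot, lower-case) -> A record value

    def matches(self, client_ip):
        if not self.match_clients:
            return True
        return any(client_ip in net for net in self.match_clients)


@dataclass
class SplitHorizonResolver:
    """Ordered views; the first view whose client ACL matches wins."""
    name: str
    views: list

    def select_view(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        for view in self.views:
            if view.matches(ip):
                return view
        raise LookupError(f"{self.name}: no view matches {client_ip}")

    def resolve(self, qname, client_ip):
        """Return (view name, answer); answer is NXDOMAIN if absent in that view."""
        view = self.select_view(client_ip)
        key = qname.lower().rstrip(".")
        return view.name, view.records.get(key, NXDOMAIN)


def build_example_resolvers():
    """Two constructed resolvers: a corporate one with views and a public one."""
    internal_nets = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
    corp = SplitHorizonResolver("corp-resolver", [
        # Internal clients see the RFC 1918 addresses and the intranet-only name.
        View("internal", internal_nets,
             {"www.example": "10.1.2.10", "intranet.example": "10.1.2.3"}),
        # Everyone else falls through to the public-facing data.
        View("external", [], {"www.example": "203.0.113.10"}),
    ])
    public = SplitHorizonResolver("public-resolver", [
        View("default", [], {"www.example": "203.0.113.10"}),
    ])
    return [corp, public]


def compare_answers(qname, client_ip, resolvers):
    """Ask every resolver the same question from the same client address."""
    return {r.name: r.resolve(qname, client_ip) for r in resolvers}


if __name__ == "__main__":
    resolvers = build_example_resolvers()
    for client in ("10.20.30.40", "198.51.100.7"):
        for name in ("www.example.", "intranet.example."):
            print(client, name, compare_answers(name, client, resolvers))
```

Running the block prints, for each client address and name, which view each resolver selected and what it answered. An internal client (10.20.30.40) querying the corporate resolver gets the internal address, while the public resolver hands the same client the public address and NXDOMAIN for the intranet name; neither answer is "incorrect", they are simply derived from different policy contexts, which is the wording change proposed above.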