Re: [Doh] [Ext] Re: Associating a DoH server with a resolver

Paul Hoffman <paul.hoffman@icann.org> Wed, 24 October 2018 18:25 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B53D6130F0F for <doh@ietfa.amsl.com>; Wed, 24 Oct 2018 11:25:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.089
X-Spam-Level:
X-Spam-Status: No, score=0.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ysqXRo47Fcpt for <doh@ietfa.amsl.com>; Wed, 24 Oct 2018 11:25:05 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97059130EBC for <doh@ietf.org>; Wed, 24 Oct 2018 11:25:05 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 24 Oct 2018 11:25:03 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Wed, 24 Oct 2018 11:25:02 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Eric Rescorla <ekr@rtfm.com>
CC: DoH WG <doh@ietf.org>
Thread-Topic: [Doh] [Ext] Re: Associating a DoH server with a resolver
Thread-Index: AQHUa0hXLZIOUPksW0KFptJhvlWHNqUvBzSAgAAi5oCAAAJugA==
Date: Wed, 24 Oct 2018 18:25:02 +0000
Message-ID: <7D43ECB0-BFDF-43B8-972C-41FF6CD07837@icann.org>
References: <02C39DFD-9550-447D-B00E-702B441A88BE@icann.org> <CABkgnnV2YMtcdOyMfE2NMH4L1ZbK4dcp1KQt3FttCfz-nfQd6A@mail.gmail.com> <C82FBB08-8DAA-4C50-8934-576596C2532F@icann.org> <CABkgnnVgZBp7bqv9u9iBbZAojQqbYAGWG54Ta5JKq_ycvaux1g@mail.gmail.com> <CABcZeBNObxKQWkhD=jz8Z7CL7iVnEE-O_QF5DkADu=s1=ux_rQ@mail.gmail.com> <CF80F320-1E2F-4BB6-90F2-AE8426ACDC6A@icann.org> <CABcZeBMX9z27a3_zZ7PqkAZK6f=n6vx8XWQGmJ4nAdR5f+tQjA@mail.gmail.com>
In-Reply-To: <CABcZeBMX9z27a3_zZ7PqkAZK6f=n6vx8XWQGmJ4nAdR5f+tQjA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: multipart/signed; boundary="Apple-Mail=_A2D2A4CB-3622-43E6-AEB3-1C497AA61407"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/u1KaubS0QrGZakXi5acTPOfrddM>
Subject: Re: [Doh] [Ext] Re: Associating a DoH server with a resolver
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 18:25:15 -0000

On Oct 24, 2018, at 11:16 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> On Wed, Oct 24, 2018 at 9:11 AM Paul Hoffman <paul.hoffman@icann.org <mailto:paul.hoffman@icann.org>> wrote:
> On Oct 23, 2018, at 8:18 PM, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> Several points here:
>> 
>> 1. As a matter of aesthetics, I agree with Martin that domain names would be better.
> 
> If we can get non-address records back, I would prefer to go all the way to "here are the URI templates of the DoH servers". No need to cause another round-trip.
> 
>> 2. Martin sent a link to a method for resolving TXT records on Windows. MacOS has its own API: https://developer.apple.com/documentation/dnssd/1804747-dnsservicequeryrecord?language=objc [developer.apple.com] <https://urldefense.proofpoint.com/v2/url?u=https-3A__developer.apple.com_documentation_dnssd_1804747-2Ddnsservicequeryrecord-3Flanguage-3Dobjc&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=yvHk3BrvY-tKWGRmaFbQS1aHXNfQjC40fPfI5u1VsFs&m=iJ8qV6wySJ414-hN_AOIVx2XwwybAWbVxH5x8UIf4kQ&s=5WHmwl5icl3kObdG8_5f2rpWhKXSf4wIs0YR6IefeDA&e=>.
>> So, this doesn't seem prohibitive to me.
> 
> I thought this only worked for DNSSD, not DNS. Does it work for both? Or is there a similar-flavored Mac call for DNS?
> 
> I am reliably informed it works for ordinary DNS.

Yay!

>> 4. There are other uses cases for which it might be nice to have real domain names, in which case the IP address cert thing is a pain.
>> 
>> For these reasons, I think a domain name in TXT or the like would be better.
> 
> Do you see a use case for domain names other than "here's a way to get to a well-known URI on the resolver"? If so, we could add that as well as "here are the URI templates for the associated DoH server.
> 
> I think templates would be fine.

Sounds good. In the next draft I'll add back in the way of getting the templates directly in one DNS call for browsers that can do that, and will say that it SHOULD be used first.

I'll let the various ADs decide where this document should end up, if anywhere.

--Paul Hoffman