[Doh] representation of DNS transport in use?
Erik Kline <ek@google.com> Sat, 10 March 2018 11:20 UTC
Return-Path: <ek@google.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7F49124217 for <doh@ietfa.amsl.com>; Sat, 10 Mar 2018 03:20:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JG8kq9wzd0rK for <doh@ietfa.amsl.com>; Sat, 10 Mar 2018 03:20:49 -0800 (PST)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 770511271FD for <doh@ietf.org>; Sat, 10 Mar 2018 03:20:49 -0800 (PST)
Received: by mail-yw0-x22d.google.com with SMTP id e2so578972ywh.9 for <doh@ietf.org>; Sat, 10 Mar 2018 03:20:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=Z7fIcoaKW3uV6jaMwcKOD9Ei8e+uyTHrA3J3cDXZTSA=; b=IxCOA4W+qbMa17GSfWrb4N3Xxo8DzcmYppl8NwNuKUO5wQyHo794lhZ8yUdkbUUe66 bGgs+/tcHqasVRSyMeYrthCZ+JMfkQc0WzE/4BsembkJyH6LYwaZsaJUCdOAKk5UlXtm QzDIdF1CgcT7u84VM9eVqucKajwYtM+cyzsjBNazXcw6tqTd04cANB5r1RIspk8iMLQf q1ofXImgj3mYHAnl4U57/J8tU8hZNuYCva8tBvV749nDYLsdjARFHXObITu0RPyzVeEh fULlwWubaTZl3KcIKfpLrnnI7ZjpcE/MQaLdFkaUHVrlK3Rs2pbunn/dughjp+h0vmgZ 2WkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=Z7fIcoaKW3uV6jaMwcKOD9Ei8e+uyTHrA3J3cDXZTSA=; b=WAylbTfuvAxEB3OiXPqjuSrT95gjf5/6RtCA744OBscn+mmduSB3X8qyf5+dI/4H7F REi+iIHkkVxPX9ER5hMVrlBk9DFBFSjPkgYkbp/DuBB6pRP0D+4pq6D77vKKHN/9PQgo vDvDDWMsRpCGW7Y+Xdv+A+rvquVqg19mMY0EckyDAKPXfxsznUN8t2bhoc/eYSyYobUZ vYCoEctgOeXyiy3tpooyvtJ/u//IW2iopfgf2MMjVcbHQK/jknqcYcVGJFdVC32HxHp8 VDt91sF4rh2hlrpHmGnPkNa3GUTGt81sYwlYoIBOP1TRD0afHMwkaBpMsz+vasLaZIix yw1Q==
X-Gm-Message-State: AElRT7H4GHqWm/L7+PmL1XVeFUTEKXDikw0/gZUNHylSFhy4sbg74aoe 3w6Pj3FkOEkaTmEdKOqS8cdd3yg1G+npg0sx9myJeezZ//c=
X-Google-Smtp-Source: AG47ELs/H7FUfhCmZezwcqp+lY6CqsHfuKJdfRTmQha8duVadw/Cyvy/YT6l4BuhYWybxp/MOHL3TBAV//osglIwm6g=
X-Received: by 10.129.42.193 with SMTP id q184mr829400ywq.266.1520680848180; Sat, 10 Mar 2018 03:20:48 -0800 (PST)
MIME-Version: 1.0
Received: by 2002:a25:ab51:0:0:0:0:0 with HTTP; Sat, 10 Mar 2018 03:20:27 -0800 (PST)
From: Erik Kline <ek@google.com>
Date: Sat, 10 Mar 2018 20:20:27 +0900
Message-ID: <CAAedzxq7QGB4YduDd-Kkjfyf1okR8f=EjBw7VOPBszwj2YRkgQ@mail.gmail.com>
To: doh@ietf.org, dns-privacy@ietf.org
Cc: Lorenzo Colitti <lorenzo@google.com>, Warren Kumari <wkumari@google.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a11429238cede5205670d190f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/vNNmJVBjTZKzz4y0RPo7uSQydWk>
Subject: [Doh] representation of DNS transport in use?
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Mar 2018 11:20:52 -0000
I'm expecting to die a thousand deaths for this question, but... TL;DR: Should we have some kind of URI schemes for encrypted DNS protocols (i.e. identifying the transport)? -- The motivation for this comes from working on adding DNS-over-TLS support into Android. Background: an app can always do its own DNS resolution regardless of what the system would do on its behalf were it asked. An app can send to some random server at port 53 without going through the system resolver, or it can wrap DNS queries in a Carrier Pigeon VPN. We have an API to communicate to apps whenever an encrypted DNS protocol is in use by the system: in order to express the intent of the user and indicate when at least one nameserver was successfully found in opportunistic mode (the system is consequently sending all queries to that/those server(s) inside TLS, and apps should therefore do likewise). When thinking about what information might be expressed by this API, rather than defining something bespoke I figured I'd ask about whether a standard identification scheme for transports is worth having. Currently we only support DNS-over-TLS. If we someday gained dns-over-https capability we might try to auto-detect the servers' capabilities and could conceivably convey that status to apps. RFC 4501 is obviously a thing, but seems to me to be more aimed at identifying resource records than server access methodology. To wit, from section 3: Intended usage: Whenever it is useful for DNS resources to be referenced by *protocol-independent* identifiers. Often, this occurs when the data is more important than the *access method*. Since software in general has coped without this so far, ... (emphasis mine) Add to this discussion the observation that some DNS-over-TLS servers are also reachable on 443, I think just representing the protocol in use might not be sufficient. RFC 7858 didn't seem to request any URI registration. For a server reachable via dns-over-https, the -03 doc would seem indicate we could just use https://thing:port. So maybe this is a matter only for DNS-over-TLS (dns-tls://thing:port?). End of rambling. -ek
- [Doh] representation of DNS transport in use? Erik Kline
- Re: [Doh] [dns-privacy] representation of DNS tra… Stephane Bortzmeyer