Re: [Doh] Associating a DoH server with a resolver

"Hewitt, Rory" <rhewitt@akamai.com> Tue, 23 October 2018 20:28 UTC

From: "Hewitt, Rory" <rhewitt@akamai.com>
To: Paul Hoffman <paul.hoffman@icann.org>, DoH WG <doh@ietf.org>
Date: Tue, 23 Oct 2018 20:27:43 +0000
Message-ID: <93a83d3ab32e4954bf6a21b92ac2ba16@usma1ex-dag1mb3.msg.corp.akamai.com>
In-Reply-To: <02C39DFD-9550-447D-B00E-702B441A88BE@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/x62j0I9_XuHiBYzf_jido4l6VN0>
Subject: Re: [Doh] Associating a DoH server with a resolver

Very nice - this was indeed the topic of MUCH discussion!

I'm inclined to think that it might be better to be DNS-variant-agnostic -
rather than this:

	/.well-known/doh-servers-associated/

use this:

	/.well-known/dns-servers-associated/

or even just

	/.well-known/dns-servers/

where the URI Template response would indicate the type of DNS server (DoH,
DoT, Do53 etc.). It also allows for expansion if/when further DNS servers
are defined...

Rory

-----Original Message-----
From: Paul Hoffman <paul.hoffman@icann.org> 
Sent: Tuesday, October 23, 2018 1:16 PM
To: DoH WG <doh@ietf.org>
Subject: [Doh] Associating a DoH server with a resolver

Post-RFC-publication greetings. One of the topics that has been active in
the DNS community since the standardization of DoH is how a browser or web
application could use the resolver that the operating system on which it is
running is using as a DoH server, or at least use a DoH server associated with
that resolver. I have taken a few stabs at designing a protocol to make it
possible to fulfill that need; the result is the draft below.

The draft is still in a very early stage. In fact, I've changed the
underlying mechanism three times already because I forgot what browsers and
operating systems could not do. I *think* the current draft is possible, but
would not be surprised if someone pointed out that even this attempt is
wrong. Regardless, the desire for such functionality seems strong.

Also note the Security Considerations section of the draft. In short: all
this gives you is opportunistic encryption because (I believe) we can't get
any better now. I would be happy to be wrong about that, of course.

Thoughts?

--Paul Hoffman

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


        Title           : Associating a DoH Server with a Resolver
        Author          : Paul Hoffman
        Filename        : draft-hoffman-resolver-associated-doh-04.txt
        Pages           : 8
        Date            : 2018-10-23

Abstract:
   Browsers and web applications may want to know if there are one or
   more DoH servers associated with the DNS recursive resolver that the
   operating system is already using.  This would allow them to get DNS
   responses from a resolver that the user (or, more likely, the user's
   network administrator) has already chosen.  This document describes a
   protocol for a resolver to tell a client what its associated DoH
   servers are.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-hoffman-resolver-associated-doh/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-hoffman-resolver-associated-doh-04
https://datatracker.ietf.org/doc/html/draft-hoffman-resolver-associated-doh-04

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-hoffman-resolver-associated-doh-04
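Added example, not part of the list thread or of the draft: a client-side sketch of how a browser might consume the DNS-variant-agnostic well-known resource Rory suggests above (`/.well-known/dns-servers/`), served from the address of the resolver the operating system is already using. The response format (a JSON object whose `servers` list carries `type` and `template` fields) and the path itself are assumptions of this example; the draft's actual mechanism may differ. The parser drops malformed or non-https DoH entries instead of failing, and the selection step is written on the premise in Paul's message that this only yields opportunistic encryption, since the association is learned from an unauthenticated resolver.

```python
"""Client-side handling of a hypothetical /.well-known/dns-servers/ resource.
Assumed format (not from the draft): {"servers": [{"type": "doh"|"dot"|"do53",
"template": "..."}]}. Constructed sample data only; nothing is fetched."""
import ipaddress
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/dns-servers/"   # path proposed in the thread; assumed here
ALLOWED_TYPES = {"doh", "dot", "do53"}           # server kinds named in the thread


def well_known_url(resolver_ip: str) -> str:
    """Build the URL a client would fetch from the OS resolver's address.
    IPv6 literals must be bracketed in the host component of a URL."""
    ip = ipaddress.ip_address(resolver_ip)
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"https://{host}{WELL_KNOWN_PATH}"


def parse_dns_servers(body: bytes):
    """Parse the assumed JSON response and return only well-formed entries.
    Unknown types and DoH templates that are not https are skipped rather
    than raising, so a single bad entry cannot take down the whole list."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    if not isinstance(doc, dict) or not isinstance(doc.get("servers"), list):
        return []
    accepted = []
    for entry in doc["servers"]:
        if not isinstance(entry, dict):
            continue
        stype = entry.get("type")
        target = entry.get("template")
        if stype not in ALLOWED_TYPES or not isinstance(target, str):
            continue
        if stype == "doh":
            parts = urlsplit(target)
            # RFC 8484 DoH URI templates are https; reject anything else.
            if parts.scheme != "https" or not parts.netloc:
                continue
        accepted.append({"type": stype, "template": target})
    return accepted


def select_doh_server(entries):
    """Return the first DoH template, or None. The association was learned
    from an unauthenticated resolver, so callers must treat the result as
    opportunistic encryption (the draft's Security Considerations point),
    not as a verified identity for the DoH server."""
    for entry in entries:
        if entry["type"] == "doh":
            return entry["template"]
    return None


# Constructed sample response for offline use; not real resolver output.
SAMPLE_RESPONSE = json.dumps({
    "servers": [
        {"type": "doh", "template": "http://dns.example/dns-query{?dns}"},   # skipped: not https
        {"type": "dot", "template": "dns.example"},
        {"type": "doh", "template": "https://dns.example/dns-query{?dns}"},
        {"type": "dnscrypt", "template": "sdns://example"},                  # skipped: unknown type
        "garbage",                                                           # skipped: not an object
    ]
}).encode()

if __name__ == "__main__":
    print(well_known_url("192.0.2.53"))
    servers = parse_dns_servers(SAMPLE_RESPONSE)
    print(servers)
    print(select_doh_server(servers))
```

In a real client the fetch to `well_known_url(...)` would be an ordinary HTTPS request to the resolver's IP literal; the point of the example is the handling after the response arrives, where type filtering gives the variant-agnostic path its value and the caller is forced to decide explicitly what trust the result carries.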