Re: [Doh] Seeking input on draft-03

Justin Henck <henck@google.com> Fri, 09 February 2018 15:04 UTC

Return-Path: <henck@google.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 351CA129C5D for <doh@ietfa.amsl.com>; Fri, 9 Feb 2018 07:04:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRDYaTgzBKso for <doh@ietfa.amsl.com>; Fri, 9 Feb 2018 07:04:27 -0800 (PST)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D28A124205 for <doh@ietf.org>; Fri, 9 Feb 2018 07:04:27 -0800 (PST)
Received: by mail-it0-x22a.google.com with SMTP id 196so10971610iti.5 for <doh@ietf.org>; Fri, 09 Feb 2018 07:04:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=spL7C07Y+asFgrYB4zvzRunrZMk1mmZ9zF/aSx2i2NM=; b=u2sTTj5H73jii+ZIH12wKrjwbsdH+Bt/m307+kqFNQjjXi02MHgL0O4FVjDrIvq7a+ QIPL3jl1ggcIo6cU3dStIT4Glu+OxEX5VvtEYUI8j9D+yxYVfOiNTfr6GySKVbeCsLPT YPmZtAD+kpAP23gMVyhGCk8aHurOKuPvetlQDrY8YzcwvBTl9FNdcJ608sMNYQrBmxHB rjUomlKCecjDSVWoGDw8AV4RRASTJN1a+8PvJOZbz1Q2vICGMYopOV8dV/mUu9lf0Sgq hVq8X4VndaOma2PVIsSXra3d0dJkSvYX49RyvI0ZnPYD0BDGYbTbwNKzGgK/ylf270VI sjcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=spL7C07Y+asFgrYB4zvzRunrZMk1mmZ9zF/aSx2i2NM=; b=GxceU1+NG3xT08ZBQIyrsfCC0PjoZcOkIwdzRng1ndaevgog9xZPxRf/D02HT7tTej UM3VB4zXdXmaWPdD2DBSCoexV1mUHCzC6sBpMNS6XA8SMbPfS/zZ2DRKbCgwTnwj6gRa UocYgK9TuxbdtajPVucjZH2rAa6ZlynR4prwN4jboAF4ZC4HPE9Tz/AcEhi4mbOYDpqP n+5oyFjj/AFUWiY72WpEz7wQWvtMBv694NQLNlBmu/ypDJSwfn+/IANWaOaehRK2EP1D hr+SmkZ2Xc5IyrLEUAqjzrPURPRck4RD1b6gy0DgsWoJk4MGpPtSiBUOEMOsVP5CZrbp Qf9Q==
X-Gm-Message-State: APf1xPC990wM4w8KC6+k42RoXo/vTjfaK9BfAOsZCVKH316W/ehhmXta x2L6bdUAXdNjOKc80tW/nAgWZMuldBIorcWxV+GAGQ==
X-Google-Smtp-Source: AH8x227uvB4JNbpfGPjMXp744HdN29pHzyzEJeIccSRTGlQzKN9YTxrpyXgs4sIqi2/cw8BAAXAVSQMWE02MCvCeKfs=
X-Received: by 10.36.221.18 with SMTP id t18mr3947923itf.106.1518188666158; Fri, 09 Feb 2018 07:04:26 -0800 (PST)
MIME-Version: 1.0
References: <CAHbrMsDwWvtcZy8fpg9gs3o+gc_umi9okJW6rvv+s4T7K9-sVQ@mail.gmail.com> <5855fc09-0518-7fb0-56b6-07a8667cbf31@cs.tcd.ie> <CAOdDvNqS=cQe2a4bkKO2eGK9wih6gcwmQEhU8XHQcs+yk-W7ug@mail.gmail.com> <7f5075cc-60c3-adb1-54b1-dccb8ba13240@cs.tcd.ie>
In-Reply-To: <7f5075cc-60c3-adb1-54b1-dccb8ba13240@cs.tcd.ie>
From: Justin Henck <henck@google.com>
Date: Fri, 09 Feb 2018 15:04:14 +0000
Message-ID: <CAN-AkJuJKB9pFCwk-J08Rm-5j5K+nmC1=ZLmLpa1zwvGCu+RHw@mail.gmail.com>
To: stephen.farrell@cs.tcd.ie
Cc: pmcmanus@mozilla.com, Ben Schwartz <bemasc@google.com>, doh@ietf.org
Content-Type: multipart/alternative; boundary="001a1144e30a26a0100564c8d845"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/zHvyq1294XKEthwhCLQgabNvblE>
Subject: Re: [Doh] Seeking input on draft-03
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2018 15:04:30 -0000

I can still see a lot of use cases for allowing discovery with just the
origin, and think it's an important feature to allow both performance
enhancements and drive user adoption:

   - Without the need for additional standards, a client on an HTTP/2
   connection could discover a DNS resolver on that origin and use it for all
   queries related to content on that origin
   - If the certificate frame is adopted, a client could make DNS queries
   to all open connections, to see if they host an origin (preventing
   round-robin DNS from messing up multiplexing)
   - People can configure a bootstrapping-free DNS server with fewer
   variables (IP + origin)
   - People can survey DNS servers, even if the dns endpoint itself is
   access-restricted. This would allow us to track adoption, and though it
   could be used to block servers it could also be used to find ones returning
   non-canonical results.

It may be that .well-known/dns metadata would solve many of these purposes
by being optional, or by only being required to point to at least one
instance; that would account for the desire to host multiple resolvers.

On Fri, Feb 9, 2018 at 4:24 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>;
wrote:

>
> Thanks Patrick,
>
> On 08/02/18 20:24, Patrick McManus wrote:
> > WRT the removal of .wk:
> >
> > * its previous presence had never been meant as a discovery mechanism of
> > the form "I know a hostname, therefore I know the URL". origin is a
> > security primitive for http, but its not an addressing primitive for http
> > services such as a DoH endpoint.. indeed the DoH server might sensibly
> wish
> > to offer multiple URIs on the same host (in the same way some free dns
>
> Fair point.
>
> > providers make a variety of resolution policies available with different
> IP
> > addresses).  The configuration primitive for a DoH server is the URI -
> not
> > origin.
> >
> > * I had originally included .wk as a bit of future proofing for a use
> case
> > not part of the DoH charter (not to enable it, but being sure not to
> > preclude it at a later time). I have been convinced that .wk is not
> > necessary for that - and so it was removed from the draft. I regret that
> > these two things were confused by readers of <= -02 due to my own
> > composition skills (or lack thereof).
> >
> > As to Stephen's query - this was both discussed f2f in singapore and
> > https://github.com/dohwg/draft-ietf-doh-dns-over-https/issues/24 . Of
>
> I read that and it's overall convincing enough for me.
>
> I do also wonder about the point raised there about doing surveys of
> doh deployments - as one poster (willscott) said though, I'm not sure
> if I think enabling that is a good thing or not. (The downside being
> that censors discover deployments too.) I'd not argue that's reason
> enough to retain well-known in the draft.
>
> Cheers,
> S.
>
> > course there hasn't been consensus declared on the issue - the editors
> are
> > just trying to make the newer drafts as closely aligned with the group's
> > discussion as we can manage as part of the proces> -P
> >
> >
> > On Thu, Feb 8, 2018 at 2:56 PM, Stephen Farrell <
> stephen.farrell@cs.tcd.ie>;
> > wrote:
> >
> >>
> >>
> >> On 08/02/18 18:05, Ben Schwartz wrote:
> >>>
> >>> One important difference is that draft-03 no longer proposes a
> >>> ".well-known" entry.  In draft-02 and prior, clients could check for
> the
> >>> presence of a DOH service at the default path, given only the domain
> name
> >>> of a server.  In draft-03, there is no default path, so clients must be
> >>> configured with the full URL of the DOH endpoint.
> >>
> >> Apologies if I'm forgetting a thread where this was discussed,
> >> but what's the reason for dropping .well-known? (If there is a
> >> thread, a pointer to that is a sufficient answer.)
> >>
> >> Thanks,
> >> S.
> >>
> >> --
> >> PGP key change time for me.
> >> New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
> >> NewWithOld sigs in keyservers.
> >> Sorry if that mucks something up;-)
> >>
> >> _______________________________________________
> >> Doh mailing list
> >> Doh@ietf.org
> >> https://www.ietf.org/mailman/listinfo/doh
> >>
> >>
> >
>
> --
> PGP key change time for me.
> New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
> NewWithOld sigs in keyservers.
> Sorry if that mucks something up;-)
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>