Re: [Doh] [Ext] IP address certificates

"Martin Thomson" <mt@lowentropy.net> Sun, 17 March 2019 22:57 UTC

Message-Id: <9d99cf89-a62c-467f-9ff1-887ac27a5221@www.fastmail.com>
In-Reply-To: <A4091E6C-6521-4CBF-A6BD-3CAB7E3B51E1@icann.org>
References: <CAHbrMsCNyeabhk0sVexOHVedVkgG2dvV9T8wWL++om5juAUvEw@mail.gmail.com> <ED16E0D8-BBCB-4316-A116-BA8513F523A3@sky.uk> <F680895B-2BCA-48D9-8C28-C34E93BF73A3@icann.org> <2cbff385-7e78-452d-b82d-08acf56ab4df@www.fastmail.com> <A4091E6C-6521-4CBF-A6BD-3CAB7E3B51E1@icann.org>
Date: Sun, 17 Mar 2019 18:57:15 -0400
From: Martin Thomson <mt@lowentropy.net>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "doh@ietf.org" <doh@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/zvVC1H9Uhxy1V8AiyNC5_DQfr5M>
Subject: Re: [Doh] [Ext] IP address certificates

On Mon, Mar 18, 2019, at 07:51, Paul Hoffman wrote:
> Do you feel that they are useful or useless for the protocol in  
> draft-ietf-doh-resolver-associated-doh that lets a resolver advertise 
> its related servers?

It will depend on deployment context whether they can be used.  You have to have an IP address that meets the conditions set out in draft-ietf-acme-ip, which means minimally no RFC 1918 or LLA/ULA.

I don't think that I'm comfortable recommending a design that doesn't allow for names, unless we can get pretty wide agreement from networks saying that this is feasible in their deployment, even if (and perhaps especially if) they are not currently considering DoH deployment.  Even if we had names, it's not clear that getting certificates for those names is easy.

BTW, neither IP address certificates nor names work for the device that ostensibly offers DNS resolution on the network I am in right now.  That means that the third-party service is the only option that is likely to work in most private premises and small offices.  That might reduce the pressure on this mechanism.
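The two checks the message turns on, as an added example that is not part of the thread or of any draft: whether an address a resolver advertises is one a public CA could issue an IP certificate for at all, and whether a client that dials that IP matches the certificate against the iPAddress SAN rather than the CN or a dNSName. The eligibility filter is my reading of draft-ietf-acme-ip (RFC 1918, link-local and ULA excluded, and anything not globally routable treated as ineligible); a CA's actual policy may be stricter. The certificate dicts are constructed in the shape Python's `ssl.getpeercert()` returns, using documentation addresses, so nothing here reflects a real resolver.

```python
"""Added example, not code from the DoH thread or from any IETF draft.

Two checks an IP-only DoH endpoint depends on:
  1. ip_cert_eligibility: could a public CA issue an iPAddress certificate
     for this address under (my reading of) draft-ietf-acme-ip?
  2. cert_matches_ip: does the peer certificate actually cover the IP the
     client dialled, judged only by iPAddress SANs (RFC 5280), never by the
     CN or by a dNSName that merely spells out the address?
"""
import ipaddress
from typing import Tuple

# Ranges the message calls out explicitly (RFC 1918, LLA, ULA).
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_LINK_LOCAL = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10")]
_ULA = ipaddress.ip_network("fc00::/7")


def ip_cert_eligibility(addr: str) -> Tuple[bool, str]:
    """Return (eligible, reason) for requesting a publicly trusted IP cert.

    Assumption: eligibility approximates "globally routable unicast"; the
    named ranges are reported first so the reason is specific."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return False, "not an IP literal"
    if ip.is_loopback:
        return False, "loopback"
    if any(ip in n for n in _LINK_LOCAL):
        return False, "link-local address"
    if ip.version == 4 and any(ip in n for n in _RFC1918):
        return False, "RFC 1918 private address"
    if ip.version == 6 and ip in _ULA:
        return False, "unique local address (fc00::/7)"
    if ip.is_multicast:
        return False, "multicast"
    if not ip.is_global:
        # Documentation, CGNAT, benchmarking and similar special-purpose blocks.
        return False, "special-purpose range, not globally routable"
    return True, "public unicast, eligible in principle"


def cert_matches_ip(cert: dict, addr: str) -> bool:
    """Match a certificate (ssl.getpeercert() dict shape) against the IP dialled.

    iPAddress SANs are compared as addresses, so '2001:db8::53' matches
    '2001:DB8:0:0:0:0:0:53'.  Entries of other SAN types and the subject CN
    are deliberately ignored, as a conforming TLS client would ignore them."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return False
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value.strip()) == ip:
                return True
        except ValueError:
            continue  # malformed SAN entry: skip rather than fail open
    return False


# Constructed sample certificates (documentation addresses, not real servers).
GOOD_CERT = {
    "subject": ((("commonName", "203.0.113.53"),),),
    "subjectAltName": (
        ("IP Address", "203.0.113.53"),
        ("IP Address", "2001:DB8:0:0:0:0:0:53"),
    ),
}
# Only a dNSName / CN that *spells* the address: must not match an IP dial.
NAME_ONLY_CERT = {
    "subject": ((("commonName", "203.0.113.53"),),),
    "subjectAltName": (("DNS", "203.0.113.53"),),
}


if __name__ == "__main__":
    for a in ("192.168.1.1", "fe80::1", "fd12:3456::1", "203.0.113.53", "9.9.9.9"):
        print(a, ip_cert_eligibility(a))
    print(cert_matches_ip(GOOD_CERT, "2001:db8::53"))        # True
    print(cert_matches_ip(NAME_ONLY_CERT, "203.0.113.53"))   # False
```

Note that the sample certificate itself is for a documentation address, which `ip_cert_eligibility` rejects: the two checks are independent, and a private or special-purpose address fails the first one regardless of what any certificate says, which is the deployment problem the message describes.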