Re: [Driu] [DNSOP] Resolverless DNS Side Meeting in Montreal

Philip Homburg <pch-dnsop-3@u-1.phicoh.com> Tue, 10 July 2018 09:09 UTC

Return-Path: <pch-bCE2691D2@u-1.phicoh.com>
X-Original-To: driu@ietfa.amsl.com
Delivered-To: driu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72413130E1D; Tue, 10 Jul 2018 02:09:22 -0700 (PDT)
X-Quarantine-ID: <N3Xv3bvsMMYr>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N3Xv3bvsMMYr; Tue, 10 Jul 2018 02:09:20 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo6-tun.hq.phicoh.net [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAE27130E14; Tue, 10 Jul 2018 02:09:19 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384) (Smail #157) id m1fcoe5-0000GuC; Tue, 10 Jul 2018 11:09:17 +0200
Message-Id: <m1fcoe5-0000GuC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
Cc: Patrick McManus <pmcmanus@mozilla.com>
Cc: DoH WG <doh@ietf.org>, driu@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
From: Philip Homburg <pch-dnsop-3@u-1.phicoh.com>
Sender: pch-bCE2691D2@u-1.phicoh.com
In-reply-to: Your message of "Mon, 9 Jul 2018 22:49:25 -0400 ." <CAOdDvNp0S5-aEzy4ziqVvL1Kd+V79nD49_Zuo1dLoThXYP7nFg@mail.gmail.com>
Date: Tue, 10 Jul 2018 11:09:16 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/driu/1UOp6Ui3LIyIr_KOR2Yp5hOSb_s>
X-Mailman-Approved-At: Tue, 10 Jul 2018 07:14:51 -0700
Subject: Re: [Driu] [DNSOP] Resolverless DNS Side Meeting in Montreal
X-BeenThere: driu@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "DNS Resolver Identification and Use \(DRIU\)." <driu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/driu>, <mailto:driu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/driu/>
List-Post: <mailto:driu@ietf.org>
List-Help: <mailto:driu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/driu>, <mailto:driu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 09:09:23 -0000

>For example www.example.com pushes you a AAAA record for img1.example.com.
>Should you use it? What if it is for img1.img-example.com ? Do the
>relationship between these domains matter? What kind of relationship (i.e.
>it could be a domain relationship, or in the context of a browser it might
>be a first-party tab like relationship, etc..)? What are the implications
>of poison? Trackers? Privacy of requests never made? Speed? Competitive
>shenanigans or DoS attacks?
>
>This was out of scope for DoH.

Assuming that in the context of DoH reply size is not an issue, is seems to
me that this use case is already solved by DNSSEC. Just push all required
signatures, key material and DS records that allow the receiving side to 
validate the additional information.

Are you trying to re-invent DNSSEC for people who don't want to deploy
DNSSEC?