Re: [Resolverless-dns] [DNSOP] On today's resolverless DNS meeting
Dave Lawrence <tale@dd.org> Wed, 07 November 2018 13:21 UTC
Return-Path: <tale@dd.org>
X-Original-To: resolverless-dns@ietfa.amsl.com
Delivered-To: resolverless-dns@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C2EC12D4EA for <resolverless-dns@ietfa.amsl.com>; Wed, 7 Nov 2018 05:21:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0fwQqMKf3gt for <resolverless-dns@ietfa.amsl.com>; Wed, 7 Nov 2018 05:21:18 -0800 (PST)
Received: from gro.dd.org (gro.dd.org [207.136.192.136]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B9301274D0 for <resolverless-dns@ietf.org>; Wed, 7 Nov 2018 05:21:18 -0800 (PST)
Received: by gro.dd.org (Postfix, from userid 102) id 348C9323D6; Wed, 7 Nov 2018 08:21:17 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23522.59085.197570.559585@gro.dd.org>
Date: Wed, 07 Nov 2018 08:21:17 -0500
From: Dave Lawrence <tale@dd.org>
To: resolverless-dns@ietf.org
In-Reply-To: <20181106102731.GA5280@naina>
References: <20181106102731.GA5280@naina>
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/97-yEaTHx9N3BF3dBvEt9zrh2gU>
Subject: Re: [Resolverless-dns] [DNSOP] On today's resolverless DNS meeting
X-BeenThere: resolverless-dns@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <resolverless-dns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/resolverless-dns/>
List-Post: <mailto:resolverless-dns@ietf.org>
List-Help: <mailto:resolverless-dns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 13:21:21 -0000
Redirected from {dnsop,doh}@ietf.org, so the whole message is appended, something I am normally loathe to do. The part I'm focused on is this: > The webpage can tell the browser to fetch the img resource from > anyplace it wants to - it can very well specify an IP address > instead of the hostname - the webpage controls it. You're right that this can be done, and has been sometimes in the past. It only works in simple cases, though, which means it would fail an awful lot on the modern Internet if that resource is hosted on a machine which needs Host:/SNI to work correctly. Go ahead and try it with whatever you've got open in your browser now. I just did it with https to facebook.com, google.com, and en.wikipedia.org, and got NET::ERR_CERT_COMMON_NAME_INVALID or NET::ERR_CERT_AUTHORITY_INVALID. Plain http to vhosted sites also has problems with identifying the correct objects. Yes you can come up with more ways to make it work, but they're gross too, surely more so than being able to have trustworthy name to address mappings. Mukund Sivaraman writes: > Hi all > > It seemed that the objective (or an objective) of what is desired is for > a webpage to have an <img src=""> and also push an address record for > the hostname in the src URL. > > We talked about DNSSEC and certificate signing and such. If the host > serving this webpage to the browser has control over the webpage's > content (e.g., the contents of that src attribute), and the webpage's > contents are already authenticated by TLS, then why does an address > record have to be separately authenticated? > > Why can't the webpage contain the addresses of the hostname in the URL, > in another attribute of that element? Does it have to be separately > signed via DNSSEC and certificates? The webpage can tell the browser to > fetch the img resource from anyplace it wants to - it can very well > specify an IP address instead of the hostname - the webpage controls > it. Why can't it, for *that* element, provide the target address in an > attribute without any additional signatures, given that the webpage's > content itself is authenticated via TLS? > > Mukund > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- Re: [Resolverless-dns] [Doh] [DNSOP] On today's r… Justin Henck
- Re: [Resolverless-dns] [Doh] [DNSOP] On today's r… Ben Schwartz
- Re: [Resolverless-dns] [DNSOP] On today's resolve… Dave Lawrence