> On Aug 20, 2018, at 9:11 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
> On 20 Aug 2018, at 17:47, Tom Pusateri wrote:
>
>>> On Aug 20, 2018, at 12:42 PM, Tony Finch <d...@dotat.at> wrote:
>>>
>>> Marek Vavruša <mvavrusa=40cloudflare....@dmarc.ietf.org> wrote:
>>>>
>>>> https://github.com/vavrusa/draft-dhcp-dprive/blob/master/draft-dhcp-dprive.txt
>>>
>>> This is interesting to me because I want to support DoTH on my campus resolvers.
>>>
>>> Regarding DoH, the DHCP option ought to include a URI template (there isn't a .well-known for DoH). I plan to set up my servers so that misdirected attempts to get web pages from the DoH server are redirected to the relevant documentation; that's much easier if the DoH endpoint isn't at the server root.
>>
>> Our variant of this same idea that Willem Toorop and I presented at the DRIU BOF in Montréal has a URI for the DoH case:
>>
>> https://tools.ietf.org/html/draft-pusateri-dhc-dns-driu-00
>>
>> But let me remind everyone that there were a lot of people agreeing with Ted in Montréal and so far, Ted appears to be standing all by himself.
>>
>> Where are all the other folks that shot down this idea earlier? :)
>
> Judging what was said at an excited mic line is always challenging. :-) Two issues are being conflated here:
> 1) a DHCP option to include a URI template
> 2) how the DHCP client in an OS would use that option
>
> DHCP options are easy and cheap. However #2 was vexing. The proposal that an OS say "oh look, there is a DoH server, I'll use that because it is more secure than Do53" was what was controversial because of the utter lack of DHCP security. Some of the folks on the mic line disagreed with the assumption that, given two pieces of insecurely-acquired information (a Do53 address and a DoH template), the latter would result in a more secure connection. A network admin can see the port 53 traffic and see if there's crap in there; they can't see the inner DoH traffic.
>
> --Paul Hoffman
Yes, this was one good point. Another point I remember most clearly is that DHCP has fallen out of favor for communicating all but the most minimal network bootstrap configuration information. There was general agreement in the room that you should only use DHCP in IPv4 for address/router info and then use trusted sources for everything else. In IPv6, SLAAC generally provides this.

One more point (from the Android crowd) was that they are going to try to connect to the DNS server's IP address using port 853 with DoT at the same time they are trying to resolve names over port 53 with UDP. If they're able to make a DoT connection, they'll use it. This doesn't provide for a way to have an ADN to verify the certificate, but a PTR query can give you a name to do certificate validation and/or DANE validation. So they seemed to be making the point that no DHCP extensions were necessary.

Tom
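The opportunistic DoT upgrade that Tom attributes to the Android folks, written out as an added example (this is not code from the thread, from Android, or from either draft): the client derives a name for the resolver from a PTR lookup, attempts a TLS handshake on port 853 that is validated against that name, and falls back to plain port 53 if the handshake fails. The resolver address 10.2.3.4, the name dns.example.net and the PTR response bytes are constructed for the example; the handshake uses Python's default TLS context, so chain and hostname validation follow the system trust store. When no PTR name is available this version stays on Do53 rather than accepting an unauthenticated DoT session, which is a design choice of the example, not something the thread specifies.

```python
import socket
import ssl
import struct
from typing import Callable, Optional, Tuple

DOT_PORT = 853
DO53_PORT = 53
PTR = 12  # RR type for PTR


def reverse_name(ip: str) -> str:
    """IPv4 address -> in-addr.arpa owner name used for the PTR query."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def encode_name(name: str) -> bytes:
    """Wire-format (length-prefixed labels, terminating zero) encoding of a name."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set plus one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_ptr_answer(msg: bytes) -> Optional[str]:
    """Return the first PTR target in the answer section, or None."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F != 0:  # RCODE other than NOERROR
        return None
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == PTR:
            target, _ = decode_name(msg, off)
            return target
        off += rdlen
    return None


def probe_dot(ip: str, server_name: str, timeout: float = 2.0) -> bool:
    """Attempt a validated TLS handshake to ip:853; True only if it succeeds."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name):
                return True
    except OSError:  # includes ssl.SSLError and socket.timeout
        return False


def choose_transport(ip: str, ptr_name: Optional[str],
                     probe: Callable[[str, str], bool] = probe_dot) -> str:
    """Use DoT when a validated handshake succeeds, otherwise stay on Do53."""
    if ptr_name is None:
        return "Do53"  # nothing to validate the certificate against
    return "DoT" if probe(ip, ptr_name) else "Do53"


def sample_ptr_response() -> bytes:
    """Constructed sample: PTR answer for 10.2.3.4 pointing at dns.example.net."""
    qname = encode_name(reverse_name("10.2.3.4"))
    rdata = encode_name("dns.example.net.")
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack(">HH", PTR, 1)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", PTR, 1, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    name = parse_ptr_answer(sample_ptr_response())
    print(name, choose_transport("10.2.3.4", name, probe=lambda ip, n: False))
```

In a live client the PTR query built by build_query would be sent over port 53 and probe_dot run concurrently, as Tom describes; here the probe is injectable so the decision logic can be exercised without a network, and the sample response stands in for the resolver's answer. Note that the PTR name itself arrives over the same unauthenticated channel as the resolver address, so this scheme authenticates the server for the name the network handed out, not for a name the client independently trusts.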
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop