Re: [dns-privacy] Fwd: New Version Notification for draft-peterson-dot-dhcp-00.txt

Sun, 28 Apr 2019 04:13:05 -0700 

Thank you for the feedback.
I agree with your suggestion around having host names and pins present in the response and I'll have a think what it might look like - suggestions here or on Github[0] welcome. 


However I disagree that combining both DoT and DoH is appropriate - to 
me they are different protocols and I am concerned around complexity and 
size limitations (particularly for DHCPv4) that would be needed.


Regards


0: https://github.com/thpts/draft-peterson-dot-dhcp

On 2019/04/28 4:12, nusenu wrote:

Thomas Peterson:

In a recent discussion in the DoH mailing list around a draft that
describes resolver discovery, Martin Thomson made the suggestion[0]
to use DHCP and RA options instead to transmit both DNS over HTTP
resolver addresses, but more relevant to this WG also DNS over TLS
endpoints as well. I have published draft-peterson-dot-dhcp, which
describe the relevant DHCPv4, DHCPv6, and RA options to support
this.

[...]

0:
https://mailarchive.ietf.org/arch/msg/doh/A2YthHjFwwwpC3d0MrOm1-syH48

Thanks for starting this I-D.

from the I-D:

Length:  Length of the DNS Servers list in octects

DNS Servers:  One or more IPv4 addresses of DNS servers

The I-D currently only contains IP addresses, not names as
proposed by Martin:

To quote Martin Thomson's email:

2. We add a field to DHCP and RA that carries the "DoT resolver".
When this is present, the client resolves this name using the
resolver.  This resolution is unsecured.  The client then connects to
the resulting IP address and validates the certificate it presents
using this name.  This enables easier deployment of DoT because a
certificate for a name is easier to get than an IP certificate (it
also enables use of 1918 address and the like).

So I'd suggest to have multiple fields:
- IP address (optional)
- name (for PKIX verification) (optional)
- SPKI pins? (optional)

I'd like to see a single document covering DoT and DoH
DHCP/RA options (as Martin Thomson suggested)
instead of two documents doing the same thing
for each protocol separately.

kind regards,
nusenu





_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy






















					Reply via email to