For DoT and Do53 are similar enough that they can use the same IP address and the DoT configuration only contains a target name. There is a problem with the first in terms of signaling that DoT is present, but that the server will be using an IP certificate. I don't know what the answer is there. I'd first try to see if requiring a name works.
I certainly think that one name is sufficient. Multiple IP addresses might be useful, but they can all answer to the same name (at least for the same provisioning domain). DoH is different, and I think that your other draft is right in saying that you just have to use Do53 (or even DoT, though why you would...) to find the IP address for that name. On Sun, Apr 28, 2019, at 21:12, Thomas Peterson wrote: > Thank you for the feedback. > > I agree with your suggestion around having host names and pins present > in the response and I'll have a think what it might look like - > suggestions here or on Github[0] welcome. > > However I disagree that combining both DoT and DoH is appropriate - to > me they are different protocols and I am concerned around complexity and > size limitations (particularly for DHCPv4) that would be needed. > > Regards > > > 0: https://github.com/thpts/draft-peterson-dot-dhcp > > On 2019/04/28 4:12, nusenu wrote: > > Thomas Peterson: > >> In a recent discussion in the DoH mailing list around a draft that > >> describes resolver discovery, Martin Thomson made the suggestion[0] > >> to use DHCP and RA options instead to transmit both DNS over HTTP > >> resolver addresses, but more relevant to this WG also DNS over TLS > >> endpoints as well. I have published draft-peterson-dot-dhcp, which > >> describe the relevant DHCPv4, DHCPv6, and RA options to support > >> this. > > [...] > >> 0: > >> https://mailarchive.ietf.org/arch/msg/doh/A2YthHjFwwwpC3d0MrOm1-syH48 > > Thanks for starting this I-D. > > > > from the I-D: > >> Length: Length of the DNS Servers list in octects > >> > >> DNS Servers: One or more IPv4 addresses of DNS servers > > The I-D currently only contains IP addresses, not names as > > proposed by Martin: > > > > To quote Martin Thomson's email: > >> 2. We add a field to DHCP and RA that carries the "DoT resolver". > >> When this is present, the client resolves this name using the > >> resolver. This resolution is unsecured. The client then connects to > >> the resulting IP address and validates the certificate it presents > >> using this name. This enables easier deployment of DoT because a > >> certificate for a name is easier to get than an IP certificate (it > >> also enables use of 1918 address and the like). > > So I'd suggest to have multiple fields: > > - IP address (optional) > > - name (for PKIX verification) (optional) > > - SPKI pins? (optional) > > > > I'd like to see a single document covering DoT and DoH > > DHCP/RA options (as Martin Thomson suggested) > > instead of two documents doing the same thing > > for each protocol separately. > > > > kind regards, > > nusenu > > > > > > > _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
