Assuming that the host name must be a FQDN and not another
representation (say a wildcard e.g. "*.example.com") to me it appears
redundant to have both IP addresses and a host name and that having both
present really only mitigates a client making a Do53 query. It also
potentially permits scenarios like a network sending an option of an IP
address and host name, however the host name does not actually resolve
via any resolver to that IP address. It could also permit or encourage
more multi-horizon DNS being deployed in networks, a subject I have
generally negative views of.
Perhaps what is missing that would help steer this would be a threat
model around client DNS bootstrapping before we attempt to go one
direction or another?
Regards
On 08/05/2019 01:34, Martin Thomson wrote:
On Wed, May 8, 2019, at 07:07, Thomas Peterson wrote:
If a mechanism that facilitates certificate validation is important then
the only two options I believe we have are:
Yes, I believe that certificate validation is important, if not critical. As I
said earlier, the process by which a DoT (or DoH) server is contacted is
materially different than the network configuration process.
A: Providing a host name only within the option, and expect clients to
use Do53 to resolve it, performing host name validation against the
certificate CommonName or SubjectAltName.
B: Using IP address(es) only, with either Do53 option or this option
providing the IP addresses, in addition to a non-DNS related identifier
to facilitate certificate validation - perhaps the Serial Number,
Subject Key Identifier or some other field or a derived field of data.
Having an option with both a host name and IP addresses makes no real
sense to me.
I want to dig into this. How do you think that hostname + IP is nonsensical?
I am given a name and some candidate IP addresses for that name. The security
all hangs off the name, but I need the IP addresses to make a connection.
In a way it is not fundamentally different than your suggestion to include a
serial number or SPKI. The important difference is that TLS stacks know how to
deal with names and we have (elaborate) systems for ensuring that a host that
claims to control a name really does. A name allows us to use all that
infrastructure.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
