> On Dec 15, 2019, at 11:06 PM, Martin Thomson <[email protected]> wrote:
>
> On Mon, Dec 16, 2019, at 13:40, Tom Pusateri wrote:
>>
>>
>>> On Dec 15, 2019, at 7:35 PM, Martin Thomson <[email protected]> wrote:
>>>
>>>> So, let's back up a step: are people interested in using DHCP and RA as
>>>> part of the discovery story here or not?
>>>
>>> I am.
>>>
>>> I tend to think that
>>> https://thpts.github.io/draft-peterson-dot-dhcp/draft-peterson-dot-dhcp.html
>>> is a reasonable start here. Sure, it makes some assumptions, and leaves
>>> some of the harder 8310-style questions unanswered, but that's where I
>>> think we should be paying more attention anyway.
>>
>> This is at least the fourth list that DoT discovery over DHCP has been
>> discussed (see DoH, DNSOP, and DRIU).
>>
>> In the previous three times, it was rejected as not a trustworthy source.
> [...]
>> https://www.youtube.com/watch?v=cfEX8zuoRAA
>> <https://www.youtube.com/watch?v=cfEX8zuoRAA>
>
> I refreshed my memory here and my interpretation of Ted's presentation is
> perhaps different than what you took away. I could make one of two
> inferences:
>
> 1. Don't allow the network to configure DNS. You can't trust it.
>
> 2. Be clearer about the trust model when you allow the network to provide
> this information.
>
> There was a bunch of other noise about the shortcomings of DHCP, but this was
> the central point.
>
> The first might be read as a firm argument for certain DoH deployment
> arrangements. Arrangements that have proven to be highly controversial. Your
> own introduction to the next presentation acknowledges the shortcoming and
> even identified a trust model or two that might fit within the remit of the
> second option.
My take-away was that it was ok to use DHCP to bootstrap but then a host should establish trust in other ways. Maybe this was the result of other discussions in combination.

The Android folks seemed happy with using the existing DHCP DNS server information and attempting to connect to that server over port 853 for DoT at the same time as sending queries to port 53 and preferring the TLS connection if it was available. This required no new DHCP options. I was under the impression this is how most clients were going to proceed.

Thanks,
Tom
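The client behaviour Tom describes above (take the resolver addresses DHCP already hands out, try TLS on 853 and plain DNS on 53 concurrently, prefer the TLS transport when it works) written out as an added example. This is not code from the thread, from Android, or from any client mentioned; the function names, the `example.com` probe name and the documentation-range addresses are constructed for the example. Note the trust caveat the thread keeps circling: with only an IP address from DHCP, the TLS probe can run only the opportunistic profile (encrypted but unauthenticated); the `adn` parameter shows where a strict, authenticated profile would plug in if some other mechanism supplied a name to verify.

```python
"""Opportunistic DoT bootstrap from DHCP-supplied resolver addresses.

Added example, not code from the thread. Probe each DHCP-provided resolver
over TLS/853 and UDP/53 at the same time and prefer TLS whenever the
handshake and a reply succeed. Probe functions are injectable so the
selection policy can be exercised without network access.
"""
import secrets
import socket
import ssl
import struct
from concurrent.futures import ThreadPoolExecutor

PROBE_NAME = "example.com."   # constructed probe name; any A query will do


def build_query(qname, qtype=1):
    """Build a minimal one-question DNS query (RD set) in wire format."""
    qid = secrets.randbits(16)
    # id, flags (RD), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return qid, header + question


def reply_matches(query_id, data):
    """True if data is a DNS message with our ID and the QR (response) bit set."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == query_id and bool(flags & 0x8000)


def probe_do53(addr, timeout=2.0):
    """Classic DHCP-configured path: one UDP query to port 53."""
    qid, msg = build_query(PROBE_NAME)
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(msg, (addr, 53))
            data, _ = s.recvfrom(4096)
        except OSError:
            return False
    return reply_matches(qid, data)


def probe_dot(addr, timeout=2.0, adn=None):
    """One query over TLS to port 853.

    adn=None is the opportunistic profile (RFC 7858 / RFC 8310): the session is
    encrypted but the server is NOT authenticated, because DHCP only gave us an
    address. Supplying an authentication domain name (adn) switches to the
    strict profile and verifies the certificate chain and name."""
    qid, msg = build_query(PROBE_NAME)
    if adn:
        ctx = ssl.create_default_context()          # chain + hostname verified
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False                  # must precede verify_mode
        ctx.verify_mode = ssl.CERT_NONE             # opportunistic: unauthenticated
    try:
        with socket.create_connection((addr, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=adn) as tls:
                tls.sendall(struct.pack("!H", len(msg)) + msg)  # 2-byte length prefix
                hdr = tls.recv(2)
                if len(hdr) < 2:
                    return False
                (length,) = struct.unpack("!H", hdr)
                data = b""
                while len(data) < length:
                    chunk = tls.recv(length - len(data))
                    if not chunk:
                        return False
                    data += chunk
    except (OSError, ssl.SSLError):
        return False
    return reply_matches(qid, data)


def select_resolver(addrs, dot=probe_dot, do53=probe_do53):
    """Probe every address over both transports concurrently.

    Returns (addr, "dot") for the first address that answered over TLS,
    else (addr, "do53") for the first that answered in the clear, else None."""
    with ThreadPoolExecutor(max_workers=max(1, 2 * len(addrs))) as pool:
        dot_futs = [pool.submit(dot, a) for a in addrs]     # both transports
        do53_futs = [pool.submit(do53, a) for a in addrs]   # in flight together
        dot_ok = [f.result() for f in dot_futs]
        do53_ok = [f.result() for f in do53_futs]
    for addr, ok in zip(addrs, dot_ok):
        if ok:
            return addr, "dot"
    for addr, ok in zip(addrs, do53_ok):
        if ok:
            return addr, "do53"
    return None


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address; substitute what DHCP handed out.
    print(select_resolver(["192.0.2.1"]))
```

Because the selection logic takes the probe functions as parameters, a client can unit-test the "prefer TLS, fall back to port 53" policy with stubbed probes and only exercise the real socket code against a lab resolver.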
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
