On Thu, Mar 21, 2019 at 3:03 PM Jacques Latour <jacques.lat...@cira.ca>
wrote:

> Plus!
> Is anyone looking at adding DoH and DoT servers as part of DHCP/SLAAC?  So
> the local resolver and apps and browsers can go the _appropriate_ name
> resolution resource(s) using the protocol of choice. That would be much
> simpler for default configuration in enterprise and ISP.
>
>
I think that is a good starting place for the side meeting discussion.

However, I think a more expressive configuration might be needed, to
actually provide information to clients for them to configure themselves
and/or make decisions.
E.g.: In DHCP, provide one or more of the following kinds of announcements
or assertions:
- ISP does not allow use of DoH to off-net providers (aka DoH:NONE)
- ISP allows use of DoT to off-net providers (aka DoT:ANY)
- ISP provides a DoT server which inspects DNS queries and/or answers, but
does not record or export any information (aka DoT:<IP>,PRIVACY:YES)
- ISP provides a DoH server which inspects DNS queries and/or answers, and
records and exports per user data, keeping data for N days (aka DoH:<IP>,
PRIVACY:NO, RECORD:N)
- ISP provides validating DNSSEC UDP only (aka DNSUDP:<IP>, DNSSEC:VALIDATE)
- ISP provides non-validating DNSSEC UDP, allows TSIG (aka DNSUDP:<IP>,
DNSSEC:NOVALIDATE, TSIG:YES)
- any other relevant stuff (DNS cookies, TCP stateful, all the newest and
shiniest stuff.)

- Then, a client could pick and choose among available options, based on
some kind of pre-configured preferences, like REQUIRE:PRIVACY,
PREFERENCE:DoT,DoH,DNSSEC,DNS, USE:TSIG, BLOCK:RECORD.

I realize, expressiveness adds complexity. However, it does avoid
assumptions and overloading.

The main criteria is agreement on client vs server (i.e. standardize this
stuff), and possibly also add the network as another party involved (for
upstream transit ISP vs local ISP), if they have differing policies for
allowing offsite/third-party DoH or DoT.

Brian



> >From: DNSOP <dnsop-boun...@ietf.org> On Behalf Of Ralf Weber
>
> >You can not get on a network with at least trusting some of its
> infrastructure, be
> >it SLAAC or DHCP (which BTW both carry information for DNS resolving). The
> >question is where you draw the line and IMHO DNS or name resolution is a
> basic
> >network function and not an application setting.
> >
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to