New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarification on Opportunistic with respect to dns://resolver.arpa #9
Comments
magicalo said...Can you clarify why dns://resolver.arpa would matter in an Opportunistic scenario, or at least in a subset of Opportunistic options. Couldn't a DNS client simply attempt DoH on the same IP address(es) as Do53 (ideally in parallel) Maybe I have misunderstood this section or the role dns://resolver.arpa would play here. Could you clarify please. |
tfpauly said...The purpose of the SVCB record information in the "opportunistic" scenario is getting extra metadata about the resolvers. This is particularly important or useful for DoH, where the URI path and HTTP authority would not otherwise be known. The client could guess, but it may not be able to form a valid HTTP request. The DoT ports, etc, could also be different, but that's often less useful. |
I apology for re-opening the discussion. opportunistic discovery for DoT When a client is advertised a nonpublic IP address for an unencrypted resolver. It seems that DoT in an opportunistic mode doesn't need that resolver.arpa request and that a clientHello is sufficient. If I am not missing anything, some text may describe this and specify that the additional DNS request is only needed for non DoT use cases - i.e. DoH for example. |
This is correct; however, this guidance helps to standardize an approach instead of leaving that "you can just try it" part unspoken. There is active discussion on this point being requested on the list @mglt so I think you contributing there would be appreciated. |
I don't see what's different here between our existing text:
|
Closing this with lack of discussion; the existing text covers how the SVCB record can be used and refers to RFC7858, which itself talks about how to do unauthenticated DoT (which requires no SVCB record). |
Issue migrated from DEER repo: tfpauly/draft-pauly-adaptive-dns-privacy#163
The text was updated successfully, but these errors were encountered: