[{"author": "Richard Barnes", "text": "<p>happy last session of the day to people dialing in from non-Asian time zones <span aria-label=\"yawning face\" class=\"emoji emoji-1f971\" role=\"img\" title=\"yawning face\">:yawning_face:</span></p>", "time": "2023-03-28T08:00:00Z"}, {"author": "Benjamin Schwartz", "text": "<p><span class=\"user-mention\" data-user-id=\"526\">@Richard Barnes</span> Actually I think this is only the last session of the day if you _are_ in Asian time zones.  (4 AM here.)</p>", "time": "2023-03-28T08:01:02Z"}, {"author": "Richard Barnes", "text": "<p>fair point.</p>", "time": "2023-03-28T08:01:50Z"}, {"author": "Richard Barnes", "text": "<p>i was operating on logical asian days</p>", "time": "2023-03-28T08:02:03Z"}, {"author": "Andrew Campling", "text": "<p>Don\u2019t forget the evening side meetings</p>", "time": "2023-03-28T08:03:34Z"}, {"author": "Shivan Sahib", "text": "<p>sorry forgot to thank our amazing AD as well!</p>", "time": "2023-03-28T08:04:14Z"}, {"author": "Francesca Palombini", "text": "<p>No need :) but thanks</p>", "time": "2023-03-28T08:05:26Z"}, {"author": "Shivan Sahib", "text": "<p>baby shark</p>", "time": "2023-03-28T08:07:50Z"}, {"author": "Richard Barnes", "text": "<p>:notes::notes::notes::notes::notes::notes:</p>", "time": "2023-03-28T08:08:09Z"}, {"author": "Brian Trammell", "text": "<p>\"duo\" would be dns over udp over ohttp.</p>", "time": "2023-03-28T08:08:17Z"}, {"author": "Richard Barnes", "text": "<p>how is DoOH different from ODoH?</p>", "time": "2023-03-28T08:08:40Z"}, {"author": "Benjamin Schwartz", "text": "<p><span class=\"user-mention\" data-user-id=\"526\">@Richard Barnes</span> Emphasizing that this is \"Oblivious HTTP\", not \"Oblivious DNS\" (the research project from Nick Feamster's lab that started this ball rolling a few years ago).</p>", "time": "2023-03-28T08:09:45Z"}, {"author": "Richard Barnes", "text": "<p>Thanks @Benjamin</p>", "time": "2023-03-28T08:10:00Z"}, {"author": "Christopher Wood", "text": "<p><span class=\"user-mention\" data-user-id=\"2424\">@Benjamin Schwartz</span> can you elaborate on why \"dohpath\" consistency is different here? In my view, we just need consistency across (key, path) pairs, which is not much different from consistency across key values, or consistency across (key, path, protocol, pizza topping) tuples?</p>", "time": "2023-03-28T08:15:02Z"}, {"author": "Richard Barnes", "text": "<p>@Wood - to mic?</p>", "time": "2023-03-28T08:15:45Z"}, {"author": "Yoav Nir", "text": "<p>ACME challenges are not static metadata (and they go in .well-known</p>", "time": "2023-03-28T08:16:38Z"}, {"author": "Benjamin Schwartz", "text": "<p><span class=\"user-mention\" data-user-id=\"128\">@Christopher Wood</span> dohpath isn't specified in an HTTP resource, so a consistency protocol that is based on HTTP resources can't help us.</p>", "time": "2023-03-28T08:16:51Z"}, {"author": "Christopher Wood", "text": "<p>I don't see why that matters. It's just a blob like a key, no?</p>", "time": "2023-03-28T08:17:17Z"}, {"author": "Benjamin Schwartz", "text": "<p>As an example, DoubleCheck could not be used to verify dohpath, because DoubleCheck only applies to HTTP resources.</p>", "time": "2023-03-28T08:17:58Z"}, {"author": "Christopher Wood", "text": "<p>Hmm, that seems like an implementation detail to me.</p>", "time": "2023-03-28T08:18:18Z"}, {"author": "Benjamin Schwartz", "text": "<p>DNS and HTTP being not the same protocol is an aspect of implementation, but I wouldn't call it a detail.</p>", "time": "2023-03-28T08:18:50Z"}, {"author": "Christopher Wood", "text": "<p>Sure, sure. But I don't think it would be incredibly difficult to use the same protocol to address both.</p>", "time": "2023-03-28T08:19:40Z"}, {"author": "Matthew Finkel", "text": "<p>Most of the designs could be protocol agnostic if you have a proxy that can handle the target protocol</p>", "time": "2023-03-28T08:21:08Z"}, {"author": "Benjamin Schwartz", "text": "<p>I'm not sure the designs can be protocol agnostic even in an abstract sense, because DNS and HTTP have very different expectations about authenticity.</p>", "time": "2023-03-28T08:23:34Z"}, {"author": "Benjamin Schwartz", "text": "<p>But certainly as a concrete matter, I can't use an HTTP cache (as in DoubleCheck) to verify the consistency of a DNS record.</p>", "time": "2023-03-28T08:24:16Z"}, {"author": "Christopher Wood", "text": "<p>(I think Matt is saying what I was trying to say better)</p>", "time": "2023-03-28T08:24:41Z"}, {"author": "Benjamin Schwartz", "text": "<p>FWIW, DNS is _normally_ accessed through a shared caching \"proxy\" (the recursive resolver), so depending on your threat model it may be possible to convince yourself of reasonable consistency there without really defining anything new.</p>", "time": "2023-03-28T08:27:36Z"}, {"author": "Matthew Finkel", "text": "<p>I think Ben disagrees :) but I do agree that HTTP and DNS have different expectations and practical levels of authentication. If you move everything into a HTTP substrate and limit DNS to DoH, then we have different constraints and it might be okay. If you want Do53, then you'll need some other proxy/caching resolver that can provide a similar mechanism.</p>", "time": "2023-03-28T08:27:44Z"}, {"author": "Andrew Campling", "text": "<p>Is the lack of a current perceived need to rate limits a reason not to do this now to preempt a potential future requirement?</p>", "time": "2023-03-28T08:28:35Z"}, {"author": "Andrew Campling", "text": "<p>In other words, is there any harm in doing this work?</p>", "time": "2023-03-28T08:29:56Z"}, {"author": "Ted Hardie", "text": "<p>@Andrew  I think the point he's making is that we may need to see the attack before crafting the right response.</p>", "time": "2023-03-28T08:31:01Z"}, {"author": "Christopher Wood", "text": "<p><span class=\"user-mention\" data-user-id=\"2424\">@Benjamin Schwartz</span> shame you're not here so we can hash it out in person!</p>", "time": "2023-03-28T08:31:49Z"}, {"author": "Christopher Wood", "text": "<p>(We're missing you.)</p>", "time": "2023-03-28T08:31:57Z"}, {"author": "David Schinazi", "text": "<p>Doing the adoption call SGTM</p>", "time": "2023-03-28T08:37:18Z"}, {"author": "Christopher Wood", "text": "<p>If the adoption call fails, it wouldn't prohibit another adoption call in the future, would it?</p>", "time": "2023-03-28T08:37:24Z"}, {"author": "Ted Hardie", "text": "<p>@Christopher I never heard of such a one-strike-and-you're-out principle for adoption calls.</p>", "time": "2023-03-28T08:38:04Z"}, {"author": "Richard Barnes", "text": "<p>@chris not necessarily, no</p>", "time": "2023-03-28T08:38:09Z"}, {"author": "Shivan Sahib", "text": "<p>yes</p>", "time": "2023-03-28T08:38:11Z"}, {"author": "Francesca Palombini", "text": "<p>Thank you! Bye</p>", "time": "2023-03-28T08:38:11Z"}, {"author": "Shivan Sahib", "text": "<p>it would not*, I mean</p>", "time": "2023-03-28T08:38:19Z"}]