IETF Logo Mail Archive

[Add] point of deploying DoH in access network (Re: meeting hum: should the IETF take up this work?)

神明達哉 <jinmei@wide.ad.jp> Thu, 01 August 2019 18:38 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BD4F1201B3 for <add@ietfa.amsl.com>; Thu, 1 Aug 2019 11:38:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.694
X-Spam-Level:
X-Spam-Status: No, score=-1.694 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.201, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZDiK1qXWvz2Y for <add@ietfa.amsl.com>; Thu, 1 Aug 2019 11:38:45 -0700 (PDT)
Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 178801201DA for <add@ietf.org>; Thu, 1 Aug 2019 11:38:23 -0700 (PDT)
Received: by mail-wm1-f43.google.com with SMTP id 207so65599770wma.1 for <add@ietf.org>; Thu, 01 Aug 2019 11:38:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9HZc1kxHLDJ77gV+WQ1ngakleVfOOOY/03CtiPpqDBU=; b=r0t07v1/bs2MYNYs8tsGVBYT6DVX6tgG9qNboDm1PRXxT6a1kmS/TDv73Om3rTMRdx lmQMazVdzZfsUKw8eleWxBxJ+dnAaKwJ4L0jxyyflpqFzwCHemwWe6dyTF5gOx9Vcu8F g9fkhnvT0c6/K4Svp4e9I3614yjwvpYuOrMjRC241YW6Ev6N44tNDvMVFMtsJctcM+HN Ugq176XqQjmTrr5UfMxQqEJSgVMDDtmw45BUYUiyVJUj90Jd5gIDZPUneIkq0M7t0X07 rIc9YeYAdXAv/NIiTNulX5aFvQnco91YmmjGJUOxZO7C0AkN3Y7DPerjqUZA2lplH0sZ yxRg==
X-Gm-Message-State: APjAAAWT0iZpHeDNllrleyA3oyWXARcZKUjss26Ttr68GGTS6PnXjjAm f0lYVAYYAvLfmwJB5FwmwwqguniVW2DD69wR+2g=
X-Google-Smtp-Source: APXvYqxoOssQvN7Jcb7rzJEW4pQrRU1fVELwp1/GxPRPDp4V64QRPucV3HFkTS6gmw8wIj/zDjB0t1Eb0pvT2fkGBfg=
X-Received: by 2002:a05:600c:224d:: with SMTP id a13mr135953wmm.62.1564684701220; Thu, 01 Aug 2019 11:38:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <20190724171549.GD29051@laperouse.bortzmeyer.org>
In-Reply-To: <20190724171549.GD29051@laperouse.bortzmeyer.org>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Thu, 01 Aug 2019 11:38:10 -0700
Message-ID: <CAJE_bqf=9r5yvCMY+CGuXMQBCNY+a-RFQTzjJ83wOtawhUHR0g@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: "STARK, BARBARA H" <bs7652@att.com>, "add@ietf.org" <add@ietf.org>, Barry Leiba <barryleiba.mailing.lists@gmail.com>, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000cd473a058f128b56"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/4CPhI7XUIjfbw-hLlRTu1i7B3wk>
Subject: [Add] point of deploying DoH in access network (Re: meeting hum: should the IETF take up this work?)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 18:38:47 -0000

At Wed, 24 Jul 2019 13:15:49 -0400,
Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:

> > I’m also trying to understand why there seems to be resistance to
> > providing ISPs with advice on deploying DoH.
>
> I'm tempted to say that I don't see the point for an access network to
> deploy DoH. If the network is safe, DoH is not really necessary
> (paranoid may use DoT, since the access network can ensure that port
> 853 is clear). If it is not, for instance because the resolver
> modifies the answers, then users will want to bypass it, anyway.
>
> My guess is that DoH operators will be different from access network
> operators.

I've been wondering about this, too.  Although DoH has some other
(potentially) cool features like "push", my understanding is that its
primary and much more important purpose is to hide DNS resolution
attempts in a normal HTTPS connection that is also used for normal,
popular web services.  And (again in my understanding) the point here
is to make it very hard and mostly impossible for an intermediate
player to even block the resolution (because such a player can't do
this without also blocking the "popular web service", which such a
player is assumed to not want/afford to do).  I don't see why a
resolver in "an access network" needs this capability.  Could someone
enlighten me about what I'm missing?

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email