Re: [Add] meeting hum: should the IETF take up this work?

[Tommy Jensen <Jensen.Thomas@microsoft.com>]

> The IETF shouldn't take up work in reaction to non-technical (aka "policy") concerns about imminent deployment of an approved RFC

Those "non-technical" concerns have technical impact, so I fail to see why. DNS server feature discovery protocols, DoH enhancements, and DoH versus DoT preference are all technical topics in the IETF right now that would benefit from the "non-technical" perspective being brought up by many of us.

> Mozilla's presentation accurately stated that DNS is no longer an effective control surface. It can't be, given that HTTPS is ubiquitous, and one can use it to tunnel any protocol.

Michael summarizes my thoughts very well below. To that I'll add: DoH blocks middle boxes from exerting control, but changes nothing about how the RR the stub is reaching out to can exert control. For example, users of Quad9 and CleanBrowsing can use DoH today and are obviously still benefitting from DNS control via content filtering and malware avoidance. Nothing stops app-trusted DoH providers from doing the same thing.

Thanks,
Tommy
________________________________
From: Add <add-bounces@ietf.org> on behalf of Michael Sinatra <michael@brokendns.net>
Sent: Tuesday, July 23, 2019 3:35 PM
To: Rob Sayre <sayrer@gmail.com>; add@ietf.org <add@ietf.org>; Barry Leiba <barryleiba.mailing.lists@gmail.com>
Subject: Re: [Add] meeting hum: should the IETF take up this work?

On 7/23/19 3:09 PM, Rob Sayre wrote:
> Hi,
>
> The IETF shouldn't take up work in reaction to non-technical (aka
> "policy") concerns about imminent deployment of an approved RFC. In this
> case, it's DoH (https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc8484&amp;data=02%7C01%7CJensen.Thomas%40microsoft.com%7C557e447caa8e4c0195c108d70fbe22b1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636995181625289666&amp;sdata=C13WKC4in7qwck%2BzNF3v3TJMreWx%2BiOAaYqI2KFkAHc%3D&amp;reserved=0).
>
> Mozilla's presentation accurately stated that DNS is no longer an
> effective control surface. It can't be, given that HTTPS is ubiquitous,
> and one can use it to tunnel any protocol.

1. A primary motivation, according to previous discussions on this and
other mailing lists, for DoH is predicated on the *significant
effectiveness* of DNS filtering by oppressive governments.

2. A number of us have pointed out that DNS filtering is commonly used,
also quite effectively, by good guys, and that using DoH by default can
create noticeable collateral damage.

3. You have stated that DNS filter was never that effective, which then
calls into question the primary motivation for DoH.  See #1.

Such an argument--that DNS filtering works for bad uses but doesn't work
for good uses--uncannily mirrors the argument for weakening encryption:
Terrorists won't be able to use encryption, but law-abiding citizens can
still rest assured that online banking and e-commerce will be *just as
secure* as it was before encryption protocols were watered down with
backdoors.

Neither argument holds much water.

michael

--
Add mailing list
Add@ietf.org
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fadd&amp;data=02%7C01%7CJensen.Thomas%40microsoft.com%7C557e447caa8e4c0195c108d70fbe22b1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636995181625299654&amp;sdata=GvxuxPRLLV8sLJDeGAfEkdzGH7QGGfVnhUVQL2xMnmY%3D&amp;reserved=0