Re: [Add] Mozilla's DoH resolver policy

Ben Schwartz <bemasc@google.com> Tue, 16 April 2019 18:20 UTC

In-Reply-To: <9FDAE487-6E98-4332-BB57-A626A02A6402@cable.comcast.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 16 Apr 2019 14:20:28 -0400
Message-ID: <CAHbrMsDqh4cf3hYKoir6h3ykV7QiCk1yTXYX7s0x2p7e9A=qqg@mail.gmail.com>
To: "Livingood, Jason" <Jason_Livingood@comcast.com>
Cc: Peter Saint-Andre <stpeter@mozilla.com>, "add@ietf.org" <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Ea_LHEWbfJWCudJ1PJeJQeUvan0>

On Tue, Apr 16, 2019 at 12:00 PM Livingood, Jason <Jason_Livingood@comcast.com> wrote:

> And for ease of any replies, I have a separate question on CDN
> localization via ECS. The 6th privacy requirement suggests that ECS cannot
> be used unless there is encryption between the resolver and the
> authoritative server, presumably via DoT. This suggests that the privacy
> concern isn't that the network/geographic hint provided by ECS is
> problematic in and of itself, but that it should not be observable along
> the network path used in recursion.
>
> But if TRR-to-auth recursion is not available via DoT, I wonder what the
> recommended mechanism is for providing a more privacy-protective
> network-geographic hint to an authoritative server, in order for example
> for a CDN to dynamically respond with a localized response. Maybe something
> new needs to be standardized? What options do folks suggest?
>

The "exit IP" of a widely-distributed large-scale resolver service is such
a network-geographic hint, with the level of granularity (and privacy)
depending on the scale and architecture of the resolver service.

I think the question of whether we can improve on ECS is interesting, but I
would encourage you to follow up in DPRIVE or DNSOP, rather than this ADD
list, since that question is equally relevant regardless of whether the
query is originated by an application.

Thanks
> Jason