IETF Logo Mail Archive

Re: [Add] fixing coffee shop brokenness with DoH

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 25 July 2019 02:19 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 309C412017E for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 19:19:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8r1FajaQysRO for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 19:19:11 -0700 (PDT)
Received: from mail-ua1-x933.google.com (mail-ua1-x933.google.com [IPv6:2607:f8b0:4864:20::933]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A80212015E for <add@ietf.org>; Wed, 24 Jul 2019 19:19:11 -0700 (PDT)
Received: by mail-ua1-x933.google.com with SMTP id g11so19232534uak.0 for <add@ietf.org>; Wed, 24 Jul 2019 19:19:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pa0gsjrXKUn7dI18SQUnc2zd1qW39C3E6VPxWzbdv80=; b=oS7N18K6+CvRa6su4v/Bpm9Wuj52DTuZezUzYmy+fzSeKQc7ixpm1DPisac+5U2Xfb Kt5xFOgk7Mg1aFdO/hdbwBpvx1L0qboxeddrOPuN/YCvWiISSsxT9EsChkZLDeiswgGd DmuyxKaShnRVov/th/BvCcPAqpUt0a3wWMo5s9+RlBWvbxFIgMR3SPGY69F37P7fq5Xp KwOqMsB32I8/X6cIuO2nc8Ft96hzW1C2vA/WpbPVMJc92hNEG5HgvC1q4kFMYV7uvOiu ba4LeBzicwSaGqau+Oq/rBv8JPMqUJLQrVK37BadXWZa4HTRT2Nka8VRQTr7t+5p3yBe UEpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pa0gsjrXKUn7dI18SQUnc2zd1qW39C3E6VPxWzbdv80=; b=BeczQBfDij1blC0kcEtFllSKjiKS/k3qxMDzz5oQNhbR67WFKpOZSPRf79YSoqbIbh wMW2sH5fw+BSgle61D9ryQkro1uupB/gJ9fLuR2hFuuHjd/Elh+JCRk6LdftMq1hitLu pRod3IrUIh5AKqQssqC8geKQO68u3nJbKgyzToUCFmnvDrUd0DDDyB6u6nhwwxRebpmS M/7oMsE3iT7qudXDzVb16Z0bXvn3TBm/zPWOAdN8HYToy4K5gqCy69LBJhEr5OH4oSll R2QUp2l0F84LoGYQ5YJqwoI0dnlmxUBTEt1dPVe61xAEpHD+PleGwxn9aRlGTz5N3JCN 5z6A==
X-Gm-Message-State: APjAAAXuXV0mMGcOiVcqzEcfLIYZbTN2un3/xj7Ctb2x/TTfr/8gElmo SM+U9U8pOYNw52DUcxQt1fl0RjlM4mAakPhtPzQ=
X-Google-Smtp-Source: APXvYqxnTVso5uB/h7PO9WgaqxGTjzrijBFO/cHmRCNL9jsJqrx1vbV/JoNLcYqf4SdSGvkgQ457vusZzi+HB7g1F68=
X-Received: by 2002:ab0:2994:: with SMTP id u20mr24045935uap.114.1564021150228; Wed, 24 Jul 2019 19:19:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CAChr6SzvUZS4Ru_SttiZgWtjwBuLrzc_fdewq9w-Ts+Rq_oNHw@mail.gmail.com> <9E8BD2C4-D750-4B8C-BA34-AC4425F2951D@gmail.com> <CAChr6Szo+1x6BnU2XH2A0o7CTQrQhFVPYezR7KQVLw-nWToULg@mail.gmail.com> <MN2PR21MB12134C6B57220E1B8BF5C811FAC60@MN2PR21MB1213.namprd21.prod.outlook.com> <CABtrr-Ue6rAom3ubJc_tPbn37T8HPGPabzX=CxT9UmiicbUtXQ@mail.gmail.com> <LO2P123MB22569D3F3476B913EDC8F8D69BC60@LO2P123MB2256.GBRP123.PROD.OUTLOOK.COM> <CAChr6SxV1s-6zzLw+W=QO6qZ3RcCDhR+PG0bUP4d_q+9_gOHTA@mail.gmail.com>
In-Reply-To: <CAChr6SxV1s-6zzLw+W=QO6qZ3RcCDhR+PG0bUP4d_q+9_gOHTA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 24 Jul 2019 22:18:58 -0400
Message-ID: <CAH1iCir=fbFP=Qgkrnxjdj=ASMVQ6SaBzh3Kr0D_viwQK5h8Vw@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: chris.box@bt.com, add@ietf.org
Content-Type: multipart/alternative; boundary="00000000000014a496058e780dd7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/HlKG81q7N-3WdAzIhsM0j-IEjuI>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 02:19:14 -0000

On Wed, Jul 24, 2019 at 7:40 PM Rob Sayre <sayrer@gmail.com> wrote:

> On Wed, Jul 24, 2019 at 4:53 AM <chris.box@bt.com> wrote:
>
>> This is a good point; there are valid reasons why 1.1.1.1 can be the
>> right provider for some users. Please allow me to clarify some possible
>> misunderstandings.
>>
>>
>>
>> I’m not against DoH.
>>
>> I’m not against privacy and security.
>>
>> I’m not against user choice.
>>
>>
>>
>> These are all valuable things we should strive for. Let’s do it in a way
>> that works for everyone, by identifying and documenting best practice.
>>
>
> I think the issue is that this request for collaboration can be viewed as
> a request to undermine DoH with follow-up RFCs.
>
> I understand that people come to the IETF with many different viewpoints,
> so I don't see this disconnect as a problem. But it is worth pointing out,
> and trying to understand.
>

I'll jump in ...

There are some generally positive benefits to having some (but certainly
not all) applications speak DNS natively.
(The precedent of mail transport software doing its own DNS is a good
example, including understanding why: mail software needs direct access to
e.g. MX, SPF, DMARC, and DKIM records, and to a lesser degree, PTR.)

In particular, having some applications be able to request record types
other than A/AAAA/PTR via POSIX interface (getaddrinfo/gethostby* calls) is
an important benefit; doing DNS more directly avoids having to address the
whole POSIX API thing. (That can be done at a later date, or not at all.)

Speaking "DNS" facilitates lots of very useful use cases to applications,
in particular to browsers, that are not otherwise feasible today. (E.g.
DNSSEC validation, DANE records, HTTPSVC, etc.)

However, there is no specific requirement that these applications "doing"
DNS need to bypass the ENTIRE host OS' DNS stack or avoid using other
host-local DNS services/mechanisms.
E.g. it would be reasonable to have a local forwarding-only caching server
(which forwards to a full-feature resolver, using an unspecified
transport), which better scaling attributes including cache hits, and
avoids divergent application-specific resolution including different
choices of full-feature resolver.

Also, privacy can be implemented on that caching server, by either of DoT
or DoH. There is approximately zero trade-off between the two (DoH vs DoT),
other than the larger issues (monitoring/filtering DNS resolver
destinations at a network level).

NB: the new DNS RFC for DNS stateful operations (DSO, DNS Stateful
Operations) covers a lot of the details on how clients and servers can
optimize their interactions, including (IIRC) some DoT guidance.

Some of the concerns regarding how to resolve the natural tension between
user choice, and client (host) administration, is probably better handled
by having the "user" choice be restricted (by design) to admin-priv
operations.

I would definitely prefer that DoT be the solution of choice for privacy,
primarily because it avoids almost all of the pitfalls of DoH when it comes
to any environment that relies on DNS-based security and monitoring.

There is a place for DoH, but I don't believe it should see wide deployment
in general-purpose browsers.

I have yet to see any use case other than the very specific "dissidents"
used to justify DoH.

All of the testing (which I've basically just glanced at as summary info)
suggests that DoH and DoT perform very similarly.

And, finally, from what I understand, all of the major public resolver
operators offer their services on both DoT and DoH (and v4 and v6, and in
many cases with or without filtered results).

So, in my version of a perfect world, the integrated browser DNS stack
would be:
browser <-> (local/internal loopback-type interface) <-> caching DNS
forwarder <-> (DoT) <-> {enterprise | home | public} full recursive resolver
And the browser would speak native DNS, with DNSSEC validation, DANE
support (natively, not plug-in), HTTPSSVC, CNAME/DNAME following, etc.
The caching DNS forwarder would have all the same stuff plus DNS cookies,
not do fragmentation, and potentially have multiple full resolvers
configured in a structured priority flow (not just round robin).

IMHO, this is what ADD is supposed to be about, discussion the what and the
how.

And, also IMHO, it does not preclude comparison of DoT and DoH on the
respective merits and risks/costs.

Brian
P.S. Any animosity towards DoH has very little to do with the process by
which it was developed, and everything to do with the incompatibility with
existing practices and ecosystems, especially unintended impacts. It isn't
the encapsulation of DoH that is the problem (it's slightly annoying), but
rather the re-use of port 443 instead using a dedicated port the way DoT
uses 853.

P.P.S. The responsible approach to adopting a flawed protocol, would be to
acknowledge the flaws, find a better solution, and kill it off, rather than
defend it or justify it based on sunk cost or other rationales. I would
advocate this approach even if it was my sacred cow that was being gored.

v2.23.0 | Report a Bug | By Email