Re: [Add] Mozilla's DoH resolver policy

"Martin Thomson" <mt@lowentropy.net> Thu, 11 April 2019 03:12 UTC

Message-Id: <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com>
In-Reply-To: <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca>
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca>
Date: Wed, 10 Apr 2019 23:12:06 -0400
From: Martin Thomson <mt@lowentropy.net>
To: add@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/HzpOrG02kWGQbbRP77usBHSNdJY>
Subject: Re: [Add] Mozilla's DoH resolver policy
List-Id: Applications Doing DNS <add.ietf.org>

On Thu, Apr 11, 2019, at 03:27, Paul Wouters wrote:
> On Wed, 10 Apr 2019, nusenu wrote:
> 
> > Paul Hoffman wrote:
> >> Of likely interest to this group:
> >>    https://wiki.mozilla.org/Security/DOH-resolver-policy
> >
> > I'm surprised they don't include DNSSEC in their requirements
> > for DoH server operators aiming to join their TRR program
> 
> Same here, although one can argue DNSSEC is just core standard DNS so
> they do not need to mention it. Whereas query minimization is still
> fairly new.

We don't believe that DNSSEC is essential to our primary goals, which are improving privacy of browsing activity.  As a browser, we can't condition our behaviour on whether DNSSEC was present and valid for a variety of reasons (some of which we might discuss separately), but we do value resolvers that perform DNSSEC validation.  Requiring query minimization is in keeping with the privacy goal, whereas DNSSEC requirements would expand the scope more than we were comfortable with.