Re: [Add] Mozilla's DoH resolver policy

Peter Saint-Andre <stpeter@mozilla.com> Thu, 11 April 2019 16:02 UTC

To: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, Ralf Weber <dns@fl1ger.de>, Martin Thomson <mt@lowentropy.net>
Cc: add@ietf.org
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <994839978.18707.1554973716877@appsuite.open-xchange.com>
From: Peter Saint-Andre <stpeter@mozilla.com>
Openpgp: preference=signencrypt
Autocrypt: addr=stpeter@mozilla.com; prefer-encrypt=mutual; keydata= mQINBFonEf4BEADvZ+RGsJoOyZaw2rKedB9pBb2nNXVGgymNS9+FAL/9SsfcrKaGYSiWEz7P Lvc97hWH3LACFAHvnzoktv+4IWHjItvhdi9kUQ3Gcbahe55OcdZuSXXH3w5cHF0rKz9aYRpN jENqXM5dA8x4zIymJraqYvHlFsuuPB8rcRIV9SKsvcy14w9iRqu770NjXfE/aIsyRwwmTPiU FQ0fOSDPA/x2DLjed/GYHem90C5vF4Er9InMqH5KAMLnjIYZ9DbPx5c5EME4zW/d648HOvPB bm+roZs4JTHBhjlrTtzDDpMcxHq1e8YPvSdDLPvgFXDcTD4+ztkdO5rvDkbc61QFcLlidU8H 3KBiOVMA/5Rgl4lcWZzGfJBnwvSrKVPsxzpuCYDg01Y/7TH4AuVkv5Na6jKymJegjxEuJUNw CBzAhxOb0H9dXROkvxnRdYS9f0slcNDBrq/9h9dIBOqLhoIvhu+Bhz6L/NP5VunQWsEleGaO 3gxGh9PP/LMyjweDjPz74+7pbyOW0b5VnIDFcvCTJKP0sBJjRU/uqmQ25ckozuYrml0kqVGp EfxhSKVqCFoAS4Q7ux99yT4re2X1kmlHh3xntzmOaRpcZsS8mJEnVyhJZBMOhqE280m80ZbS CYghd2K0EIuRbexd+lfdjZ+t8ROMMdW5L51CJVigF0anyYTcAwARAQABtCdQZXRlciBTYWlu dC1BbmRyZSA8c3RwZXRlckBtb3ppbGxhLmNvbT6JAlQEEwEIAD4WIQQ1VSPTuPTvyWCdvvRl YYwYf2gUqQUCWicR/gIbIwUJCWYBgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBlYYwY f2gUqdaREAChG8qU1853mP0sv2Mersns8TLG1ztgoKHvMXFlMUpNz6Oi6CjjaMNFhP7eUY4T D43+yQs7f4qCkOAPWuuqO8FbNWQ+yUoVkqF8NUrrVkZUlZ1VZBMQHNlaEwwu1CGoHsLoRohP SiZ0hpmGTWB3V6cDDK4KN6nl610WJbzE9LeKY1AxtePdJi2KM281U0Fz8ntij1jWu0gF2xU4 Sez46JDogHLWKgd0srauhcCVzZjAhiWrXp1+ryzSWYaZO8Kh8SnF1f4o6jtYikMqkxUaI5nX wvD3kNX4AMSkCAZfG7Jcfj/SLDojTcREgO87g7B9bcOOsHN4lj3lHoFV0aXpgPmjfIvAjJHu fHkXZAQAH8w0u9bgJqRn703+A4NPfLopnjegyhlNi7fQ3cMQV1H7Oj7WrB/pCcprx+1u/6Uq oTtDwWh1U5uVthVAI0QojpNWR08zABDX19TlGtVoeygaQV3CAEolxTiYQtCfVavUzUplCZ/t 3v4YiRov+NylflJd+1akyOs1IAgARf444BnoH1fotkpfXNOpp9wUXXwsQcFRdP7vpMkSCkc0 sxPNTVX3ei0QImp4NsrFdaep7LV3zEb3wkAp6KE5Qno4hVVEypULbvB0G6twNZbeRfcs2Rjp jnPb2fofvg2WhAKB20dnRfIfK8OKTD/P+JDcauJANjmekLkCDQRaJxH+ARAApPwkbOTChAQu jMvteb/xcwuL5JZElmLxIqvJhqybV7JknM+3ATyN0CTYQFvPTgIrhpk4zSn0A6pEePdK8mKK 5/aHyd7pr7rLEi1sI/X3UE8ld/E83MExksKrYbs0UX1wSQwYXU6g64KicnuP2Abqg+8wrQ18 1nPcZci9jJI75XVPnTdUpZD5aaQWGp7IJ06NTbiOk30I50ORfulgKoe4m3UfsMALFxIx3pJk oy76xC2tjxYGf+4Uq1M0iK3Wy655GrcwXq/5ieODNUcAZzvK5hsUVRodBq0Lq3g1ivQF4ba7 RQayDzlW6XgoeU49xnCr9XdZYnTnj4iaPmr2NtY6AacBwRz+bJsyugeSyGgHsnVGyUSMk8YN wZHvUykMjH21LLzIUX5NFlcumLUXDOECELCJwewui4W81sI5Sq/WDJet+iJwwylUX22TSulG VwDS+j66TLZpk1hEwPanGLwFBSosafqSNBMDVWegKWvZZVyoNHIaaQbrTIoAwuAGvdVncSQz ttC6KkaFlAtlZt3+eUFWlMUOQ9jxQKTWymyliWKrx+S6O1cr4hwVRbg7RQkpfA8E2Loa13oO vRSQy/M2YBRZzRecTKY6nslJo6FWTftpGO7cNcvbmQ6I++5cBG1B1eNy2RFGJUzGh1vlYo51 pdfSg0U1oPHBPCHNvPYCJ7UAEQEAAYkCPAQYAQgAJhYhBDVVI9O49O/JYJ2+9GVhjBh/aBSp BQJaJxH+AhsMBQkJZgGAAAoJEGVhjBh/aBSpAw0P/1tEcEaZUO1uLenNtqysi3mQ6qAHYALR Df3p2z/RBKRVx0DJlzDfDvJ2R/GRwoo+vyCviecuG2RNKmJbf1vSm/QTtbQMUjwut9mx6KCY CyKwniqdhaMBmjCfV2DB2MxxZLYMtDfx/2mY7vzAci7AkjC+RkSUByMEOkyscUydKC/ETdf9 tvI8GhTY/8Q7JSylS3lQA5pMUHiIf+KpSmqKZeBPkGc7nSKM1w1UKUvFAsyyVsiG6A/hWrTr 7tTQAl7YfjtOGE8n4IKGktvrT99bbh9wdWKZ5FdHUN9hx2Q8VP8+0lR1CH2laVFbEwCOv1vM W4cgQDLxwwpo1iOTdHBVtQDxlQ9hPMKVlB1KP9KjchxuiLc24wLmCjP3pDMml4LQxOYB34Eq cgPZ3uHvJZG309sb2wTMTWaXobWNI++ZrsRD5GTmuzF3kkx3krtrq6HI5NSaemxK6MTDTjDN Rj/OwTl0yU35eJXuuryB20GFOSUsxiw00I2hMGQ1Cy9L/+IW6Dvotd8O3LmKh2tFArzXaKLx /rZyGNurS/Go5YjHp8wdJOs7Ka2p1U31js24PMWO6hf6hIiY2WRUsnE6xZNhvBTgKOY6u0KT V6hTevFqEw7OAZDCWUoE2Ob2/oHGZCCMW5SLAMgp7eihF0kGf2S2CmpIFYXGb61hAD8SqSY7 Fn7V
Message-ID: <af5f5c76-0095-65a0-39d1-d29d4bb0e906@mozilla.com>
Date: Thu, 11 Apr 2019 10:02:45 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <994839978.18707.1554973716877@appsuite.open-xchange.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/JtCqaNEk1q850hCjBuAz9SetwgE>
Subject: Re: [Add] Mozilla's DoH resolver policy
Precedence: list

On 4/11/19 3:08 AM, Vittorio Bertola wrote:
>> Il 11 aprile 2019 alle 10.59 Ralf Weber <dns@fl1ger.de> ha scritto:
>>
>> So why not make DNSSEC validation in the resolver a requirement? It 
>> doesn’t interfere with local policy and offers significant benefits 
>> for the user. Validation in the client would be nicer, but requiring it 
>> in the resolver is a good first step.
> 
> More generally, while I understand Mozilla's desire to ensure certain standards to their users, I think it would be better to have a broader definition of what a "good resolver" is, both in terms of scope (not just privacy, but DNSSEC etc), in terms of consensus (and the effort is already ongoing in DPRIVE) and in terms of compliance: I don't know Mozilla's plans for auditing their trusted resolvers (are there any?), but it would make more sense to have an independent industry effort that certifies resolvers, rather than having each of them go through multiple accreditation processes for multiple applications, which would raise entry barriers for public resolvers and, again, promote centralization. 

We (Mozilla) do not want to encourage centralization, which is why we
have published criteria for becoming a trusted recursive resolver within
Firefox. In our conversations with various stakeholders, we have seen a
desire for the kind of industry-wide effort you mention. Although it's
too early to say whether something like that will come together, we are
very much open to discussions exploring that direction.

Peter

[Add] Mozilla's DoH resolver policy Paul Hoffman
Re: [Add] Mozilla's DoH resolver policy nusenu
Re: [Add] Mozilla's DoH resolver policy Paul Wouters
Re: [Add] Mozilla's DoH resolver policy Martin Thomson
Re: [Add] Mozilla's DoH resolver policy Ralf Weber
Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
Re: [Add] Mozilla's DoH resolver policy Jim Reid
Re: [Add] Mozilla's DoH resolver policy Ralf Weber
Re: [Add] Mozilla's DoH resolver policy Manabu Sonoda
Re: [Add] Mozilla's DoH resolver policy Valentin Gosu
Re: [Add] Mozilla's DoH resolver policy Ray Bellis
Re: [Add] Mozilla's DoH resolver policy Ralf Weber
Re: [Add] Mozilla's DoH resolver policy Daniel Stenberg
Re: [Add] Mozilla's DoH resolver policy Paul Wouters
Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
Re: [Add] Mozilla's DoH resolver policy Ralf Weber
Re: [Add] Mozilla's DoH resolver policy Vladimír Čunát
Re: [Add] Mozilla's DoH resolver policy Adam Roach
Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
Re: [Add] Mozilla's DoH resolver policy nusenu
Re: [Add] [Ext] Mozilla's DoH resolver policy Paul Hoffman
Re: [Add] [Ext] Mozilla's DoH resolver policy Peter Saint-Andre
Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
Re: [Add] [Ext] Mozilla's DoH resolver policy Brian Dickson
Re: [Add] [Ext] Mozilla's DoH resolver policy Adam Roach
Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
Re: [Add] Mozilla's DoH resolver policy Peter Saint-Andre
Re: [Add] Mozilla's DoH resolver policy Ted Hardie
Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
Re: [Add] Mozilla's DoH resolver policy Ted Hardie
Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
Re: [Add] Mozilla's DoH resolver policy Christian Huitema
Re: [Add] Mozilla's DoH resolver policy Mark Andrews
Re: [Add] Mozilla's DoH resolver policy Wes Hardaker
Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
Re: [Add] Mozilla's DoH resolver policy Vittorio Bertola
Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
Re: [Add] Mozilla's DoH resolver policy Livingood, Jason
Re: [Add] Mozilla's DoH resolver policy Salz, Rich
Re: [Add] Mozilla's DoH resolver policy Ben Schwartz
Re: [Add] Mozilla's DoH resolver policy Adam Roach
[Add] ECS privacy concerns, alternatives? Brian Dickson
Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
Re: [Add] ECS privacy concerns, alternatives? Mark Delany
Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
Re: [Add] ECS privacy concerns, alternatives? Mark Delany
Re: [Add] Mozilla's DoH resolver policy Christian Huitema
Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
Re: [Add] Mozilla's DoH resolver policy Geoff Huston
Re: [Add] Mozilla's DoH resolver policy Ralf Weber
Re: [Add] Mozilla's DoH resolver policy Paul Wouters
Re: [Add] ECS privacy concerns, alternatives? Erik Nygren
Re: [Add] ECS privacy concerns, alternatives? Joe Abley
Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
Re: [Add] ECS privacy concerns, alternatives? Joe Abley
Re: [Add] ECS privacy concerns, alternatives? Paul Hoffman
Re: [Add] ECS privacy concerns, alternatives? Brian Dickson
Re: [Add] Mozilla's DoH resolver policy Hollenbeck, Scott
Re: [Add] Mozilla's DoH resolver policy Adam Roach
Re: [Add] ECS privacy concerns, alternatives? Puneet Sood
Re: [Add] ECS privacy concerns, alternatives? Erik Kline
Re: [Add] ECS privacy concerns, alternatives? Brian Dickson