IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Eric Rescorla <ekr@rtfm.com> Tue, 16 July 2019 14:22 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF00412012A for <add@ietfa.amsl.com>; Tue, 16 Jul 2019 07:22:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXAeUVik38H3 for <add@ietfa.amsl.com>; Tue, 16 Jul 2019 07:22:08 -0700 (PDT)
Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C36CF120086 for <add@ietf.org>; Tue, 16 Jul 2019 07:22:07 -0700 (PDT)
Received: by mail-lj1-x243.google.com with SMTP id k18so20141593ljc.11 for <add@ietf.org>; Tue, 16 Jul 2019 07:22:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tGk9yeUeQ69ACsfHtZziKsCI6UAgA8PcFGEpHqKiEbc=; b=BN9vAbzk8whmtUbhFdP1D94zjEw+ldOfNDJYSf3f2qTPYeOgLFXHvGQlx23KsP8JrV zzoM69XnhGJDVRkk28HsuSLGPNmrw7/qyKAxOi8gevU3GlD5PJE+cPFjVsnoGT9I52wh Wez+NW3grf0TYx4gn8w0CCp+F+jQCpCakd0gQAHjFM96kroLFPz4NfC2vO9y3EgTp1xv WXX10aF98haAXsHnsLaFaJ8nBF5P1q9oTeexjfIzdOhGhbtbuHZLZXSvWMFBd08UJeA0 RTKeT0UOOOjb9DCuiL6OhpA3FnoZ5x0byUChS4/E+pFYNGBXxD/uokW6u2f+ta/3OBV7 2GPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tGk9yeUeQ69ACsfHtZziKsCI6UAgA8PcFGEpHqKiEbc=; b=eCMkleggNz4ddAvH9BRM4Tp6heJQwin5CC9EnSlxNmP+1pT9s8s+0oSCC47mD47i7x UdKnLBx+zRgrMyIay+0pOUq384bQv/ozTEQgb/bd1lc3VCsuk3R/wLQBzBofS+KCLaVw cNLIgCgzRCaMEVAgIXFQAXh4B1uWBJ5IUHRv3x9EVWE44rabY99PX0UXKKux+jn/YCNP 3ocQmlUWK4apPVYcyd9dzqNnM2O5gV+vNw9aaQOyK1ONbwx4eUqbRIjbCJbwFWVnXZcA xK+tO/hraVqhpT1aCh1kCnZbEtkRWEgDkGpcZqYnRjgkP0Mnsj37S4sbCuQmvhLCWoTZ sMFA==
X-Gm-Message-State: APjAAAWnAwNe1/JUFfWfXmISEiQ5xmbCIivlash7wE32+J6B2xOTKD3q CXy37Gs2asFxN0cxuqu3M2w6tlOT9OuAFgmE/yQ=
X-Google-Smtp-Source: APXvYqwDj+ajAvGgjh8faWBoVG4uUXTMpYhZy60mG1js5CCKqTCYRX1jx5E0UKd4oWO9clXvgdyP2Uh8H7WmjLkXQ3A=
X-Received: by 2002:a2e:9cd4:: with SMTP id g20mr16814580ljj.205.1563286925975; Tue, 16 Jul 2019 07:22:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com>
In-Reply-To: <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 16 Jul 2019 07:21:28 -0700
Message-ID: <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com>
To: Alec Muffett <alec.muffett@gmail.com>
Cc: "Dixon, Hugh" <Hugh.Dixon@sky.uk>, add@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e7c6e2058dcd193d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/LuBmRkx7TttdfKgdHgpZQb6W_dw>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 14:22:10 -0000

Hi Alec,

This is a good question.

As I alluded to in my response to Robert Sayre, DoH has a difficult
deployment problem. Specifically, whether we like it or not, there are
some environments in which DNS filtering is in place and the user
wants it that way (parental [0] or anti-malware filtering are good
examples of this).

Now, this isn't an issue for a situation in which the user has
explicitly enabled DoH with a preference or setting, because the user
has indicated they want that (just as if they installed a VPN). And I
agree that if the user has done that, then the client should insist on
DoH whatever the local network environment. This is more analagous
to the TLS 1.3 case where we know that the user wants TLS.

The more difficult situation, however, is if you want to switch the
client's defaults, in which case you risk changing the user's
experience in a way they didn't want, which is also suboptimal.  So,
it would be good to determine when that is the case and avoid doing
it/warn the user/something. In some cases, it's possible to do this in
a secure way (e.g., see if there are enterprise settings for a
specific resolver), but sometimes there is no local setting and I'm
not aware of a secure way to detect that case (I agree that the
mechanism in this draft is insecure). In this case, the problem seems
more difficult.

In any case, hopefully this clarifies the situation. If you have
good ideas for the best way to address the problem, I would certainly
be interested.

-Ekr


[0] We can debate who the user in parental controls cases is, but
general the parent is the one who owns the device.


On Tue, Jul 16, 2019 at 4:26 AM Alec Muffett <alec.muffett@gmail.com> wrote:

> On Tue, 16 Jul 2019, 11:31 Dixon, Hugh, <Hugh.Dixon@sky.uk> wrote:
>
>> Hi Alec –
>>
>
> Hi Hugh!
>
> Given that this is at its core (just) a protocol for asking (any) DNS
>> server whether it has a filtering policy, won’t “non-compliant software”
>> will be the sort of software which does not beacon?
>>
>
> That's kinda the whole point; the problem is that innocent people might
> try using Firefox to access Twitter from Turkey during a civil rights
> crackdown, their Firefox-implementing-this-mechanism will give them away as
> trying to evade Government blocking of Twitter, and they will end up
> arrested or worse.
>
> Not everyone is in a position to welcome or appreciate upstream DNS
> filtering "for their own good" - for instance, this example from Turkey:
>
>
> https://www.mic.com/articles/85987/turkish-protesters-are-spray-painting-8-8-8-8-and-8-8-4-4-on-walls-here-s-what-it-means
>
> It would seem regressive of Mozilla's principles to assist someone getting
> identified & thrown in jail for non-compliance with repressive blocking;
> not to mention - to repeat - the other obvious possibility is that any IP
> address which beacons-out a lookup of TBD.arpa will immediately be
> blackholed / firewalled, again to dissuade people from fact-checking their
> government's spokespeople.
>
> Or, perhaps you would consider this non-compliant-behaviour, worthy of
> such sanction?
>
> - alec
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email