IETF Logo Mail Archive

Re: [Add] Mozilla's DoH resolver policy

Wes Hardaker <wjhns1@hardakers.net> Fri, 12 April 2019 23:44 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E38EF120412 for <add@ietfa.amsl.com>; Fri, 12 Apr 2019 16:44:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SR0rEEBMFCKb for <add@ietfa.amsl.com>; Fri, 12 Apr 2019 16:44:19 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 566F2120348 for <add@ietf.org>; Fri, 12 Apr 2019 16:44:19 -0700 (PDT)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id B8E2E20DA7; Fri, 12 Apr 2019 16:44:18 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Christian Huitema <huitema@huitema.net>
Cc: Wes Hardaker <wjhns1@hardakers.net>, Ted Hardie <ted.ietf@gmail.com>, add@ietf.org, Peter Saint-Andre <stpeter@mozilla.com>
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <994839978.18707.1554973716877@appsuite.open-xchange.com> <af5f5c76-0095-65a0-39d1-d29d4bb0e906@mozilla.com> <ybl36mn8b54.fsf@w7.hardakers.net> <f9d0cd98-db0c-7f42-d351-d9a5002c4765@mozilla.com> <CA+9kkMAobw2giYO=8pbLVi4ms0Ru+nYwhV5DGxLCwaUdX6EQyQ@mail.gmail.com> <yblv9zj5591.fsf@w7.hardakers.net> <CA+9kkMBMehkz3NbytL+vfDh+SwhW9At_q7oBL8a7XSEiSSrNwA@mail.gmail.com> <yblr2a651zv.fsf@w7.hardakers.net> <4203E588-C6CE-44AD-AB26-FDD9AEED587F@huitema.net>
Date: Fri, 12 Apr 2019 16:44:18 -0700
In-Reply-To: <4203E588-C6CE-44AD-AB26-FDD9AEED587F@huitema.net> (Christian Huitema's message of "Fri, 12 Apr 2019 15:16:39 -0700")
Message-ID: <yblk1fyn60d.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/OL8oTM6llH1DCvDOUI_YZdFNzpI>
Subject: Re: [Add] Mozilla's DoH resolver policy
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 23:44:21 -0000

Christian Huitema <huitema@huitema.net> writes:

> > Which clearly shows that between the above three, they're willing to
> > sacrifice some level of authenticity to achieve better latency and
> > privacy.  Note, though, that this choice isn't wrong.  It's a choice.  I
> > may choose a different one, as may others.  And I'm more than sure my
> > list above is incomplete from an ideological stand point; it just
> > happens to be the three biggest I could think of.
> 
> On the other hand, DNSSEC does not guarantee authenticity either. It
> guarantees that the mappings of name to IP address is authentic, but
> that's not the same thing as guaranteeing that the connection actually
> terminates at the authentic end point. There could well be a NAT
> somewhere that translates the IP address and delivers the packets to a
> different server. See for example the many cases of rerouting 8.8.8.8
> traffic to a different server.

Yes, you're absolutely right.  There are a ton of layers of the protocol
stack that get involved, and attacks at any point along the way can
break the connection so it becomes unusable.  Without DNS security, may
never get to the right place.  Without routing security, you may never
get to the right place.  Without TLS security, you may never get to the
right place.  If you don't type things properly, you may get to the
wrong place.  Protecting all layers increases your odds that you're
getting to the right place.  If you only check the highest layer (and
you trust it implicitly) you still may be misdirected at other layers,
causing client failures that may have been avoidable.

> Arguably, once you have HTTPS and authenticate the server, then DNSSEC
> does not provide any additional guarantee.

That is one view, yes.  As I said in my previous note about other
choices: it's not wrong!  You're prioritizing your needs and tradeoffs,
however, and others may have different prioritization.  Its in this
selection of trade-offs that we seem unable to help users make informed,
personal decisions.

-- 
Wes Hardaker
USC/ISI

v2.23.0 | Report a Bug | By Email