IETF Logo Mail Archive

Re: [Add] Mozilla's DoH resolver policy

Valentin Gosu <valentin.gosu@gmail.com> Thu, 11 April 2019 09:26 UTC

Return-Path: <valentin.gosu@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56D521202A4 for <add@ietfa.amsl.com>; Thu, 11 Apr 2019 02:26:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CBU20-pEGR4z for <add@ietfa.amsl.com>; Thu, 11 Apr 2019 02:26:40 -0700 (PDT)
Received: from mail-it1-x130.google.com (mail-it1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E167F1202A3 for <add@ietf.org>; Thu, 11 Apr 2019 02:26:39 -0700 (PDT)
Received: by mail-it1-x130.google.com with SMTP id y134so8449267itc.5 for <add@ietf.org>; Thu, 11 Apr 2019 02:26:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VQtoTU445NdEOLwe9xbD7yF9SvA15Bl3t1/hxvJ11MY=; b=VvJrnuz4uaJA+qlv0ztehL7noBShX51Lagyb6GB/PvZCAapotAextJBko03cwjSZ3D Rz9bRxxrfkAYpmLNs5eI+lAk6aPKVJqbNQ5hE000mVaMAX+xxXIFso9F5mFroSQp2we5 DoAMY7SkPTYYkBS2oVjXyZWOvCqAWK+l1H/g/1e/yULox8C3YJTgELKIggNWZgquqm5f uJE2/soe32XcHxpMI23frKcWPNwuTDS+RLd5dsMfl9jxd1WwjmnWkXtuc6Homxvpagi6 HtJY7s2hd3W88KKpEzwDvLkBnst7Q62eS0easACwiKeoQgkSaMeTjW+Io3c+9fXmyhhX EQkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VQtoTU445NdEOLwe9xbD7yF9SvA15Bl3t1/hxvJ11MY=; b=MXUPcZvuoobrqPSo5cr76JepRjwUPR9Iqn70bSnBWP0eSLTluFpbmG1Bt3T+HvZXDT pQVWSJ9MjzoUoeKuLJXUeeb3GrBK1a3HXwjVbjA/DQT+jMg0D/jOKM/Z13ypRmv3WKmD 7YhVhzRG9uuBt6Gp0bo5Mglzo/nvFtaQV8FI6ERSdbNFnVb3aQGgtvruq12Jg6B03Ish rz5DKsfGisas2hMujFBmrBoU0adi4BXw4zhd5oxZ1d8kipPidXL/RWKh7NT4x3Fe8fE+ syYfMSQTpBvWdxSIthluoKCUW3X5fdPTDSvvewZ12OsgUNC/O54dwSHVsqIOvN5bV2SC xBZA==
X-Gm-Message-State: APjAAAVFuCLJt+MJEt0suNFkpoWwHwRNfYjRR6uUY7fQNlWKCFH2qYK/ J6eAypWjIf+ph2zxGShUdQtdnmFSS3+BoCYDjnk=
X-Google-Smtp-Source: APXvYqzQGb7ijsvX5RTAI8L5tp3uZt39wbHVm8B4R/ifKI5eKeU6hi0+/omoNllZcKrVN55EiFW5SnrtaDPRX8GHrBI=
X-Received: by 2002:a02:62ce:: with SMTP id d197mr35484662jac.91.1554974799201; Thu, 11 Apr 2019 02:26:39 -0700 (PDT)
MIME-Version: 1.0
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <CACQYfiJa1i2LVgQDcHi_OknmDDKZiaw=++Y6imn34LcPULP3bQ@mail.gmail.com> <E0CA1520-74D4-4A41-9B44-10946FAB4534@fl1ger.de>
In-Reply-To: <E0CA1520-74D4-4A41-9B44-10946FAB4534@fl1ger.de>
From: Valentin Gosu <valentin.gosu@gmail.com>
Date: Thu, 11 Apr 2019 11:26:28 +0200
Message-ID: <CACQYfiKeh=FgmB9RN=eJ-2tq4jyTg55fep4au9SeGe3U5VkMBQ@mail.gmail.com>
To: Ralf Weber <dns@fl1ger.de>
Cc: add@ietf.org, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="0000000000008a89e405863dc899"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/PDtZ6C9SI0ufXtsbupaXRkqvBqI>
Subject: Re: [Add] Mozilla's DoH resolver policy
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 09:26:42 -0000

On Thu, 11 Apr 2019 at 11:15, Ralf Weber <dns@fl1ger.de> wrote:

> Moin!
>
> On 11 Apr 2019, at 11:04, Valentin Gosu wrote:
>
> > On Thu, 11 Apr 2019 at 10:59, Ralf Weber <dns@fl1ger.de> wrote:
> >
> >> Moin!
> >>
> >> On 11 Apr 2019, at 5:12, Martin Thomson wrote:
> >>> We don't believe that DNSSEC is essential to our primary goals,
> >>> which
> >>> are improving privacy of browsing activity.  As a browser, we can't
> >>> condition our behaviour on whether DNSSEC was present and valid for
> >>> a
> >>> variety of reasons (some of which we might discuss separately), but
> >>> we
> >>> do value resolvers that perform DNSSEC validation.
> >> So why not make DNSSEC validation in the resolver a requirement? It
> >> doesn’t interfere with local policy and offers significant benefits
> >> for the user. Validation in the client would be nicer, but requiring
> >> it
> >> in the resolver is a good first step.
> >>
> >
> > Because at the moment a DNSSEC failure response from the DoH server is
> > identical to an NXDOMAIN response, which causes us to fallback to
> > regular
> > DNS anyway.
> No it is not. These are different RCODES.
>

Sorry for the confusion, I meant SERVFAIL.


> > See https://bugzilla.mozilla.org/show_bug.cgi?id=1525854
> The problem is to decide between SERVFAIL error caused by network events
> or a SERVFAIL by DNSSEC. That is a problem, but if your network or your
> resolvers network is bad why would you fallback to an insecure mechanism
> anyway?
>

To prevent disruptions to the user's browsing.

v2.23.0 | Report a Bug | By Email