IETF Logo Mail Archive

Re: [Add] Practical Observations from Encrypted DNS Deployments by Network Operators

Vittorio Bertola <vittorio.bertola@open-xchange.com> Tue, 21 July 2020 08:55 UTC

Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41BDA3A16EB for <add@ietfa.amsl.com>; Tue, 21 Jul 2020 01:55:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y2tJdEhccgtl for <add@ietfa.amsl.com>; Tue, 21 Jul 2020 01:55:27 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68BAD3A159B for <add@ietf.org>; Tue, 21 Jul 2020 01:55:27 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id 4C8026A230; Tue, 21 Jul 2020 10:55:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1595321725; bh=pvC/iVv/KJ/l0Vi+C9ECtXBUpm7EnVhN63a/UcWB00U=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=h/1QJK3rmUI2Ki5sgRlVKpf336jq/LPhGxmllPe7LBWR37ymlADBqx5/7NOvomAxW jQVK/3BKOWLXIonsrThC0I6rTNmtECxOtklSGbwcKVgPms+/DGhpkCfgFHFvVG2hsm rwEimFIsyWyd6cFjal0rVZIx7eEW6e0S1vWsfXk3riNoZ+ETaLhoSAEqcVLgu1Yp9m F+wdEWutODKQGzNbZV1UTS8TK18PLjakbHVMwC0DY6gC1sxPZOXITv31KnY73bOMTI u/2ylZ1d/c5jJX/YtIDd/ipEZxyC/SUZ/AhOIVr/h3PHQHRZKT7orReVSdsnhZj3je tr0KQOCNE5Vsg==
Received: from appsuite-gw1.open-xchange.com (appsuite-gw1.open-xchange.com [10.20.28.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 3E43F3C0330; Tue, 21 Jul 2020 10:55:25 +0200 (CEST)
Date: Tue, 21 Jul 2020 10:55:24 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "add@ietf.org" <add@ietf.org>
Message-ID: <1848099210.1572.1595321725155@appsuite-gw1.open-xchange.com>
In-Reply-To: <CABcZeBM_UuBQCJZ6ofZaXGgqMac1xOQp6cQG15Rkq22KRAyuMw@mail.gmail.com>
References: <LO2P265MB0573E407D5384A82FA96D094C27E0@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <0d768d14-0a11-46fa-8ff8-1b63c578df2a@www.fastmail.com> <LO2P265MB057367F869D954239D4A94C8C27B0@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <CABcZeBMyBGq9j90zOE4HuEU4HQNKoxSBsxqy7imeHKE5=WA++w@mail.gmail.com> <LO2P265MB0573B4514852D705D2209EB0C27B0@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <CABcZeBM_UuBQCJZ6ofZaXGgqMac1xOQp6cQG15Rkq22KRAyuMw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1570_1373817735.1595321725136"
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.3-Rev17
X-Originating-Client: open-xchange-appsuite
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/RR2He2RInKzRSGj4nPNEVLixMBc>
Subject: Re: [Add] Practical Observations from Encrypted DNS Deployments by Network Operators
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 08:55:29 -0000


>     Il 21/07/2020 02:43 Eric Rescorla <ekr@rtfm.com> ha scritto:
> 
> 
>     So the idea here would be to have a mechanism which enabled Do[TH] but
>     bypassed the CPE, correct? So, it would be something that one deployed
>     at the ISP's recursive and that we just expected the CPE to pass on?
>     It seems like the primary requirement there would be for something which
>     had a very high chance of passing through existing CPE.
> 
> 
>     With that said, I have some concerns about the objective of having the
>     CPE in the user's resolution path.
> 
I just want to note that the mechanism described in the draft I recently posted ( https://datatracker.ietf.org/doc/draft-cook-doh-discovery-trial/?include_text=1 ) only goes through the CPE via Do53 in the discovery phase, then the DoH TLS connection bypasses the CPE and goes directly to the main resolver.

For ISPs and vendors that do filtering and other DNS-based services on the main recursor platform, this would be enough to let the current functionalities continue working.

Also - to a point by Kenji - you can't do that by picking from a finite set of preconfigured filtering options, e.g. "http://family-safe-strict.doh.isp.net ,http://family-safe.doh.isp.net ,http://doh.isp.net ", because current solutions offer complete control to end-users over the filtering configuration for each single device, even to the level of blocking or allowing individual domains if they like. There are people using filtering for purposes unrelated to parental control, for example SMBs blocking access to social media from the office during working hours.

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com mailto:vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy

v2.23.0 | Report a Bug | By Email