Re: [Add] publication of DoH Resolver policies

"Winfield, Alister" <Alister.Winfield@sky.uk> Tue, 28 May 2019 16:36 UTC

From: "Winfield, Alister" <Alister.Winfield@sky.uk>
To: ADD Mailing list <add@ietf.org>
Thread-Topic: [Add] publication of DoH Resolver policies
Thread-Index: AQHVFWwndNASf9AAW0ug5KjFkEe7HKaAzM0A
Date: Tue, 28 May 2019 16:36:06 +0000
Message-ID: <1DC2682D-1A1F-4B5B-BB49-B2DAAD8E7E7D@sky.uk>
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <410f4e4d-aee0-d679-b454-6576de90b21a@nomountain.net> <76EF5603-618C-4A73-A4F9-7489B73B0757@nbcuni.com> <9ad7aa89-d751-e4c6-dede-e9c22faf6d20@nomountain.net> <525969024.22086.1558949269703@appsuite-gw1.open-xchange.com> <CAFpG3gdGpD+jpdChk4zeee+2Mh13mFuPK8kLxmx8DrRZYdy6pw@mail.gmail.com> <11C1E629-A2AE-468E-99B3-C2BBF9E4AE7C@rfc1035.com> <CAFpG3gdwBHoED-TXL3_2ksx-DPd7oRtaUD-FYyfz8yYvdw_Z8A@mail.gmail.com> <254F5605-B346-4AE1-A1A3-6D27AB76B18F@cable.comcast.com>
In-Reply-To: <254F5605-B346-4AE1-A1A3-6D27AB76B18F@cable.comcast.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Ssj_0Df2-frz6_ws8E2WtG6dlYc>

It would be wonderful if every malicious domain were known prior to its use; sadly, except where a DGA is known, that’s not the case. So it can be useful to have a little historic information to see the extent of the issue once it’s become known.

It’s also true that with performance issues, unless they are very obvious (e.g. impacting, say, Facebook, Google, Amazon, etc.), operators necessarily rely on analytics or on customers to complain. Given that issues can be transient or periodic, only a historic record can provide insight into the root cause.

Alister

From: Add <add-bounces@ietf.org> on behalf of "Livingood, Jason" <Jason_Livingood@comcast.com>
Date: Tuesday, 28 May 2019 at 16:43
To: tirumal reddy <kondtir@gmail.com>, Jim Reid <jim@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
Subject: Re: [Add] publication of DoH Resolver policies

First – thanks for the pointer!

Comment – things like ‘logging’ seem very binary. What about default logging = no except if FQDN = malware C&C, in which case yes (to support notifying the end user of infection)?

From: Add <add-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
Date: Monday, May 27, 2019 at 9:12 AM
To: Jim Reid <jim@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
Subject: Re: [Add] publication of DoH Resolver policies

On Mon, 27 May 2019 at 16:53, Jim Reid <jim@rfc1035.com> wrote:
On 27 May 2019, at 11:59, tirumal reddy <kondtir@gmail.com> wrote:
>
> If the DOH server provided by the network offers the same level of privacy preserving data policy as the DOH server pre-configured in the browser, Why shouldn't the browser use the network provided DOH server ?

How could the browser tell that both DoH servers have the same policy?

How does the browser (or anything else for that matter) know what some arbitrary DoH server’s privacy preserving data policy is? Where will this be documented and published in a way that a web-based application or the end user can understand and then make an informed choice?

https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-03#section-10 defines a new privacy certificate extension that identifies the privacy preserving data policy of the DNS server; it is in a machine-parsable format.


Now rinse and repeat that for other server-side policies: data retention, GDPR compliance, DNS filtering/blocking, TLS session resumption, ECS behaviour, QNAME minimisation, NXDOMAIN rewriting, query-related adware, etc, etc.

Oh, and if some DoH server says “I do QNAME minimisation” (say), does the browser or end user simply take that on trust or would they somehow be expected to verify that for themselves?

The end user typically does not trust the DOH server in an untrusted network (e.g. a public WiFi network) and may only use the DOH server provided by a trusted network (e.g. Enterprise, secure home networks), similar to the way users disable the VPN connection in specific networks and enable the VPN connection by default in other networks for privacy. In addition, the privacy extension includes a URL that points to the security assessment report of the DNS server by a third party auditor.

Cheers,
-Tiru