IETF Logo Mail Archive

Re: [Add] Mozilla's DoH resolver policy

Christian Huitema <huitema@huitema.net> Fri, 12 April 2019 22:16 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1F601200C1 for <add@ietfa.amsl.com>; Fri, 12 Apr 2019 15:16:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FCtym4svxYWc for <add@ietfa.amsl.com>; Fri, 12 Apr 2019 15:16:57 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5DF7120086 for <add@ietf.org>; Fri, 12 Apr 2019 15:16:56 -0700 (PDT)
Received: from xsmtp03.mail2web.com ([168.144.250.223]) by mx105.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1hF4Tc-0004h0-Vd for add@ietf.org; Sat, 13 Apr 2019 00:16:55 +0200
Received: from [10.5.2.18] (helo=xmail08.myhosting.com) by xsmtp03.mail2web.com with esmtp (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1hF4TV-00051s-3V for add@ietf.org; Fri, 12 Apr 2019 18:16:50 -0400
Received: (qmail 10891 invoked from network); 12 Apr 2019 22:16:41 -0000
Received: from unknown (HELO [192.168.1.101]) (Authenticated-user:_huitema@huitema.net@[172.56.42.204]) (envelope-sender <huitema@huitema.net>) by xmail08.myhosting.com (qmail-ldap-1.03) with ESMTPA for <stpeter@mozilla.com>; 12 Apr 2019 22:16:41 -0000
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Christian Huitema <huitema@huitema.net>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <yblr2a651zv.fsf@w7.hardakers.net>
Date: Fri, 12 Apr 2019 15:16:39 -0700
Cc: Ted Hardie <ted.ietf@gmail.com>, Peter Saint-Andre <stpeter@mozilla.com>, add@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4203E588-C6CE-44AD-AB26-FDD9AEED587F@huitema.net>
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <994839978.18707.1554973716877@appsuite.open-xchange.com> <af5f5c76-0095-65a0-39d1-d29d4bb0e906@mozilla.com> <ybl36mn8b54.fsf@w7.hardakers.net> <f9d0cd98-db0c-7f42-d351-d9a5002c4765@mozilla.com> <CA+9kkMAobw2giYO=8pbLVi4ms0Ru+nYwhV5DGxLCwaUdX6EQyQ@mail.gmail.com> <yblv9zj5591.fsf@w7.hardakers.net> <CA+9kkMBMehkz3NbytL+vfDh+SwhW9At_q7oBL8a7XSEiSSrNwA@mail.gmail.com> <yblr2a651zv.fsf@w7.hardakers.net>
To: Wes Hardaker <wjhns1@hardakers.net>
X-Originating-IP: 168.144.250.223
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5heXGUEY33L3SuqRq/B1/dh602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO+ST6QJhH22IyI7Z98CXHvxVMZsRZacTbJPGp/MBC6Bx6aCbZ2c6nJLU4YlvYWJk6Eh5 mNm/WjPqhYqCeBiCKwwnRtk/d5gNfEtjtud5V8jp1xqbZLEGLaCXe0cUig+3Ox/TBCf6oYXAWGet lavcAjD9ytQxIHf9lN5jjLJaPK8l4YBmPrqPoeRXD34azf1rYZv5uZUEePrXZkexHL9EC3AAJAfA 9MMVcQ9WVjD1q+Rbd9IPG/DQ2p+GU04sTuYFs91jhnM/Mbva2XLV/LIEzaKyLm0zESXAkIAT8ZKA DvsGI5uh86ZVnyOrYkLMWyEaRt9fxN2oReTDHAyOynaY0CmHJLVH4DfVNbPXJmiLfub/IRFsicyJ MEhQFtD8PLoiniWmsFByBoXAuCZEyg59LM/9rUJrEbVA84BZVscMTXpbpuxXJTL417vaJWq5kk+j cuidX4Ts4xdG+C13IyWeZaJ+GOjRbZsGJKIJ8+QoGlarPwUimsNGvJJilSn4u6QSZOHA3oamIgMN OHVWe1RrhKws95DGoDQyh90npG6wuAU16Y3oZJdQ0WXQEIKhyt8GANo5bn0tFTz4SVUdCy2MVE6+ P+NMWgh0hdHFCOgNkMJ392PNDpgLsd6Ddd/s7VM53tGWQiV0zRVsA5SL7kYV1JnAMgFPp7+h3kLe NmBV53UGPtBAikk5O0PTvcKVfzYFZEUZc3yAwbnQZTJbzYvHN/xRXxKF5tPxTxfD0dMN+t5ZP6zO upSxHMPsAHfGhZAC/IAhemhJdBSJkER04dYNqSf7G3ch6MdB0XuALpEgtIRSdxZ/cxSnpMWdGZZ8 NIOHnN40eTXlWiUAYdLmsJdAoPJHNvQfAjIDptXbNSradnS0Zqm0mOdPl1LeUTNmkYtBTuxv0/1e /nzlq13wYTxncOSJHdsd+cwIgRT6euCWiMrA+4FHNKsiy9wMVtQ6ai8zTQ==
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/W61e_5qeZWQHMwhc_7_SthJpFW8>
Subject: Re: [Add] Mozilla's DoH resolver policy
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 22:16:59 -0000

 

> On Apr 12, 2019, at 2:48 PM, Wes Hardaker <wjhns1@hardakers.net> wrote:
> 
> But then you bring in the discussion of DNSSEC and authenticity, which
> is the only current way to ensure end-to-end data integrity and combine
> this with Martin's statement of
> 
>> We don't believe that DNSSEC is essential to our primary goals, which
>> are improving privacy of browsing activity.
> 
> Which clearly shows that between the above three, they're willing to
> sacrifice some level of authenticity to achieve better latency and
> privacy.  Note, though, that this choice isn't wrong.  It's a choice.  I
> may choose a different one, as may others.  And I'm more than sure my
> list above is incomplete from an ideological stand point; it just
> happens to be the three biggest I could think of.

On the other hand, DNSSEC does not guarantee authenticity either. It guarantees that the mappings of name to IP address is authentic, but that's not the same thing as guaranteeing that the connection actually terminates at the authentic end point. There could well be a NAT somewhere that translates the IP address and delivers the packets to a different server. See for example the many cases of rerouting 8.8.8.8 traffic to a different server.

On the web, authenticity is provided by the server identity verification built in TLS and used by HTTPS. Arguably, once you have HTTPS and authenticate the server, then DNSSEC does not provide any additional guarantee.

What DNSSEC provides is something else. If the name resolution points to the IP address of the wrong server, the TLS authentication will fail, and so will the connection. Falsified name resolution is thus a form of DOS attack, and DNSSEC protects against that. That's nice, but not essential.

Of course, DNSSEC is useful for other scenarios, such as retrieving keys. But these are not quite the main web scenarios.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email