Re: [Add] fixing coffee shop brokenness with DoH

<chris.box@bt.com> Thu, 25 July 2019 02:38 UTC

From: chris.box@bt.com
To: add@ietf.org
Thread-Topic: [Add] fixing coffee shop brokenness with DoH
Date: Thu, 25 Jul 2019 02:38:05 +0000
Message-ID: <LO2P123MB2256EB5193EF6D66B167EF959BC10@LO2P123MB2256.GBRP123.PROD.OUTLOOK.COM>
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CAChr6SzvUZS4Ru_SttiZgWtjwBuLrzc_fdewq9w-Ts+Rq_oNHw@mail.gmail.com> <9E8BD2C4-D750-4B8C-BA34-AC4425F2951D@gmail.com> <CAChr6Szo+1x6BnU2XH2A0o7CTQrQhFVPYezR7KQVLw-nWToULg@mail.gmail.com> <MN2PR21MB12134C6B57220E1B8BF5C811FAC60@MN2PR21MB1213.namprd21.prod.outlook.com> <CABtrr-Ue6rAom3ubJc_tPbn37T8HPGPabzX=CxT9UmiicbUtXQ@mail.gmail.com> <LO2P123MB22569D3F3476B913EDC8F8D69BC60@LO2P123MB2256.GBRP123.PROD.OUTLOOK.COM> <CAChr6SxV1s-6zzLw+W=QO6qZ3RcCDhR+PG0bUP4d_q+9_gOHTA@mail.gmail.com> <CAH1iCir=fbFP=Qgkrnxjdj=ASMVQ6SaBzh3Kr0D_viwQK5h8Vw@mail.gmail.com>
In-Reply-To: <CAH1iCir=fbFP=Qgkrnxjdj=ASMVQ6SaBzh3Kr0D_viwQK5h8Vw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ZyFODiCyQ9sOHHGRTIPTCZq08fw>

This proposal has a lot going for it: no fragmentation of DNS configuration at the app level, just one lot of settings in the client device’s caching forwarder, with secure transport outside the device, and full validation.

Seems like a good start.

From: Brian Dickson <brian.peter.dickson@gmail.com>
Sent: 24 July 2019 22:19
To: Rob Sayre <sayrer@gmail.com>
Cc: Box,C,Chris,TLW1 R <chris.box@bt.com>; add@ietf.org
Subject: Re: [Add] fixing coffee shop brokenness with DoH

[snip]

browser <-> (local/internal loopback-type interface) <-> caching DNS forwarder <-> (DoT) <-> {enterprise | home | public} full recursive resolver
And the browser would speak native DNS, with DNSSEC validation, DANE support (natively, not plug-in), HTTPSSVC, CNAME/DNAME following, etc.
The caching DNS forwarder would have all the same stuff plus DNS cookies, not do fragmentation, and potentially have multiple full resolvers configured in a structured priority flow (not just round robin).
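As an added illustration (not code from either poster), the following unbound.conf shows how the "caching DNS forwarder" role in the topology above can be expressed with Unbound: it listens for plain DNS on loopback only, validates DNSSEC itself, keeps upstream UDP below fragmentation size, and forwards every query over DoT to the full recursive resolver. The upstream addresses are placeholders from the 192.0.2.0/24 documentation range, the certificate name dot.resolver.example is invented, and the trust-anchor and CA-bundle paths are assumptions that vary by distribution.

```conf
# Added example: Unbound as the local caching forwarder of the
# browser <-> loopback <-> forwarder <-> DoT <-> recursive resolver design.
server:
    # Loopback only: the browser's stub speaks native DNS to 127.0.0.1/::1
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Full DNSSEC validation in the forwarder (RFC 5011 managed root anchor).
    # Path is an assumption; adjust to the distribution's location.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    val-permissive-mode: no        # bogus data is SERVFAILed, not passed through

    # Advertise a small EDNS buffer so upstream UDP answers avoid IP fragmentation
    edns-buffer-size: 1232

    # Privacy and cache behaviour
    qname-minimisation: yes
    aggressive-nsec: yes
    cache-max-ttl: 86400

    # CA bundle used to authenticate the DoT upstream certificate (path varies)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Placeholder upstreams (documentation range); the '#name' suffix is the
    # hostname Unbound verifies against the presented TLS certificate.
    forward-addr: 192.0.2.53@853#dot.resolver.example
    forward-addr: 192.0.2.54@853#dot.resolver.example
    forward-first: no              # never fall back to unencrypted iteration
```

Two caveats on how far this matches the proposal. With forward-first set to no the forwarder fails closed: if every DoT upstream is unreachable, resolution fails rather than silently reverting to cleartext, which is the behaviour a defender usually wants but should be monitored. Unbound also chooses between the listed forward-addr entries by measured round-trip time, not by a strict configured order, so the "structured priority flow" and the DNS cookie handling mentioned above are not expressed by this configuration and would need either different software or additional policy in front of it.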