Re: [Add] publication of DoH Resolver policies

"Livingood, Jason" <Jason_Livingood@comcast.com> Tue, 28 May 2019 15:43 UTC

From: "Livingood, Jason" <Jason_Livingood@comcast.com>
To: tirumal reddy <kondtir@gmail.com>, Jim Reid <jim@rfc1035.com>
CC: ADD Mailing list <add@ietf.org>
Date: Tue, 28 May 2019 15:43:27 +0000
Message-ID: <254F5605-B346-4AE1-A1A3-6D27AB76B18F@cable.comcast.com>
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <410f4e4d-aee0-d679-b454-6576de90b21a@nomountain.net> <76EF5603-618C-4A73-A4F9-7489B73B0757@nbcuni.com> <9ad7aa89-d751-e4c6-dede-e9c22faf6d20@nomountain.net> <525969024.22086.1558949269703@appsuite-gw1.open-xchange.com> <CAFpG3gdGpD+jpdChk4zeee+2Mh13mFuPK8kLxmx8DrRZYdy6pw@mail.gmail.com> <11C1E629-A2AE-468E-99B3-C2BBF9E4AE7C@rfc1035.com> <CAFpG3gdwBHoED-TXL3_2ksx-DPd7oRtaUD-FYyfz8yYvdw_Z8A@mail.gmail.com>
In-Reply-To: <CAFpG3gdwBHoED-TXL3_2ksx-DPd7oRtaUD-FYyfz8yYvdw_Z8A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ixOiVoNrCg9Bv6V4HP-0YyhWUm4>

First – thanks for the pointer!

Comment – things like ‘logging’ seem very binary. What about default logging = no except if FQDN = malware C&C, in which case yes (to support notifying the end user of infection)?

From: Add <add-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
Date: Monday, May 27, 2019 at 9:12 AM
To: Jim Reid <jim@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
Subject: Re: [Add] publication of DoH Resolver policies

On Mon, 27 May 2019 at 16:53, Jim Reid <jim@rfc1035.com> wrote:
On 27 May 2019, at 11:59, tirumal reddy <kondtir@gmail.com> wrote:
>
> If the DoH server provided by the network offers the same level of privacy-preserving data policy as the DoH server pre-configured in the browser, why shouldn't the browser use the network-provided DoH server?

How could the browser tell that both DoH servers have the same policy?

How does the browser (or anything else for that matter) know what some arbitrary DoH server’s privacy preserving data policy is? Where will this be documented and published in a way that a web-based application or the end user can understand and then make an informed choice?

https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-03#section-10 defines a new privacy certificate extension that identifies the privacy-preserving data policy of the DNS server; it is in a machine-parsable format.


Now rinse and repeat that for other server-side policies: data retention, GDPR compliance, DNS filtering/blocking, TLS session resumption, ECS behaviour, QNAME minimisation, NXDOMAIN rewriting, query-related adware, etc, etc.

Oh, and if some DoH server says “I do QNAME minimisation” (say), does the browser or end user simply take that on trust or would they somehow be expected to verify that for themselves?

The end user typically does not trust a DoH server in an untrusted network (e.g. a public WiFi network) and may only use the DoH server provided by a trusted network (e.g. Enterprise, secure home networks), similar to the way users disable a VPN connection in specific networks and enable the VPN connection by default in other networks for privacy. In addition, the privacy extension includes a URL that points to the security assessment report of the DNS server by a third-party auditor.

Cheers,
-Tiru