Re: [Add] fixing coffee shop brokenness with DoH

Tony Finch <dot@dotat.at> Wed, 24 July 2019 14:53 UTC

Return-Path: <dot@dotat.at>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CAFF1200F4 for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 07:53:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GgxZat-1ndkj for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 07:53:02 -0700 (PDT)
Received: from ppsw-30.csi.cam.ac.uk (ppsw-30.csi.cam.ac.uk [131.111.8.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73EFD12006F for <add@ietf.org>; Wed, 24 Jul 2019 07:53:02 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:60576) by ppsw-30.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1hqIdY-001BjM-eY (Exim 4.92) (return-path <dot@dotat.at>); Wed, 24 Jul 2019 15:53:00 +0100
Date: Wed, 24 Jul 2019 15:53:00 +0100
From: Tony Finch <dot@dotat.at>
To: Eric Rescorla <ekr@rtfm.com>
cc: Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
In-Reply-To: <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.1907241547060.8471@grey.csi.cam.ac.uk>
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/rJ2fe6aceC6GUzzhP1rT2T4-tmw>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 14:53:04 -0000

Eric Rescorla <ekr@rtfm.com> wrote:
>
> DNSSEC does not address two security issues that we are concerned with:
>
> - Surveillance by actors on the user's network (including, perhaps, the
> recursive resolver)
>
> - Blocking by the recursive resolver.

Whether these are problems or benefits is extremely context-dependent. In
some situations they might be an attack when done without the consent of
the end user; in others they might be part of the security infrastructure
of a managed network that the user willingly trusts. An application cannot
tell the difference.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Hebrides, Bailey: Cyclonic 3 to 5, becoming variable 2, then east 3 to 5
later. Moderate. Showers. Good occasionally poor.