Re: [Add] Mozilla's DoH resolver policy

Valentin Gosu <valentin.gosu@gmail.com> Thu, 11 April 2019 09:04 UTC

References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de>
In-Reply-To: <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de>
From: Valentin Gosu <valentin.gosu@gmail.com>
Date: Thu, 11 Apr 2019 11:04:31 +0200
Message-ID: <CACQYfiJa1i2LVgQDcHi_OknmDDKZiaw=++Y6imn34LcPULP3bQ@mail.gmail.com>
To: Ralf Weber <dns@fl1ger.de>
Cc: Martin Thomson <mt@lowentropy.net>, add@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/uEy_6esm6AlPHZh0DIIYRTBdimc>
Subject: Re: [Add] Mozilla's DoH resolver policy
List-Id: Applications Doing DNS <add.ietf.org>

On Thu, 11 Apr 2019 at 10:59, Ralf Weber <dns@fl1ger.de> wrote:

> Moin!
>
> On 11 Apr 2019, at 5:12, Martin Thomson wrote:
> > We don't believe that DNSSEC is essential to our primary goals, which
> > are improving privacy of browsing activity.  As a browser, we can't
> > condition our behaviour on whether DNSSEC was present and valid for a
> > variety of reasons (some of which we might discuss separately), but we
> > do value resolvers that perform DNSSEC validation.
> So why not make DNSSEC validation in the resolver a requirement? It
> doesn’t interfere with local policy and offers significant benefits
> for the user. Validation in the client would be nicer, but requiring it
> in the resolver is a good first step.
>

Because at the moment a DNSSEC failure response from the DoH server is
identical to an NXDOMAIN response, which causes us to fall back to regular
DNS anyway.
See https://bugzilla.mozilla.org/show_bug.cgi?id=1525854
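
The fallback behaviour described in the message above, as an added example that is not part of the original post and is not Firefox code: a client that falls back to the system resolver whenever DoH returns no usable answer discards the resolver's validation result. The policy function, its option name and the header-only sample messages are assumptions constructed for illustration.

```python
import struct

FALLBACK = "fallback-to-system-dns"

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of an application/dns-message body."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "qr": bool(flags & 0x8000),   # 1 = response
        "ad": bool(flags & 0x0020),   # resolver says the data validated
        "rcode": flags & 0x000F,      # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "ancount": ancount,
    }

def decide(msg: bytes, fallback_on_servfail: bool = True) -> str:
    """Hypothetical client policy for one DoH response.

    A validating resolver reports bogus data as SERVFAIL (RFC 4035), the
    same code it uses for upstream outages, so the header alone cannot
    tell the client which of the two happened.
    """
    try:
        h = parse_header(msg)
    except ValueError:
        return FALLBACK
    if not h["qr"]:
        return FALLBACK
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "use-doh-answer"
    if h["rcode"] == 2 and not fallback_on_servfail:
        # Keeps the validation result, at the cost of failing during outages.
        return "fail-closed"
    return FALLBACK

def _header(flags: int, ancount: int) -> bytes:
    """Constructed header-only sample: id 0, one question, no record bodies."""
    return struct.pack("!6H", 0, flags, 1, ancount, 0, 0)

# Constructed samples (QR|RD|RA set in all three; AD set on the validated one).
VALIDATED = _header(0x81A0, 1)   # NOERROR, AD=1, one answer
NXDOMAIN = _header(0x8183, 0)    # name does not exist
SERVFAIL = _header(0x8182, 0)    # validation failure or resolver error

if __name__ == "__main__":
    for name, msg in [("validated", VALIDATED), ("nxdomain", NXDOMAIN),
                      ("servfail", SERVFAIL)]:
        print(name, decide(msg), decide(msg, fallback_on_servfail=False))
```

With the default policy the NXDOMAIN and SERVFAIL samples both end at the system resolver, which is the outcome the message describes; the `fallback_on_servfail=False` variant shows the availability trade-off of not falling back.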