Re: [Add] publication of DoH Resolver policies

tirumal reddy <kondtir@gmail.com> Wed, 29 May 2019 10:29 UTC

On Tue, 28 May 2019 at 21:13, Livingood, Jason <Jason_Livingood@comcast.com>
wrote:

> First – thanks for the pointer!
>
> Comment – things like ‘logging’ seem very binary. What about default
> logging = no except if FQDN = malware C&C, in which case yes (to support
> notifying the end user of infection)?
>

If access to malicious domains is logged, logging the client IP address to
notify the user is PII, and if the client IP address is logged, it is stored
in either temporary or permanent logs.

Cheers,
-Tiru

>
> *From: *Add <add-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
> *Date: *Monday, May 27, 2019 at 9:12 AM
> *To: *Jim Reid <jim@rfc1035.com>
> *Cc: *ADD Mailing list <add@ietf.org>
> *Subject: *Re: [Add] publication of DoH Resolver policies
>
> On Mon, 27 May 2019 at 16:53, Jim Reid <jim@rfc1035.com> wrote:
>
> On 27 May 2019, at 11:59, tirumal reddy <kondtir@gmail.com> wrote:
> >
> > If the DoH server provided by the network offers the same level of
> > privacy-preserving data policy as the DoH server pre-configured in the
> > browser, why shouldn't the browser use the network-provided DoH server?
>
> How could the browser tell that both DoH servers have the same policy?
>
>
> How does the browser (or anything else for that matter) know what some
> arbitrary DoH server’s privacy preserving data policy is? Where will this
> be documented and published in a way that a web-based application or the
> end user can understand and then make an informed choice?
>
>
> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-03#section-10
> defines a new privacy certificate extension that identifies the
> privacy-preserving data policy of the DNS server; it is in a machine-parsable
> format.
>
>
>
>
> Now rinse and repeat that for other server-side policies: data retention,
> GDPR compliance, DNS filtering/blocking, TLS session resumption, ECS
> behaviour, QNAME minimisation, NXDOMAIN rewriting, query-related adware,
> etc, etc.
>
> Oh, and if some DoH server says “I do QNAME minimisation” (say), does the
> browser or end user simply take that on trust or would they somehow be
> expected to verify that for themselves?
>
>
> End users typically do not trust the DoH server in an untrusted network (e.g.
> a public WiFi network) and may only use the DoH server provided by a trusted
> network (e.g. enterprise or secure home networks), similar to the way users
> disable the VPN connection in specific networks and enable the VPN connection
> by default in other networks for privacy. In addition, the privacy extension
> includes a URL that points to the security assessment report of the DNS
> server by a third-party auditor.
>
>
>
> Cheers,
>
> -Tiru
>