IETF Logo Mail Archive

Re: [Add] Mozilla's DoH resolver policy

Paul Wouters <paul@nohats.ca> Wed, 10 April 2019 17:27 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F6B112061E for <add@ietfa.amsl.com>; Wed, 10 Apr 2019 10:27:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OOCWtCe8GD2Z for <add@ietfa.amsl.com>; Wed, 10 Apr 2019 10:27:38 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A5D1120611 for <add@ietf.org>; Wed, 10 Apr 2019 10:27:37 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 44fWLt6m8szCwD; Wed, 10 Apr 2019 19:27:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1554917254; bh=ZD/s2OtExXb+oRs9bl1xPe4VOTKNqnDXr7YYGJhhEuc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=KfeNlF+ayzE98KO8efDhQXy2Tf7aWdNjQT+6cRNo6yFAkXkRkbKIPxt5ysy/5cFdK pMP8nPNpx2uAcrX8wcNRPCOlCaW0Fe/Vt50Ss3TJQZUa2Y05Q8Ymnr15e8iNXKU2pK 6t1gC6Fahin/HD6RBtaYIamapRUV3+1T+o7TUcvA=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 1BxfKIH0sllZ; Wed, 10 Apr 2019 19:27:32 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 10 Apr 2019 19:27:32 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 5D7C039A620; Wed, 10 Apr 2019 13:27:31 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 5D7C039A620
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 3542F40D358A; Wed, 10 Apr 2019 13:27:31 -0400 (EDT)
Date: Wed, 10 Apr 2019 13:27:30 -0400
From: Paul Wouters <paul@nohats.ca>
To: nusenu <nusenu-lists@riseup.net>
cc: add@ietf.org
In-Reply-To: <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net>
Message-ID: <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca>
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/yuzCFLyiiV4PYNLdW2AjZhpNjoU>
Subject: Re: [Add] Mozilla's DoH resolver policy
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2019 17:27:46 -0000

On Wed, 10 Apr 2019, nusenu wrote:

> Paul Hoffman wrote:
>> Of likely interest to this group:
>>    https://wiki.mozilla.org/Security/DOH-resolver-policy
>
> I'm surprised they don't include DNSSEC in their requirements
> for DoH server operators aiming to join their TRR program

Same here, although one can argue DNSSEC is just core standard DNS so
they do not need to mention it. Where as query minimalization is still
fairly new.

But especially because some people think DoH/DoT _replaces_ DNSSEC as
security method, it would be good for mozilla to clarify this. Of
course, that also opens them up to answering why they don't actively
support things possible with DNSSEC, such as TLSA support :P

Paul

v2.23.0 | Report a Bug | By Email