IETF Logo Mail Archive

Re: [dispatch] Working Group Proposal: DNS Over HTTPS

"John R Levine" <johnl@taugh.com> Thu, 10 August 2017 19:48 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B92132430 for <dispatch@ietfa.amsl.com>; Thu, 10 Aug 2017 12:48:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=iecc.com header.b=Mwi1nWXo; dkim=neutral reason="invalid (public key: not available)" header.d=taugh.com header.b=vOHzUXox
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MlKMyquh7Iuu for <dispatch@ietfa.amsl.com>; Thu, 10 Aug 2017 12:48:52 -0700 (PDT)
Received: from miucha.iecc.com (w6.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCA7B132359 for <dispatch@ietf.org>; Thu, 10 Aug 2017 12:48:51 -0700 (PDT)
Received: (qmail 67105 invoked from network); 10 Aug 2017 19:48:51 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=1061f.598cb8a3.k1707; bh=NUhp/Jyq+dqDYhnDdCjMf/Z9YRaT1sraPG65iiqLL4Q=; b=Mwi1nWXoNfOAj0N1YEg3Sik6RAnPtqJovW6QcsPjfsY9wWEYA3iuzTQKCyJCfUMO1Jwr2L2tZF9qUJ1WdhPSPgU+DKYalL+cVl+JnKfyPqqM+imS3hQt9t6ub04/MCNfAA+K3ttoI7Td5ox/vlfwbuZzbdkPUqaSL4JJvrOLQOKZTr14npKIVa0A0A3d2PSTlAZn7oeSMXHX2g2AEmY9jFI5nPzJfnwDXTUz0YhYVbsY5ERaq070/qULq4LEqb/u
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=1061f.598cb8a3.k1707; bh=NUhp/Jyq+dqDYhnDdCjMf/Z9YRaT1sraPG65iiqLL4Q=; b=vOHzUXoxXpjO1f5gDVhcWW0DctMaOcClxGRiERmgbLbEY70qcYB/bmJhv/RNBB6L6GOZWgjFOhpDLgzikoOur3tWx4Ek8XHHJbEf9qyOXcUq8SP3EGP9rqFkL5rODvSqQCm3ofJ/Jm5s9rUnGqy1cOL1LHQHwlSdf0nd7LJpOIQubYGdo6BjKvW7QWWkZLP1DAAX+30or8Y7tApt+5iTz1pjb7Dq1u/X8uOiXaLX2/E8LTyrp40V0HvAP3YKnBrx
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 10 Aug 2017 19:48:50 -0000
Date: Thu, 10 Aug 2017 15:48:50 -0400
Message-ID: <alpine.OSX.2.21.1708101544040.37303@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Dispatch WG <dispatch@ietf.org>
In-Reply-To: <3d53edbf-2d56-5972-5ce7-bc82f6d82960@cs.tcd.ie>
References: <20170810160035.9804.qmail@ary.lan> <305d8c08-ce2d-8e4e-5293-c5c3abb5256b@cs.tcd.ie> <alpine.OSX.2.21.1708101427390.37126@ary.qy> <3d53edbf-2d56-5972-5ce7-bc82f6d82960@cs.tcd.ie>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/mR82nQg-DdF5oSV1l5BFntR7kBM>
Subject: Re: [dispatch] Working Group Proposal: DNS Over HTTPS
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2017 19:48:53 -0000

On Thu, 10 Aug 2017, Stephen Farrell wrote:
>> do, this is not a way to patch a browser's DNS lookup code.
>
> I don't know what you mean by that last tbh.

Browsers do their own DNS lookups in the usual way.  This proposal does 
not change that in the least.

> The problem I'm trying to describe is touched on in the
> last para of the draft's security considerations.

Oh, that.  The client is the javascript application, not the browser 
inside which it's running.

Re CORS, a normal javascript app can only call back to servers in the same 
domain, so any evil due to DNS over http will be coming from the equally 
evil server that provided the javascript code in the first place.  I 
suppose CORS lets it talk to other differently evil places, but this 
doesn't impress me as an interestingly new problem.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

v2.23.0 | Report a Bug | By Email