Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification
Neil Cook <neil.cook@noware.co.uk> Thu, 10 September 2020 11:09 UTC
Return-Path: <neil.cook@noware.co.uk>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C4703A0800 for <dns-privacy@ietfa.amsl.com>; Thu, 10 Sep 2020 04:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Level:
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=noware.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIwTA67Boygd for <dns-privacy@ietfa.amsl.com>; Thu, 10 Sep 2020 04:09:42 -0700 (PDT)
Received: from mail.noware.co.uk (unknown [IPv6:2604:a880:0:1010::add:2001]) by ietfa.amsl.com (Postfix) with ESMTP id 0FA943A07E5 for <dns-privacy@ietf.org>; Thu, 10 Sep 2020 04:09:41 -0700 (PDT)
Received: from [192.168.1.170] (unknown [109.156.119.142]) by mail.noware.co.uk (Postfix) with ESMTPSA id 49FB61D8381; Thu, 10 Sep 2020 11:07:04 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.noware.co.uk 49FB61D8381
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=noware.co.uk; s=default; t=1599736024; bh=ynWGxxNBd1bXUOi4MCCxw7XibXcy6Ze9VnMSy2yc5Yo=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=K/h9Wsk2Ro9amdvl40HnlKhUZ4qLdInECZh2aYlLMbY9hIrfER22zBGHhZ3iV9GFD uRoBMuAIRY2d4iHjcNtwJgMZoXc6edeRyKIncr0qHaR6cQWm0y1HG11XBbKbVLG0ZX 7TSMACBt4s8Iw9aMUDmP1uuUJxwwDZY9dagv0uY8=
From: Neil Cook <neil.cook@noware.co.uk>
Message-Id: <C5CB1A2E-ED82-4F97-8CA6-E377B137C606@noware.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4FEA0397-6813-4434-8459-787B1DC08C86"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 10 Sep 2020 12:09:38 +0100
In-Reply-To: <CAHbrMsAbGci08qR+NL9Csdej_VFpfZxSdHXfwAM6azB-DryQQQ@mail.gmail.com>
Cc: Neil Cook <neil.cook=40noware.co.uk@dmarc.ietf.org>, "Winfield, Alister" <Alister.Winfield@sky.uk>, DNS Privacy Working Group <dns-privacy@ietf.org>
To: Ben Schwartz <bemasc@google.com>
References: <6e071da2-4281-d525-03ba-4d6dfc843a76@innovationslab.net> <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com> <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk> <CAHbrMsD2y0o+uV9eiAb32_=6ZYwAUoS_zM5+T97SxnHzxB05bQ@mail.gmail.com> <0799B139-E353-4EC7-9340-87CE00C465AA@noware.co.uk> <CAHbrMsC=kOYUL_Ei1uSnWJ3hGxu=7c10eRofXJ=w5sQzcbu6mA@mail.gmail.com> <3A9BCDDD-883D-470E-A547-79839149F8EE@sky.uk> <CAHbrMsDVZMNNhwqTUexRL3R=HoEfDTWsoXnr=bdTaWyTXV_=rw@mail.gmail.com> <C8137D01-5903-4CFA-A315-67D7012EC583@noware.co.uk> <CAHbrMsAbGci08qR+NL9Csdej_VFpfZxSdHXfwAM6azB-DryQQQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: -100
X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduiedrudehjedgfeduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecupffgkffnvefqqffmnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhkfgtggfuffgjvfhfofesrgdtmherhhdtjeenucfhrhhomheppfgvihhlucevohhokhcuoehnvghilhdrtghoohhksehnohifrghrvgdrtghordhukheqnecuggftrfgrthhtvghrnhepjeeugfegvddtjeetkeeuueeigfdugfekjedufeekjedvveeftddvieduvdekleehnecukfhppedutdelrdduheeirdduudelrddugedvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepuddtledrudehiedrudduledrudegvddphhgvlhhopegludelvddrudeikedruddrudejtdgnpdhmrghilhhfrhhomheppfgvihhlucevohhokhcuoehnvghilhdrtghoohhksehnohifrghrvgdrtghordhukheqpdhrtghpthhtohepsggvmhgrshgtsehgohhoghhlvgdrtghomhdprhgtphhtthhopehnvghilhdrtghoohhkpeegtdhnohifrghrvgdrtghordhukhesughmrghrtgdrihgvthhfrdhorhhgpdhrtghpthhtoheptehlihhsthgvrhdrhghinhhfihgvlhgusehskhihrdhukhdprhgtphhtthhopegunhhsqdhprhhivhgrtgihsehivghtfhdrohhrgh
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/LasNaP4nbpDNS9yFUeLYH_8hD2o>
Subject: Re: [dns-privacy] [EXTERNAL] Re: Review request: draft-btw-dprive-rfc8484-clarification
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 11:09:43 -0000
> On 9 Sep 2020, at 17:53, Ben Schwartz <bemasc@google.com> wrote: > > > There are other reasons for wanting to do DoH in the CPE, such as performing DNS filtering on the CPE. > > This could equally be by client-specific logic on the central resolver, as demonstrated by NextDNS. > Agreed, and it’s being done by many folks, not just NextDNS (all large UK ISPs have had the capability do this for over 5 years, and it’s used by millions of consumers). > BTW I’d interested in how “client-specific logic at the central resolver” solves the connection count issue? > > It doesn't, but caching does, hence my conclusion that caching is the focus. I’m not sure I follow. The CPE could do no caching, and the central resolver would still benefit from the decreased connection count, just not a decreased query load. > > Also, the attacker has to have compromised an ISP-managed CPE, and that CPE still needs to be running on an ISP-managed network connection. > > Maybe. As Alister noted, in some models the subscriber can acquire a DV cert for the name without reaching inside the CPE. I think these are notional models - I’m not aware of any CPEs supporting a DoH forwarder currently. Certainly if it were to be done, securing the keying material would be extremely important. Neil
- [dns-privacy] Review request: draft-btw-dprive-rf… Brian Haberman
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] Review request: draft-btw-dpriv… Martin Thomson
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Neil Cook
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Neil Cook
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Konda, Tirumaleswar Reddy
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Rob Sayre
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Konda, Tirumaleswar Reddy