Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...

Andrew Campling <andrew.campling@419.consulting> Fri, 09 October 2020 08:04 UTC

Return-Path: <andrew.campling@419.consulting>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A3043A0EA2 for <dns-privacy@ietfa.amsl.com>; Fri, 9 Oct 2020 01:04:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft5189650.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hAHmuhSIpwxS for <dns-privacy@ietfa.amsl.com>; Fri, 9 Oct 2020 01:04:56 -0700 (PDT)
Received: from GBR01-LO2-obe.outbound.protection.outlook.com (mail-eopbgr100044.outbound.protection.outlook.com [40.107.10.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ABC53A0DE9 for <dns-privacy@ietf.org>; Fri, 9 Oct 2020 01:04:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NxCyBPJUGj1IUdso5UAObaNq3Pd4OP4NEJVynuD2IRVFyh0ZaluikDf/g6m2otmMApzdAGrxyPfV+70YDIRSk6x3Zicnu2JIuogjY/X8zNSDPT1ZsqaZCu03JZcRt34EhnXl7X/3YKWms149qh4218Gd6k+bUlWFN5E0mmbMuTeB6bpHxlQSK14kAGUaHRxA27RC7hnpVyaTfLk4C/XP552c9m0q59O8FAvMXsJ+0Ikium1VXIMPzLwmTz8yCYj7Pw7PRQUj9CHts9lW31iEBvSR/njlm8mH6RXWBAkBl0uZuNb8i+z/l+PIzllp+NXZCxpc2WdLZqJGL4DhdV8qEw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Zi/+mjMtsvgd95rw6AE27NDT1dPweHHQ9w3GiIwR1VA=; b=FKfdVwegkJC9TwEqy6PRqx5F594Ih26Hc/ccZbCXOytboW6OfrqvxTRllZqwCZf/lsMvceCkC/v07itgyXxjmjTB/sTFQGaSzvskHBnU/tRL3DGSWlkom2mU0FiofCzmKeOf97OoAV2XGiaVXRpvVZgxPmUX8J560lv7k57jKYkEI9gtM2dAaSTcpjoTPOHvw2v0qTBQRkyMIBMUTVqo/driPN8gpoxxvhGKTe0MZQ2XxqI97m6IqpPZyKuGt+QXbSHbyFqJKlV5zJcZ1mR88fzFHauXXwh6vejPlbsVtSIQkhjGIdghAWCCpoYcXAXUBhREojlvg0DtUWQ+AVxn0w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=419.consulting; dmarc=pass action=none header.from=419.consulting; dkim=pass header.d=419.consulting; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT5189650.onmicrosoft.com; s=selector1-NETORGFT5189650-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Zi/+mjMtsvgd95rw6AE27NDT1dPweHHQ9w3GiIwR1VA=; b=JV4y9FtgEqQGgNmVr28oQ/ut/02rvyrxivZhmcOV+qSFt96yMro31a5sa3xNbwlsD1DIYV/fPGB0Iv67Sm+Sxfu7omGT0wENT5x7KQsNDAvusNDeeAsOpSftxfde0EA3dn7TCpVLjVD7TScx165UNs1Rym0mqoJQffk7Yhmdblg=
Received: from CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM (2603:10a6:401:b::21) by CWXP265MB0518.GBRP265.PROD.OUTLOOK.COM (2603:10a6:401:7::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3455.21; Fri, 9 Oct 2020 08:04:46 +0000
Received: from CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM ([fe80::c510:4f51:f79f:b3da]) by CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM ([fe80::c510:4f51:f79f:b3da%5]) with mapi id 15.20.3433.045; Fri, 9 Oct 2020 08:04:46 +0000
From: Andrew Campling <andrew.campling@419.consulting>
To: Eric Orth <ericorth@google.com>, "Vinny Parla (vparla)" <vparla=40cisco.com@dmarc.ietf.org>
CC: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, James <james.ietf@gmail.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...
Thread-Index: AdabLJ2GPjqR+/akTMiZMRHmFMQKNKmNX+pg1ndRtwCAAA0sgP/+87+w
Date: Fri, 9 Oct 2020 08:04:46 +0000
Message-ID: <CWXP265MB056674BB1E637A04AE2E8860C2080@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM>
References: <MN2PR11MB47604813E0DC2DDA0E297A36D80C0@MN2PR11MB4760.namprd11.prod.outlook.com> <CAO+dDxn1J2bOz1b8iPKbUnYLTFhSLJRhx9Od5hAHpP3TSkp7yQ@mail.gmail.com> <C276A52C-DCBA-4920-95E1-FAF2D3881D0B@apple.com> <MN2PR11MB476044BA6BD5D47C8088D434D80A0@MN2PR11MB4760.namprd11.prod.outlook.com> <LO2P265MB0573F65FD0DC18B528FD3282C20B0@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <MN2PR11MB47604811528E52E2ED48E41AD80B0@MN2PR11MB4760.namprd11.prod.outlook.com> <CAMOjQcEnhjh_VzQeTFRk6mAF9c8P_i9NMO8S3oMZBv4f81RHew@mail.gmail.com>
In-Reply-To: <CAMOjQcEnhjh_VzQeTFRk6mAF9c8P_i9NMO8S3oMZBv4f81RHew@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=419.consulting;
x-originating-ip: [81.141.77.90]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e1e7ac6e-7460-42bb-31aa-08d86c29fcba
x-ms-traffictypediagnostic: CWXP265MB0518:
x-microsoft-antispam-prvs: <CWXP265MB05181F61B661C9C86318846CC2080@CWXP265MB0518.GBRP265.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: md1kJoAdeRKUBGNaS2wJZW0hNRCncYq4ryQg8D98zkNnJ7M1QggEhbCcWpfUrl5ZCREzoBLPgjwWKChfWKihKYi7HmpsCYemTQYv2cnVjvkQ3Th/MdVJhESCAkMCN/a2he2JTdmxvOQBpcYWaNXwWrUHjMlJyjgrzxWg1jxStckJIUz1bc8pYv864MalApWXT2+5N6AeKCLHpGSBjCgOl0bx8tlSjkQ4f8IAjz2nEeM/xvGhn5xOE2GXYAHUt8TAZMqHOS5XZlJfNnoNJjyLIux6snm6ntkHqWXmiaAhuMbAcXfIl5ucUzOBNKG9VNFocdIe6xdHiw2nf736sbFc9f0XCKU9x6jnQgAwfRwYT+bf7agR5yQALy9301oHcNwE4uc4jaOK8JoB5WR9aU+BRvAAuQjbmr+XjSFPXyaX+mamSuTwqa4g31V1qDUOGDnj549bhIlsCGHqf/X2+k9f2A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(346002)(376002)(39830400003)(136003)(396003)(7696005)(5660300002)(8676002)(44832011)(26005)(64756008)(66946007)(66476007)(66446008)(66556008)(9686003)(76116006)(66574015)(186003)(4326008)(83380400001)(2906002)(52536014)(8936002)(83080400001)(71200400001)(55016002)(33656002)(6506007)(54906003)(53546011)(110136005)(316002)(966005)(86362001)(478600001)(166002)(46492008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: cQS+RA4KssPgAU+fTRTIPD1gfic2m3o40oQO1v/DtIEx8p7WNEF9phOLWWALOvODJDLJ3i+F66akgHZF+pqYM39lI9KxNIxdeMOmiCpyNaoYm3UJ8fjUOF9kkm+3VX6jnbMcU0ZrculAonxl9JzXPVruZBX2K1kmeP6V76pd+EhcUoo4yvln8juWB0z+Rq1GCme1W3at+xNRLrlNiDky4uY//Jl3iK91eTNPS6rqYFhxxomb1Pcxh5VH+k+Y2PSfDjLopiShYPoh1tQSp+qjjGD8YMbfMcRjegIEGkyemoAtPKMHsQNY6iSE3wo99XaCFIiJ6E6fG/gE/iu+zGSReqfwbT2DBl9kiBr4aiUMEFsx6pn3M03JXCXB5Y0WwZgmQVqY4qia+WNpYE+BigCqAYTsQFlsgjaJHW047ZAQWXYEI29k9t4lM80TJK+jzd1Sd94TqFQ4wxHso0b/KDO9pUU8F20SMl3B6mBLLagvxle+iEMxqFFOd+jMKWI9b3QjcHBikjd9BmyadEPaRiDVN1PssqBnNqfX8lQEnQpbdnl98n1m/+yHxHTJ23fneTHpjtxHb7vQCSZuy2t4KvZPz9S0j6aJ4NLDUWEkrur8688o1yM1tqT/TGxBRoba3k8RwJZdMiGXN15XsKKBPm30+w==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CWXP265MB056674BB1E637A04AE2E8860C2080CWXP265MB0566GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: 419.consulting
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: e1e7ac6e-7460-42bb-31aa-08d86c29fcba
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Oct 2020 08:04:46.1795 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c2ced3e-7522-4755-87dc-f983abc66ec3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: V93MybcCe7yOUUHTWK4J451eoZ/KpZYIIm71WCKw5UC9VVD0DLXa6nZBQV3S1PbNgd6byvIMuTbg25mCJ2drzY0yJbJU/HvJu+wmbZgqQ04=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CWXP265MB0518
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/zwm_3UbtTRxUk8LMHSVtZxNVvg0>
Subject: Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2020 08:05:02 -0000

This seems like a great example of best practice.  I wonder though whether it highlights a weakness in the protocol design if it is necessary to rely on goodwill by developers in order to protect the privacy of end users?  Perhaps future developments would take a different path, guided by the policy recently set out by the IAB in RFC8890.

Andrew

From: Eric Orth <ericorth@google.com>
Sent: 08 October 2020 17:00
To: Vinny Parla (vparla) <vparla=40cisco.com@dmarc.ietf.org>
Cc: Andrew Campling <andrew.campling@419.consulting>ng>; Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>rg>; James <james.ietf@gmail.com>om>; dns-privacy@ietf.org
Subject: Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...

For Chrome, we're currently taking some steps to ensure connection separation between DoH requests and normal content requests.  More specifically, we currently disallow DoH requests from sharing a connection with any requests that are not also blocked from sending or receiving cookies (as are the DoH requests), and we're considering further completely blocking DoH requests from sharing connections with non-DoH.  Primary motivation is privacy.  If DNS is multiplexed up with cookie-containing (or otherwise user-identifying) requests, makes it too easy for even an attempting-to-be-anonymous DNS service to accidentally log requests correlated up with user identity.

Plans may change in the future as we discover more usecases and if these scenarios become more relevant with some of the ADD proposals around domains designating preferred resolvers, but at least for now, I would anticipate Chrome DNS requests always staying at least somewhat separated from Chrome content requests.

On Thu, Oct 8, 2020 at 11:13 AM Vinny Parla (vparla) <vparla=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>> wrote:
Hi Andrew,

I agree with your view and am not in favor of aggregating Content and DNS together, although I can see arguments for doing this.
I am just wondering if Browser implementors have plans to do this in the future as I need to deal with both OS DNS and Browser (app) DNS scenarios.

From Tommy’s response I am hopeful the OS implementors won’t do this in the future and will keep DNS an independent mechanism.

-Vinny

From: Andrew Campling <andrew.campling@419.consulting<mailto:andrew.campling@419.consulting>>
Sent: Thursday, October 8, 2020 4:33 AM
To: Vinny Parla (vparla) <vparla@cisco.com<mailto:vparla@cisco.com>>; Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org<mailto:40apple.com@dmarc.ietf.org>>; James <james.ietf@gmail.com<mailto:james.ietf@gmail.com>>
Cc: dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>
Subject: RE: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...

Important though browsers are for some, DNS is an Internet protocol and needs to work for a wide range of devices and clients.  Mandating its absorption into a multiplexed stream via HTTP/3 seems unnecessary, irrespective of the potential performance gains and other possible benefits for web clients.

Andrew

From: Vinny Parla (vparla) <vparla@cisco.com<mailto:vparla@cisco.com>>
Sent: 07 October 2020 15:40
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org<mailto:tpauly=40apple.com@dmarc.ietf.org>>; James <james.ietf@gmail.com<mailto:james.ietf@gmail.com>>
Cc: dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>
Subject: Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...

Hi,

What I am driving at in my original question is do we envision mixing Content and DNS together in a multiplexed session or will DNS continue to be an entirely independent channel (whether over HTTP/2 /3 Do53 DoQ DoH).

-Vinny

From: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org<mailto:tpauly=40apple.com@dmarc.ietf.org>>
Sent: Wednesday, October 7, 2020 9:23 AM
To: James <james.ietf@gmail.com<mailto:james.ietf@gmail.com>>
Cc: Vinny Parla (vparla) <vparla@cisco.com<mailto:vparla@cisco.com>>; dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>
Subject: Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...

Can you cite this claim about DNS over HTTP/3? The per-query cost once an HTTP/3 connection is established should be minimal. If you’re taking into account all setup overhead for an HTTPS connection as a “per query” cost, that’s not representative of how DoH is reasonably used (and would be a issue with existing DoH).

Thanks,
Tommy

On Oct 6, 2020, at 2:03 PM, James <james.ietf@gmail.com<mailto:james.ietf@gmail.com>> wrote:

My most recent observations of discussions around DNS over QUIC and HTTP/3 was that some folks had attempted DNS over HTTP/3, however the overheads (~14KiB for a query at worst-case) made it impractical and infeasible. With regards to DNS over QUIC, the current dprive working group adopted draft [1] is focusing on stub to recursive, but not necessarily as a multiplex with an existing QUIC connection.

- J

1: https://tools.ietf.org/html/draft-ietf-dprive-dnsoquic-00

On Mon, 5 Oct 2020 at 17:31, Vinny Parla (vparla) <vparla=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>> wrote:
Hi,

It was suggested that I ask this question on the 3 lists:

Now that QUIC & HTTP/3 is imminent…

I would like to know what the opinion is of the community on the long term view of DNS.
Would DNS remain an independent channel or would it be subsumed in a multiplexed stream via HTTP/3 in some future version?

For example, would a browser perform DNS queries over a QUIC multiplexed session?
 (e.g. similar to how today an http proxy can perform DNS queries on behalf of the client using that proxy)

Would love to hear from implementors what their long term view is of this in particular.

Thanks,

-Vinny

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>
https://www.ietf.org/mailman/listinfo/dns-privacy
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>
https://www.ietf.org/mailman/listinfo/dns-privacy

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>
https://www.ietf.org/mailman/listinfo/dns-privacy