Re: [dns-privacy] New: draft-bertola-bcp-doh-clients

[Vittorio Bertola <vittorio.bertola@open-xchange.com>]

>     Il 10 marzo 2019 alle 16.44 Stephen Farrell < stephen.farrell@cs.tcd.ie mailto:stephen.farrell@cs.tcd.ie > ha scritto:
> 
> 
> 
>     Hiya,
> 
>     On 10/03/2019 14:55, Vittorio Bertola wrote:
> 
>         > >         Hello all,
> > 
> >         this new document has been allocated 10 minutes in the dprive agenda
> >         in Prague.
> > 
> >     >     I really hope someone's going to arrange one venue for these
>     discussions. Could be a bit of a mess otherwise between dprive,
>     doh, dnsops, suggested side meetings and the pivo club:-)
> 
I totally agree, and this is the first expected outcome. I am also wondering whether a side meeting in Prague would be useful, perhaps just focusing on this specific question.

> 
>     1. I don't think your characterisation of DNS n/w-selection
>     vs. application-selection is accurate. IIUC, what's actually
>     done by FF is that (if the user has explicitly turned on DoH)
>     then FF tries all the resolvers it knows about and figures
>     out which to use based on the results and timing it sees.
> 
Honestly, I understood it differently - at this point in time they are doing tests on whether their resolver performs better or worse than the system's one, but their announced model is that Firefox will adopt a DoH resolver (though it's unclear how it will be chosen) and it will just use that one. But if people from Mozilla could make a clearer announcement on what their plans currently are, that would be good. Still, most of the issues arise whenever an application, for whatever reason and under any mechanism, starts to use one or more resolvers different than the one set up in the operating system: even if it used more than one, you would still get many of the issues listed in the document (though, if it used more than one at the same time, I think you'd actually also get some new specific issues, so we'd need to add a discussion of this possibility).

>     2. I may have missed it, but where in your document is the
>     bit that says that applications and system libraries SHOULD
>     prefer DoT/DoH or similar over cleartext DNS?
> 
The document is a best practice for clients already having decided that they are going to use encrypted DNS protocols, much like the one by Sara and others is for operators already having decided to provide encrypted DNS resolvers. But I am of course in favour of such a recommendation, so I would be happy to add it on top, if we think that this is the right place.

>     (And maybe that
>     DNS operators SHOULD provide DoT/DoH services?)
> 
That one would be for a draft for DNS operators :-)

>     ISTM that
>     such a recommendation would be needed before you can really
>     ask applications (who've concluded that cleartext DNS is
>     undesirable) to follow the kind of recommendations you
>     describe.
> 
I think it also works the other way round: IMHO it is much easier to get consensus on the basic recommendation you describe above if you have additional recommendations that make a lot of people less nervous about the potentially damaging consequences of a mass switch to encrypted DNS. This is actually a motivation for the document, as stated at the end of the introduction.

Thanks for the comments!

Ciao,
-- 
Vittorio Bertola
Head of Policy & Innovation

Cell: 	+39 348 7015022
Direct Chat: 	vittorio.bertola https://chat.open-xchange.com/direct/vittorio.bertola
Email: 	vittorio.bertola@open-xchange.com mailto:vittorio.bertola@open-xchange.com

Twitter: @openexchange http://twitter.com/openexchange - Facebook: OpenXchange https://www.facebook.com/OpenXchange - Web: www.open-xchange.com http://www.open-xchange.com
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael Knapstein, Stephan Martin
Chairman of the Board: Richard Seibt

European Office:
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718
Managing Director: Frank Hoberg

US Office:
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA

Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.