Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...

Andrew Campling <andrew.campling@419.consulting> Sun, 11 October 2020 20:22 UTC

From: Andrew Campling <andrew.campling@419.consulting>
To: Christian Huitema <huitema@huitema.net>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
CC: Eric Orth <ericorth@google.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, James <james.ietf@gmail.com>, "Vinny Parla (vparla)" <vparla=40cisco.com@dmarc.ietf.org>
Thread-Topic: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...
Date: Sun, 11 Oct 2020 20:22:37 +0000
Message-ID: <LO2P265MB05735A3BC771C6E340E91F55C2060@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM>
References: <MN2PR11MB47604813E0DC2DDA0E297A36D80C0@MN2PR11MB4760.namprd11.prod.outlook.com> <CAO+dDxn1J2bOz1b8iPKbUnYLTFhSLJRhx9Od5hAHpP3TSkp7yQ@mail.gmail.com> <C276A52C-DCBA-4920-95E1-FAF2D3881D0B@apple.com> <MN2PR11MB476044BA6BD5D47C8088D434D80A0@MN2PR11MB4760.namprd11.prod.outlook.com> <LO2P265MB0573F65FD0DC18B528FD3282C20B0@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <MN2PR11MB47604811528E52E2ED48E41AD80B0@MN2PR11MB4760.namprd11.prod.outlook.com> <CAMOjQcEnhjh_VzQeTFRk6mAF9c8P_i9NMO8S3oMZBv4f81RHew@mail.gmail.com> <CWXP265MB056674BB1E637A04AE2E8860C2080@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <4F75DF4C-63D7-4101-A5C5-4057B34EAB23@apple.com> <e920622d-3f22-3e36-d11c-32a122d15fb3@huitema.net>
In-Reply-To: <e920622d-3f22-3e36-d11c-32a122d15fb3@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/dewb1HKlJ7bt-ENZyM543xI4MNo>

On 10/10/2020 2:28 AM, Christian Huitema wrote:

> On 10/9/2020 3:32 PM, Tommy Pauly wrote:
>
>> Hi Andrew,
>>
>> At least the cookie aspect of this isn’t just a “best practice” of one implementer, but something indeed built into the protocol spec (https://tools.ietf.org/html/rfc8484):
>>
>>    Determining whether or not a DoH implementation requires HTTP cookie
>>    [RFC6265 <https://tools.ietf.org/html/rfc6265>] support is particularly important because HTTP cookies are
>>    the primary state tracking mechanism in HTTP.  HTTP cookies SHOULD
>>    NOT be accepted by DOH clients unless they are explicitly required by
>>    a use case.
>>
>> I think it is incorrect to characterize that DoH has a flawed design by basing itself on a protocol that allows cookies, or allows multiplexing. These are certainly tools provided by HTTP, but it is up to use them or not as appropriate. “Bad” implementations can put information in just about any protocol that could be used for tracking users.
>
> I am not sure about that. These days, if a protocol design allows it to be used for surveillance, you can be pretty sure that it will be.

That’s my concern too.  If the capability exists then it will be used; the opportunity for monetisation (and other negative outcomes) is too great.

> Maybe DoH should add a requirement for servers to reject requests on multiplexed connections, or reject requests that come with cookies attached. That would provide a strong incentive for clients to do the right thing.

My European DNS Resolver Policy for resolver operators includes the following: “[operators of DNS resolver services] SHOULD NOT use or require HTTP cookies when communicating with DNS clients that use HTTP-based DNS transports for resolution”.


Andrew
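The two cookie rules discussed in this message, the RFC 8484 client-side "SHOULD NOT accept cookies" and Christian's proposal that servers reject requests arriving with cookies attached, can both be expressed as small header filters. The following is an added example written for this archive page; it is not code from any participant in the thread, from the RFC, or from any resolver operator's deployment. It assumes the endpoint path `/dns-query` (the path RFC 8484 uses in its examples) and picks its own HTTP status codes for each rejection; the function and variable names are likewise the example's own.

```python
"""Cookie policy for a DNS-over-HTTPS (DoH) endpoint, on both sides.

Added example for this thread, not code from any of the participants.
Assumptions: the endpoint path /dns-query (the path RFC 8484 uses in its
examples) and the HTTP status codes chosen for each rejection.
"""
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlsplit

Header = Tuple[str, str]

DOH_PATH = "/dns-query"                  # assumed endpoint path
DNS_MESSAGE = "application/dns-message"  # media type defined by RFC 8484


def _has_header(headers: Iterable[Header], name: str) -> bool:
    """Case-insensitive presence test; HTTP/2 lowercases field names."""
    name = name.lower()
    return any(k.lower() == name for k, _ in headers)


def _first_header(headers: Iterable[Header], name: str) -> str:
    """Value of the first field called `name` (case-insensitive), or ''."""
    name = name.lower()
    return next((v for k, v in headers if k.lower() == name), "")


def check_doh_request(method: str, target: str,
                      headers: List[Header]) -> Tuple[int, str]:
    """Server side: decide whether to serve a request. Returns (status, reason).

    Implements the stricter stance floated in the thread: any request that
    carries a Cookie header is refused outright, instead of relying on the
    client to honour RFC 8484's SHOULD NOT. Resolution itself is out of scope.
    """
    parts = urlsplit(target)
    if parts.path != DOH_PATH:
        return 404, "not the DoH endpoint"
    if method not in ("GET", "POST"):
        return 405, "method not allowed"
    # HTTP/2 clients may split one cookie jar across several Cookie fields
    # (RFC 7540 section 8.1.2.5), so any occurrence counts, not just one.
    if _has_header(headers, "Cookie"):
        return 400, "cookies are not accepted on this endpoint"
    if method == "POST":
        ctype = _first_header(headers, "Content-Type")
        if ctype.split(";", 1)[0].strip().lower() != DNS_MESSAGE:
            return 415, "POST body must be " + DNS_MESSAGE
    else:
        if "dns" not in parse_qs(parts.query):
            return 400, "GET requires the dns= query parameter"
    return 200, "ok"


def strip_cookie_state(response_headers: List[Header]) -> List[Header]:
    """Client side, per RFC 8484: do not accept cookies. Dropping Set-Cookie
    before the response reaches any cookie jar means nothing is stored and
    nothing can be echoed back on the next query."""
    return [(k, v) for k, v in response_headers if k.lower() != "set-cookie"]


def doh_request_headers(method: str) -> List[Header]:
    """Client side: the minimal header set for a query, deliberately without
    Cookie or any other client-chosen identifier."""
    hdrs = [("Accept", DNS_MESSAGE)]
    if method == "POST":
        hdrs.append(("Content-Type", DNS_MESSAGE))
    return hdrs


if __name__ == "__main__":
    # Constructed sample: a GET whose dns= value is the base64url-encoded
    # query for www.example.com type A that RFC 8484 uses in its GET example,
    # once clean and once with a tracking cookie attached.
    target = "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
    clean = doh_request_headers("GET")
    tracked = clean + [("Cookie", "uid=12345")]
    print(check_doh_request("GET", target, clean))    # (200, 'ok')
    print(check_doh_request("GET", target, tracked))  # (400, ...)
    print(strip_cookie_state([("Set-Cookie", "uid=12345; Secure"),
                              ("Content-Type", DNS_MESSAGE)]))
```

`check_doh_request` would sit in front of the resolver's HTTP handler and `strip_cookie_state` in the client's response path, ahead of whatever HTTP library would otherwise persist cookies. The other half of Christian's suggestion, refusing requests on multiplexed connections, is a connection-level decision and is not expressible from a single request's headers, so it is left out here.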