Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Patrick McManus <mcmanus@ducksong.com> Sun, 24 March 2019 21:42 UTC

References: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net> <1878722055.8877.1553241201213@appsuite.open-xchange.com> <CABcZeBPmpN-cEPK92QQW3bkvc41Cx5g7B_YuUXCJK3j1qF995Q@mail.gmail.com> <20190322.101434.307385973.sthaug@nethelp.no> <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk> <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com> <1C720263-10E4-423B-B152-5673E115A4C1@gmail.com>
In-Reply-To: <1C720263-10E4-423B-B152-5673E115A4C1@gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Sun, 24 Mar 2019 22:42:07 +0100
X-Gmail-Original-Message-ID: <CAOdDvNrQiM2bpi65tCvwjanQTM1KtcZjRL0aOwS2oAryTR-YEA@mail.gmail.com>
Message-ID: <CAOdDvNrQiM2bpi65tCvwjanQTM1KtcZjRL0aOwS2oAryTR-YEA@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>, "doh@ietf.org" <doh@ietf.org>, "wjhns1@hardakers.net" <wjhns1@hardakers.net>, "dnsop@ietf.org" <dnsop@ietf.org>, "huitema@huitema.net" <huitema@huitema.net>, "vittorio.bertola=40open-xchange.com@dmarc.ietf.org" <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3hWS3gLTeC3G7gI3qFPa0VJPqOs>

On Sun, Mar 24, 2019 at 10:31 PM Brian Dickson <
brian.peter.dickson@gmail.com> wrote:

>
> This is important for network operators in identifying encrypted DNS
> traffic,
>

Not all clients acknowledge a network's right to do such things at all
times. And of course it would be useful to tell the difference between
policy and a RST injection attack.

If the client does acknowledge the network has the right to set policy -
then the policy can be set on the client using existing configuration
mechanisms that allow the client to differentiate between authorized
configuration and perhaps less-authorized folks identifying their DNS
traffic. This is well worn ground in the HTTP space.
