Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)

Kenji Baheux <kenjibaheux@google.com> Sun, 24 March 2019 05:43 UTC

References: <CADWWn7UZj3oAfqpcpnAenGDpZHatrvQ=97OxAWX8c3881oevhA@mail.gmail.com> <ybl5zsaxmmr.fsf@wu.hardakers.net>
In-Reply-To: <ybl5zsaxmmr.fsf@wu.hardakers.net>
From: Kenji Baheux <kenjibaheux@google.com>
Date: Sun, 24 Mar 2019 14:43:29 +0900
Message-ID: <CADWWn7WG4Gu6a0aiOeO74SV3iPr+Wn5FT-T-Ab=729c_vGdpUg@mail.gmail.com>
To: Wes Hardaker <wjhns1@hardakers.net>
Cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8_oBXrlaEAeRUnzNjnMenR8x15c>
Subject: Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)

On Sat, Mar 23, 2019, 13:04 Wes Hardaker <wjhns1@hardakers.net> wrote:

> Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org> writes:
>
> >   * We are considering a first milestone where Chrome would do an
> >     automatic upgrade to DoH when a user’s existing resolver is capable of it.

> Sorry for the delayed question, but with respect to this bullet:
>
> 1) Do you have evidence that DOH is faster than DOT, since speed was one
> of your goals?
>

Speed isn't a primary goal, hence the use of "hopefully". Based on
Mozilla's early results [1], there is hope that the performance will be
improved at the high percentiles and remain neutral/acceptable otherwise.


[1] https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results/

> 2) What other reasons are you considering when doing DOH instead of DOT
> to protect privacy.


We are not considering DOT, just DOH.

I believe that there have been many discussions in the past that offered
reasons why a browser / ... would naturally prefer DoH over DoT.

I don't think I have anything to add that would sway the debate one way or
another. In fact, I think it's fair to say that the debate is unlikely to
come to an end anytime soon.

Instead, I imagine it would be more effective to focus on specific
scenarios: who are the actors, what do they want or accept/understand, is
the scenario reasonable to all parties involved, what can they do, etc.

> Specifically, you're preferring DOH but your stated
> goals are "Stronger privacy and security." and "Hopefully, some
> performance wins.", without providing a rationale for each of the potential
> solutions.  DNS plain clearly doesn't meet the first, but likely does
> the second.  But you fail to provide a goal that distinguishes why you'd
> prefer DOT vs DOH to meet both these goals.
>
> --
> Wes Hardaker
> USC/ISI
>