Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)
Kenji Baheux <kenjibaheux@google.com> Sun, 24 March 2019 05:43 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8_oBXrlaEAeRUnzNjnMenR8x15c>
On Sat, Mar 23, 2019, 13:04 Wes Hardaker <wjhns1@hardakers.net> wrote:

> Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org> writes:
>
> > * We are considering a first milestone where Chrome would do an automatic
> > upgrade to DoH when a user's existing resolver is capable of it.
>
> Sorry for the delayed question, but with respect to this bullet:
>
> 1) Do you have evidence that DOH is faster than DOT, since speed was one
> of your goals?

Speed isn't a primary goal, hence the use of "hopefully".

Based on Mozilla's early results [1], there is hope that the performance will be improved at the high percentiles and remain neutral/acceptable otherwise.

[1] https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results/

> 2) What other reasons are you considering when doing DOH instead of DOT
> to protect privacy.

We are not considering DOT, just DOH.

I believe that there have been many discussions in the past that offered reasons why a browser / ... would naturally prefer DoH over DoT. I don't think I have anything to add that would sway the debate one way or another. In fact, I think it's fair to say that the debate is unlikely to come to an end anytime soon.

Instead, I imagine it would be more effective to focus on specific scenarios: who are the actors, what do they want or accept/understand, is the scenario reasonable to all parties involved, what can they do, etc.

> Specifically, you're preferring DOH but your stated
> goals are "Stronger privacy and security." and "Hopefully, some
> performance wins.", without providing rationale for each of the potential
> solutions. DNS plain clearly doesn't meet the first, but likely does
> the second. But you fail to provide a goal that distinguishes why you'd
> prefer DOT vs DOH to meet both these goals.
>
> --
> Wes Hardaker
> USC/ISI
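The "automatic upgrade to DoH when a user's existing resolver is capable of it" bullet quoted above describes a decision a client has to make before it changes how DNS traffic leaves the machine. The following is an added example of that decision logic, written for this page; it is not Chrome's code nor code from anyone in this thread. The provider table, IP addresses and URI templates are constructed placeholders, and the rule that every configured resolver must map to one known provider (otherwise stay on classic DNS) is an assumption about how a conservative upgrade would be done.

```python
"""Illustrative 'same-provider' DoH auto-upgrade decision (added example,
not Chrome's implementation). Everything in KNOWN_PROVIDERS is constructed
for this example; a real client would ship a curated, reviewed table."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class DohProvider:
    name: str
    classic_ips: tuple   # classic (Do53) resolver addresses this operator runs
    doh_template: str    # RFC 8484 URI template for the same operator's DoH service


# Constructed table: documentation-range IPs and example.* URLs, not real providers.
KNOWN_PROVIDERS = (
    DohProvider("example-resolver-a",
                ("192.0.2.1", "192.0.2.2", "2001:db8::1"),
                "https://doh-a.example/dns-query{?dns}"),
    DohProvider("example-resolver-b",
                ("198.51.100.9",),
                "https://doh-b.example/dns-query{?dns}"),
)


def _provider_for(ip) -> Optional[DohProvider]:
    """Map one classic resolver address to the operator that runs it, if known."""
    for provider in KNOWN_PROVIDERS:
        if any(ip == ip_address(c) for c in provider.classic_ips):
            return provider
    return None


def doh_upgrade_template(system_resolvers: Sequence[str]) -> Optional[str]:
    """Return the DoH template to switch to, or None to keep classic DNS.

    Assumed policy: upgrade only if *every* configured resolver belongs to
    the same known operator, so encrypting the transport never silently
    changes who answers (and sees) the user's queries. Any doubt -> None.
    """
    if not system_resolvers:
        return None
    operators = set()
    for raw in system_resolvers:
        try:
            provider = _provider_for(ip_address(raw))
        except ValueError:
            return None          # unparsable resolver config: do not guess
        if provider is None:
            return None          # an unknown resolver means no safe upgrade
        operators.add(provider)
    if len(operators) != 1:
        return None              # mixed operators: picking one would change the data path
    return operators.pop().doh_template
```

Returning None on every ambiguous input is the point: the client keeps its existing resolver rather than inventing a new one, which is what distinguishes an "upgrade" from a provider switch.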