Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Puneet Sood <puneets@google.com> Fri, 22 March 2019 22:09 UTC

Return-Path: <puneets@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2134512762F for <dnsop@ietfa.amsl.com>; Fri, 22 Mar 2019 15:09:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.501
X-Spam-Level:
X-Spam-Status: No, score=-17.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vpQ7qdvx-h4y for <dnsop@ietfa.amsl.com>; Fri, 22 Mar 2019 15:08:59 -0700 (PDT)
Received: from mail-yw1-xc2b.google.com (mail-yw1-xc2b.google.com [IPv6:2607:f8b0:4864:20::c2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDCBA131530 for <dnsop@ietf.org>; Fri, 22 Mar 2019 15:08:58 -0700 (PDT)
Received: by mail-yw1-xc2b.google.com with SMTP id l5so2814476ywa.0 for <dnsop@ietf.org>; Fri, 22 Mar 2019 15:08:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=BBgHaxCTxjfEZlRuABV6w65bb+fKt31xyTSKufVCrxw=; b=km/ixRhGOL49p98O/a/CbS/ITaHMkPK63YNJjLz0fceQd7Or9rPJvvi3SZYkZPwM5I yJm5yX3YEWHBWmJRhYCPEYphhWYU7T7sXqElxLEn0+Ckqo2Bv6FNDaxIZ38xSSpDg96I vXNj/uy0+7zJLTZPP6cHWOfC7HZeVb5jvq/NHAuFWw45/ANk0RsLewXBPE/AC8feVODK J1DT9DB5Ckw51Qq6lyCED9Jy5BA0Iv2BvHfJWHC6PByJSPOSK4lnu3WemfRWRrxC+Es2 wP7g6HLE0/SH5Wft8xm50QouWBv2KvCmlFnh8X8rH71sgDmmYNu4STINkO/x8PSU7iAH W3pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=BBgHaxCTxjfEZlRuABV6w65bb+fKt31xyTSKufVCrxw=; b=mqdfF29+RbsD40TtwCBWDHpTRWBDewWc8J+LYV2GXxfLyKbwxhQv4vTZPBvfsAvLHE e/SXK84hzpLye9UNlHWeZew0VNg1d7n7SfZtvHA2uZs1ASelWh7lk17FxQnsfXxB7kS3 RrznRJOg+3Xs2CY88hSnNOWkF7i47s9w/a8Q/myPPHc/89TI/RUzZ7qN7oyZ9QwCi/M3 qk6hDYoUbRXC/T+fwvVg5lrEyMZMOo81lfGKpb9u9z3h+QuZNWTYpRrMgy0JwsD9ZneB 09y2tpn0MkSDr8zcntQz/awCnDSUBRKYwOBAjAnWd5a38IovAgZeDFUKuuSIHUzkWcOw xo7A==
X-Gm-Message-State: APjAAAXcYFym+UeVgffbryUfYhLkSJqCbDe/ww38KgwX7P911vMEmxta m2h9BE1Ume6OpdKTeISHyWQkhT7A3ZkW+POmv9Gv+w==
X-Google-Smtp-Source: APXvYqwIsYedSOJlGUjHj9Toj+ACruI6tzGv4kQwtZ08KBVJN60VNvxenKxiBCDS1dPs0sHjWxg6isI9ZtgbhWAzv+M=
X-Received: by 2002:a25:4643:: with SMTP id t64mr10435697yba.462.1553292537751; Fri, 22 Mar 2019 15:08:57 -0700 (PDT)
MIME-Version: 1.0
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <3457266.o2ixm6i3xM@linux-9daj> <CA+9kkMDkKQtBDrXx9h8331_6zDtcChUTfqFe0W3JByxyB=4xLw@mail.gmail.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <a38cf205-b10e-e8e2-62cf-8e0377dfc1ef@brokendns.net> <4599B066-BA82-4EA8-92C1-F1BE1464A790@puck.nether.net> <b8c58757-3945-ea19-b018-8e59292abf30@cs.tcd.ie> <CAH1iCirBm0NKA2-zw--ZKd3gN1ZCmwZ7_ZOSyaTk+2SMmrtxKg@mail.gmail.com> <EA89EA1A-A1EA-4887-9294-4F68AB5C3211@puck.nether.net> <91A0BBD0-CB73-498E-B4E0-57C7E5ABE0B4@hopcount.ca> <CAJE_bqfEoy4Lbei27XNTbRSF9XHoAQ1gYPNerTXg9y6swp1a0w@mail.gmail.com>
In-Reply-To: <CAJE_bqfEoy4Lbei27XNTbRSF9XHoAQ1gYPNerTXg9y6swp1a0w@mail.gmail.com>
From: Puneet Sood <puneets@google.com>
Date: Fri, 22 Mar 2019 18:08:45 -0400
Message-ID: <CA+9_gVujw0MfF3Q3A6tGbL6QDjLLyt=8-Wd3vgbhBs9razs_bw@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Cc: Joe Abley <jabley@hopcount.ca>, Ted Hardie <ted.ietf@gmail.com>, DoH WG <doh@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>, Jared Mauch <jared@puck.nether.net>, dnsop <dnsop@ietf.org>, paul vixie <paul@redbarn.org>, Michael Sinatra <michael@brokendns.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GE8v2Yz6zsl28clDvlshGh3rYlc>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 22:09:02 -0000

Hello,

There has been much discussion in the IETF lists over the impact of
using DNS-over-HTTPS (DoH) in a network. We would like to clarify the
Google Public DNS position on this topic. The post I am replying to is
particularly relevant since it makes some assumptions about the plans
of the Google Public DNS service.

For future support of a RFC 8484 compliant service, we plan to do the following:
* Serve RFC 8484 compliant DoH from the well known Google Public DNS
anycast IP addresses (e.g. 8.8.8.8) on the standard HTTPS port 443.
* Migrate our existing DoH services to the well known Google Public
DNS anycast IP addresses, including the beta version (at
https://dns.google.com/resolve) and IETF draft version (at
https://dns.google.com/experimental).

The Google Public DNS anycast IP addresses are distinct from the IP
addresses used to host web content for Google properties. This will
allow operators to control access to the Google Public DNS DoH service
on their networks without impeding access to other Google services.

For DoH implementers we want to ensure the same access to our
implementation whether it is a Google product (like the Chrome
browser) or a third-party product. To this end we aim to track IETF
work on standardized ways to detect DoH support by the system-selected
DNS resolver service (like
https://tools.ietf.org/html/draft-ietf-doh-resolver-associated-doh-02
or https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-01).

As a core principle, Google Public DNS aims to provide a DNS resolver
that respects our users’ privacy. Towards that goal, we aim to provide
high quality implementations of various DNS transport mechanisms that
our users can use to reach the service. This includes the traditional
UDP and TCP transports as well as DNS-over-TLS and DNS-over-HTTPS that
provide privacy for the user’s communication with a DNS resolver.

-Puneet Sood
TL/Manager for the Google Public DNS team.

PS: I am attending IETF 104 and will be available for face-to-face discussion.

On Wed, Mar 20, 2019 at 2:40 PM 神明達哉 <jinmei@wide.ad.jp> wrote:
>
> At Wed, 20 Mar 2019 12:38:05 +0100,
> Joe Abley <jabley@hopcount.ca> wrote:
>
> > > Often as an industry we may discuss various solutions that are great for oneself but don’t scale when looking at the big picture.
> >
> > I think what we are seeing is the fundamental tension between privacy and control. You need to give up some privacy in order to make the control possible; you need to give up some control in order to afford privacy.
>
> > Some in this thread want certainty that they are able to exercise control, e.g. for devices in their network.
>
> > Some in this thread want certainty that they can obtain privacy, e.g. for for their device in any network.
>
> [...]
>
> Thank you for the nice, concise summary.  I think it's well-balanced
> observation of where we are.  (I'm so glad I can finally see a
> constructive post after seeing a common pattern of boring IETF
> discussion, where people with different opinions just keep stating
> their views without making any real progress:).
>
> > Seems to me that there's a middle ground within sight here.
> >
> > Standardise this privacy mechanism, and specify (with reasoning) that it should be implemented such that the existence of the channel (but not the content) can be identified as distinct from other traffic by third parties. Maybe specify use of a different port number, as was done with DoT.
>
> I see that those who want to exercise control can live with this (or
> at least using a different set of IP addresses for DoH servers than
> those for other ordinary web services).  But I'm not so sure if that's
> acceptable for the other group..  In that sense I'm curious whether
> some big possible DoH providers are now willing to accept this middle
> ground.  If my memory is correct the longer term plan at Google (and
> maybe also Clouldflare?) is to provide DoH service on the same IP
> addresses as those for other ordinary and popular web services (and on
> port 443, of course), so that an intermediate operator cannot easily
> block access to their DoH services.
>
> > Those who choose to ignore that direction and create a covert channel using port 443 instead will do so. Nothing much we can do to stop that today (I guarantee it is already happening). The future is not really different.
>
> True.  But I think giant providers tend to respect a community
> consensus.  Niche or really malicious players may/will still ignore
> it, but it would be very difficult for them to collocate their DoH
> services with other important web services that can hardly be blocked,
> so it shouldn't be a big problem for "those who want certainty of
> control".  So if we can really agree on the above "middle ground" and
> publish a BCP or something that describes the consensus, I guess we
> can now really work on technical issues.  But I'm not sure if we can
> reach that consensus.
>
> --
> JINMEI, Tatuya
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh