Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Patrick McManus <mcmanus@ducksong.com> Sun, 24 March 2019 21:05 UTC

Return-Path: <mcmanus@ducksong.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96F43120111 for <dnsop@ietfa.amsl.com>; Sun, 24 Mar 2019 14:05:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=i3FRKsTu; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=XkbbF0OY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpIT1Pc8DLp3 for <dnsop@ietfa.amsl.com>; Sun, 24 Mar 2019 14:05:22 -0700 (PDT)
Received: from outbound1g.eu.mailhop.org (outbound1g.eu.mailhop.org [52.28.6.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4E68120106 for <dnsop@ietf.org>; Sun, 24 Mar 2019 14:05:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553461458; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=FZYU0HxtG+PezVpsvCbftZVdtsX/7KKyXHH3xGQVg96GFSNRnubGZcodLhYbnZq8uZNW8K/bR4UD4 7WNvOAq3SZ96qhNx4AwDFskGeDK+ktgpbof2gD8+zoAVB2b2hKUyoMJFWP2+VV2Mhiv5grzBESt/7/ 2QEOGcTKtLKaGbsTD92YBGGHZk2jxfHlKbkCsQApySn2QYr3vAWbYAJq5XA36uz7zSW5mQCQKhOUCi XW8abFl9Q5QAWapEHxbnHUoLmtTuKim5M23MDMv/azeYtFPAibYiqIjmTivA/TIgDSojEiPT6GzaCA dLII7v6kw0PK4gR7mS46iRxSdPUYfRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=357iTNs36rTGE4FAdb1limkEs0KPXKwV8LOZCXvJWgw=; b=GJkxZG/5c/CsckdelSQ9oM3bPr/dd/Gr4X3/Gky+GfAcPS+7KnSxmwVZMVSi/Sg2cqMix/V7eZrdL XJ8QuknOP+imRGQSn+zbYaB/lBlEo3RtXcz0z3dAFzm1I/xQKaUnxFaJdFDFZioojWaRbPCgC6rQyU 6hPiODfPbmGmRRV6pcrhM6B7mRXVHC3to+MaqHCrTrf8STkFsXh8PWPLN6mk9ITx4OJ5+8PSOXTWXQ a7mHVJ1A4RO5lB4v71trFfEhgFWC4wM0ZcZIeCVYc5L/LyJjzrEfDvmDwX3tgkT6mGPEsePu9ae/c3 0kxNWqFTVv+PAi/eEBKGzCrAetqcXYA==
ARC-Authentication-Results: i=1; outbound3.eu.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.167.173; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=357iTNs36rTGE4FAdb1limkEs0KPXKwV8LOZCXvJWgw=; b=i3FRKsTuF/NZddtbqUDN2jQtSiu6wQZ4pBQr0yy9WEDUzSGJKHrRu0IGcGeCmxbxmuehmSXqX0mRf lshxw4/3kU89obg5DjhI1duQouRpr8dk0eIKQiymE1L2LRlxZuZ8bVqxXEXc/z+MiC7DQ4RGU9Zk8z NMtJ2ATkEi4odXMA=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=357iTNs36rTGE4FAdb1limkEs0KPXKwV8LOZCXvJWgw=; b=XkbbF0OYQJG1sAybniLPoaBzr+O6BA6WhTYKCad3+cQvvcTYP3R/qQw+QckbGz82NqoctW/LevnBP bDLYAw7Eb72GgCUBolgJzmL6YopJDEfjPU6Dn4vJ9XIrNrmDMy2DGV8Qj9VhYU5JE2RuVMk4vYjeFK ZkGPP4PYXhNdcOwSDJxVZCn/1qLvKkgA52Qo876wc6C3HyyVe554EQ+iBeF28FPmDors+FCyC9peeO fj7a0pLPzAJHoNG55zBidPHx3RRh1z6FytXFHQwf1cLLbvAyd5k1zFPDJLGVTMvmp8SNGXUcm5GIU+ 1qoZSZVXYjm0tjdkkQ0fUhQoNBND6gg==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: 62007c33-4e78-11e9-908b-352056dbf2de
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.167.173
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-oi1-f173.google.com (unknown [209.85.167.173]) by outbound3.eu.mailhop.org (Halon) with ESMTPSA id 62007c33-4e78-11e9-908b-352056dbf2de; Sun, 24 Mar 2019 21:04:16 +0000 (UTC)
Received: by mail-oi1-f173.google.com with SMTP id t206so5434814oib.3; Sun, 24 Mar 2019 14:04:16 -0700 (PDT)
X-Gm-Message-State: APjAAAXLve2G2PxPCFoebBhseFZfsyaOh0e+ZsJAzpwcnqj+03IIH71f T1fAOivtC+6SFWjliQwBYSkqHcZ/aQXXJycNJdM=
X-Google-Smtp-Source: APXvYqy8x7aKxA2VK/QNAV4XdhOFRkMKY0Z6SpVgYJ7mle8tt01S7e6tiQ/EiZRsnCzp8L7crtvDsWMNwovQK7OmaPo=
X-Received: by 2002:aca:4142:: with SMTP id o63mr9573899oia.58.1553461455595; Sun, 24 Mar 2019 14:04:15 -0700 (PDT)
MIME-Version: 1.0
References: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net> <1878722055.8877.1553241201213@appsuite.open-xchange.com> <CABcZeBPmpN-cEPK92QQW3bkvc41Cx5g7B_YuUXCJK3j1qF995Q@mail.gmail.com> <20190322.101434.307385973.sthaug@nethelp.no> <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk> <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com>
In-Reply-To: <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Sun, 24 Mar 2019 22:04:04 +0100
X-Gmail-Original-Message-ID: <CAOdDvNoDK0X7uKxTrWuxFWPVvNKz1N58HwkBBQZYz+GNpnjodw@mail.gmail.com>
Message-ID: <CAOdDvNoDK0X7uKxTrWuxFWPVvNKz1N58HwkBBQZYz+GNpnjodw@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>, "sthaug@nethelp.no" <sthaug@nethelp.no>, Eric Rescorla <ekr@rtfm.com>, "dnsop@ietf.org" <dnsop@ietf.org>, "doh@ietf.org" <doh@ietf.org>, "huitema@huitema.net" <huitema@huitema.net>, "vittorio.bertola=40open-xchange.com@dmarc.ietf.org" <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, "wjhns1@hardakers.net" <wjhns1@hardakers.net>
Content-Type: multipart/alternative; boundary="0000000000003baeca0584dd6ed2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IFpdRT_-PxlqR-nm-IAowel04I0>
Subject: Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Mar 2019 21:05:24 -0000

I want to add one thought to the general argument that goes along the lines
of "I need to enforce a policy on my network, and doh will just encourage
more https interception - we have gotten nowhere."

This argument assumes a scenario where the network is trusted by the
application and can require/achieve host or application configuration.
Indeed - deploying trust anchors to these clients is the only way you're
going to intercept https as the notion of network defined configuration of
"trusted proxies" and the like is consistently rejected by clients. That
seems like the right standard for DNS as well - go ahead and configure a
different policy but do it via an existing authenticated configuration
mechanism like you would use for adding a trust root.

However, rather than adding a root I would suggest that if you're doing
client configuration for network-local DNS policy, that you deploy a DoH
server that enforces that policy and point DoH clients at it through the
various enterprise config mechanisms. It doesn't require any kind of access
that adding a trust root does not. This has the desirable property that the
application can reliably know what server is providing DNS service in a
fully authenticated way. Perhaps in a "my way or the highway" scenario it
will choose the highway. That's fair enough - that should be a real
choice.  When you just intercept 8.8.8.8:53 an informed decision cannot be
made.

Use of non-default trust roots is also a property generally visible to
applications. Most allow it as a matter of user configuration.

-Patrick