Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 25 March 2019 05:35 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E77AB12034E; Sun, 24 Mar 2019 22:35:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b7cuvrgnDgQE; Sun, 24 Mar 2019 22:35:23 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBD93120350; Sun, 24 Mar 2019 22:35:22 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id t124so7553868wma.4; Sun, 24 Mar 2019 22:35:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=BUPIEXg+5nhj+QIMj9BzVZeVkYeefumojbWAvs03ru8=; b=ZTrk+rnbjwU+n7Un+7+CfaF+kwaFuy/T/jrgEuiVKH6bg/vsZmwxfu75zE89atKh9c 7DYA8ehgwva4Nzkn/qlsHi5ljDjDy87uXrIi6WNfu2InX4mH164Bsci1kaJSdPLk0j4D ifD7waH7f4IN2taKzhN/K6KIF8FBFlwA3TW24PXzk4O3MYddIS8B/daxvgeNpVzSGP+S Q8hx25ACR8NOySSa/57zPE4TJK6UI33OdMn5ptUM4MbTJTjLRBhXvW+Zky9L5zEdjBpz giC9EJHiezjxoY4vgoeeD8lm6LGwkAZTEDkPYsjpIAraPkBw7F7DxKZXg6ajvkGXLYxK zGCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=BUPIEXg+5nhj+QIMj9BzVZeVkYeefumojbWAvs03ru8=; b=ssP08ysfa1QjVmwDX6OC8iowvAbZ+fLbf8WI9VSn2BSiHT6oZL34wQ7Ac+ZJG0SZR5 4iD6zYC+LSQZGlZOVesW04XgvQQzbdEYtBDq3f5YU6EoaTDls9WOGwKrEoQkkskyUub9 0MuxQGlAbXKS/3D3URlSu58+Ua0UsZD4qMZ/OtvCp5gQ16Wb5rOjY8uxU1q+UxctvdHg F2WwvmisIjatELYhY6nGeiBgdOeWbKFq21u+nO666yW6v/ADlR1+ZdCgpCY5/pmYx//A n+HvmFU+QtKXhnBvSmqxRlB8TPPdgJLCjkwp46AGXP/2NEsPe2is4Xe1NOHd+TmkLK5Z 4tvA==
X-Gm-Message-State: APjAAAWvnLPC6IEz7EhLnzMOmTDfke8k8jC3ZzlUt633+ZvOIAGl8h9a KF6mPECsTrZlDrUsuUu42SpNmpbDU/k26Q==
X-Google-Smtp-Source: APXvYqxIQLrGtf1rHG30MkgvSuTf9vtM5UT0QmRuC4qkZLoLqwi5HBW53UFM1I4BVh2TbLEz7SHf7w==
X-Received: by 2002:a1c:f011:: with SMTP id a17mr3992745wmb.89.1553492121133; Sun, 24 Mar 2019 22:35:21 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:9903:4fff:804d:3681? ([2001:67c:1232:144:9903:4fff:804d:3681]) by smtp.gmail.com with ESMTPSA id h7sm17655636wmb.41.2019.03.24.22.35.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 24 Mar 2019 22:35:20 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-DB37894E-25C2-44A5-A851-862DA1FFC661"
Mime-Version: 1.0 (1.0)
From: Brian Dickson <brian.peter.dickson@gmail.com>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <CAOdDvNrQiM2bpi65tCvwjanQTM1KtcZjRL0aOwS2oAryTR-YEA@mail.gmail.com>
Date: Mon, 25 Mar 2019 06:35:19 +0100
Cc: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>, "doh@ietf.org" <doh@ietf.org>, "wjhns1@hardakers.net" <wjhns1@hardakers.net>, "dnsop@ietf.org" <dnsop@ietf.org>, "huitema@huitema.net" <huitema@huitema.net>, "vittorio.bertola=40open-xchange.com@dmarc.ietf.org" <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <E7E54A3B-4C85-4B64-BEFD-51891534DC9D@gmail.com>
References: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net> <1878722055.8877.1553241201213@appsuite.open-xchange.com> <CABcZeBPmpN-cEPK92QQW3bkvc41Cx5g7B_YuUXCJK3j1qF995Q@mail.gmail.com> <20190322.101434.307385973.sthaug@nethelp.no> <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk> <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com> <1C720263-10E4-423B-B152-5673E115A4C1@gmail.com> <CAOdDvNrQiM2bpi65tCvwjanQTM1KtcZjRL0aOwS2oAryTR-YEA@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JacQRu6bzHfc4WBPJcrReZn1nU0>
Subject: Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 05:35:26 -0000


Sent from my iPhone

> On Mar 24, 2019, at 10:42 PM, Patrick McManus <mcmanus@ducksong.com> wrote:
> 
> 
>> On Sun, Mar 24, 2019 at 10:31 PM Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>> 
>> This is important for network operators in identifying encrypted DNS traffic,
> 
> not all clients acknowledge a network's right to do such things at all times. And of course it would be useful to tell the difference between policy and a RST injection attack.
> 
> If the client does acknowledge the network has the right to set policy - then the policy can be set on the client using existing configuration mechanisms that allow the client to differentiate between authorized configuration and perhaps less-authorized folks identifying their DNS traffic. This is well worn ground in the HTTP space.

What I find interesting, is that as far as I can tell, everything you wrote applies equally to DoH and DoT, if the transport is the only difference. E.g. Same client browser, same DNS service, accessed via DoH or DoT.

Are you suggesting (or claiming) otherwise, and if so, please elaborate?

Brian