Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)

Wes Hardaker <wjhns1@hardakers.net> Sat, 23 March 2019 04:04 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org>
Cc: dnsop@ietf.org
References: <CADWWn7UZj3oAfqpcpnAenGDpZHatrvQ=97OxAWX8c3881oevhA@mail.gmail.com>
Date: Fri, 22 Mar 2019 21:03:56 -0700
In-Reply-To: <CADWWn7UZj3oAfqpcpnAenGDpZHatrvQ=97OxAWX8c3881oevhA@mail.gmail.com> (Kenji Baheux's message of "Wed, 13 Mar 2019 11:33:14 +0900")
Message-ID: <ybl5zsaxmmr.fsf@wu.hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KGPiZpW79JrXivpYEhTRm-5-mYQ>
Subject: Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)

Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org> writes:

>   * We are considering a first milestone where Chrome would do an automatic
>     upgrade to DoH when a user’s existing resolver is capable of it.

Sorry for the delayed question, but with respect to this bullet:

1) Do you have evidence that DOH is faster than DOT, since speed was one
of your goals?

2) What other reasons are you considering when doing DOH instead of DOT
to protect privacy?  Specifically, you're preferring DOH but your stated
goals are "Stronger privacy and security." and "Hopefully, some
performance wins.", without providing a rationale for each of the potential
solutions.  DNS plain clearly doesn't meet the first, but likely does
the second.  But you fail to provide a goal that distinguishes why you'd
prefer DOT vs DOH to meet both these goals.

-- 
Wes Hardaker
USC/ISI