Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Matthew Pounsett <matt@conundrum.com> Wed, 20 March 2019 20:33 UTC

Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF07313122F for <dnsop@ietfa.amsl.com>; Wed, 20 Mar 2019 13:33:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pROCAB9iTSP5 for <dnsop@ietfa.amsl.com>; Wed, 20 Mar 2019 13:33:30 -0700 (PDT)
Received: from mail-it1-x12f.google.com (mail-it1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3549C1311AA for <dnsop@ietf.org>; Wed, 20 Mar 2019 13:33:29 -0700 (PDT)
Received: by mail-it1-x12f.google.com with SMTP id w15so996300itc.0 for <dnsop@ietf.org>; Wed, 20 Mar 2019 13:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4vIfuXb8+/6apmytLwQgu3S5Vxd5Sh7NRO1JWyioBfk=; b=rpHJ3HdIAOkhJl8jGXm2fGxhptR+Lc41iolDPjgbRX7+BePqIZqfsje8VWUqYrm+eh l3wTNL5s0XsR2txf9GvT6/yeLRXriGlXO62K0O2EAEyiDGHMmrfqLRCmyjs5SoatA0Ml 4+5rg+MqztY+XYoPFjUJ9J5RrlSQaiYfxaXsumJjdolGmYoXPMFP71IX5cV2SvPSePVn mYO0kdTODRDGagNHymTZS/lW+mWJ81egrV+tsIEYMHwNPSus1HW8TB1wbfMWsrORoJvD F5L3KTzjV4NDD5TXOvoNBTPiH+C5ePrShgzG4YklbHhgx1lOfXxzIQKDsaR5vF20VTLY 7msg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4vIfuXb8+/6apmytLwQgu3S5Vxd5Sh7NRO1JWyioBfk=; b=Db2mnzrBA0CBZmcj/7jb/OSbFHqy/e5DlEmVACiH+VQ6dSwq5QInrjW3oOFo1jbpCK trVzl9HcB8k8QFTUlUR35l4AVHMThENkuNkTJPoJIu/AcY4jtKFUSd+oo2vzOocM4ery 8wwK3QyvmFgda6uNdudHS2rs6cHBtCC/I+IvB1x4QpRXFct9g/z6uDrzSiz9Uty8I+46 igDmE5/8fe8oLpmUrBo5wohul6t5hm0HYO43BIrqv+jrJsCIDjTR5maFTvcLDQPvZIEE /srQcKqtTUYPbAt4/hqqVo1fREtZCCVPIxJ5WqWCL9kVv/jlPn/NgHLvnyV+aMUvmOQu 6hlQ==
X-Gm-Message-State: APjAAAVs4yeJC2Ej2e5LXdB7ck5y73xZf0xXlYDFxKPn+AGQCH/v7YrD zR8BObDFRBeD2dc2lYnPrYn/612lvyKphSDFPRVYLQ==
X-Google-Smtp-Source: APXvYqzgtEsAze//lP7/YTKlxWymX30DNh1m9cDEAjSuxqJm3P6szNGbcgFQ7kIksSi8OgsIOTxZIAs+jslc8XAnM7w=
X-Received: by 2002:a24:ba1a:: with SMTP id p26mr203317itf.150.1553114008201; Wed, 20 Mar 2019 13:33:28 -0700 (PDT)
MIME-Version: 1.0
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <3457266.o2ixm6i3xM@linux-9daj> <CA+9kkMDkKQtBDrXx9h8331_6zDtcChUTfqFe0W3JByxyB=4xLw@mail.gmail.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <a38cf205-b10e-e8e2-62cf-8e0377dfc1ef@brokendns.net> <4599B066-BA82-4EA8-92C1-F1BE1464A790@puck.nether.net> <b8c58757-3945-ea19-b018-8e59292abf30@cs.tcd.ie> <CAH1iCirBm0NKA2-zw--ZKd3gN1ZCmwZ7_ZOSyaTk+2SMmrtxKg@mail.gmail.com> <EA89EA1A-A1EA-4887-9294-4F68AB5C3211@puck.nether.net> <91A0BBD0-CB73-498E-B4E0-57C7E5ABE0B4@hopcount.ca>
In-Reply-To: <91A0BBD0-CB73-498E-B4E0-57C7E5ABE0B4@hopcount.ca>
From: Matthew Pounsett <matt@conundrum.com>
Date: Wed, 20 Mar 2019 16:33:17 -0400
Message-ID: <CAAiTEH8m=Yao-7HQ=vZCWhT2J=oFypv-r=V_6fn+=7bXoBxtQA@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Jared Mauch <jared@puck.nether.net>, Ted Hardie <ted.ietf@gmail.com>, DoH WG <doh@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>, dnsop <dnsop@ietf.org>, paul vixie <paul@redbarn.org>, Michael Sinatra <michael@brokendns.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="000000000000c16a3805848c8898"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MFG6mpC54HW2t7nlfrvJdkZdCrI>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 20:33:37 -0000

On Wed, 20 Mar 2019 at 07:38, Joe Abley <jabley@hopcount.ca> wrote:

> [There is actually a proposal at the bottom of this e-mail. Bear with me.]
>

And it's a good proposal!


>
> Standardise this privacy mechanism, and specify (with reasoning) that it
> should be implemented such that the existence of the channel (but not the
> content) can be identified as distinct from other traffic by third parties.
> Maybe specify use of a different port number, as was done with DoT.
>

I think this would alleviate most people's concerns... certainly it deals
wth mine.  I have difficulty believing it is acceptable to pro-DoH
community though, considering the first of the two use-cases defined in the
Introduction of RFC8484: "... preventing on-path devices from interfering
with DNS operations..."

I eagerly welcome the -bis document that removes this statement, and
defines a new port number which DoH traffic SHOULD use.

Those who choose to ignore that direction and create a covert channel using
> port 443 instead will do so. Nothing much we can do to stop that today (I
> guarantee it is already happening). The future is not really different.
>

Indeed.  If everyone above-board is using port 5443 (to pull a number out
of the air) for their DoH traffic, the below-board usage should be about as
visible as any such usage is today.

Of course when people shift the focus of the conversation from DoH in
> general to resolverless DNS, and want to interleave DNS messages with HTML
> and cat GIFs over the same HTTPS bundles, the pitchforks will need to come
> out again. So keep them handy.
>

I don't actually own a pitchfork, but I'll keep my Woodsman's Pal sharp. :)

>
>