Re: [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients
nalini elkins <nalini.elkins@e-dco.com> Mon, 11 March 2019 04:29 UTC
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net>
In-Reply-To: <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net>
From: nalini elkins <nalini.elkins@e-dco.com>
Date: Mon, 11 Mar 2019 09:59:11 +0530
Message-ID: <CAPsNn2VGu-_jUxeKhfd2Yc1bdM=UxaKaO_gdNSV8GX99K1zcyA@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: doh@ietf.org, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, dnsop@ietf.org, dns-privacy@ietf.org, "Ackermann, Michael" <mackermann@bcbsm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QjlMB1nz58FHspM3DZyKgGIyOjI>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
BTW, I am reading the draft Tiru et al. just posted on DPRIVE about this issue to see if we have any comments.

> 4) I am using my work laptop on the enterprise network, and using
> application-X

This could be an internal application or on the Internet. Enterprises have connections to:

- Internal LAN / WAN clients
- "Cloud" (much as I dislike the term) applications
- Business partners
- The Internet

Companies also (validly, in my opinion) wish to know if their employees are going to fantasyfootballgame.com while they are supposedly doing work and, of course, other sites which people should not be going to during work time. If I am paying someone, I expect them to do work that I wish them to do.

The cloud example gets quite a bit more complex with some architectures some companies are proposing where there will be a complicated topology on premises. Let me check with the enterprise who told me about this & I will see if I can post the diagram or an explanation of what is planned.

This is a complex problem. Thank you for your thoughtful consideration of the issues. Please let me know if my explanation makes the requirements any clearer.

Nalini

On Mon, Mar 11, 2019 at 9:44 AM Christian Huitema <huitema@huitema.net> wrote:

>
> On 3/10/2019 8:25 PM, nalini elkins wrote:
>
> > Similarly, putting DNS in user space allows for immediate adoption
> > of DNSSEC and privacy enhancements, even when the operating system or
> > the local network does not support them
> >
> > At enterprises (banks, insurance, etc.) on their internal networks,
> > people run their own DNS servers which may resolve for both internal
> > and external sites.
> >
> > We were recently talking to a Fortune 50 company in the United States
> > about what might happen if you install a version of the browser which
> > uses DNS-over-HTTPS automatically. (Clearly, this applies to any
> > variant.)
> >
> > The questions that the Fortune 50 company architect asked were
> > something like this:
> >
> > 1. You mean that DNS could be resolved outside my enterprise?
> >
> > 2. So whoever that is that resolves my DNS sees the pattern and
> > frequency of what sites my company goes to?
> >
> > 3. How do I change this?
>
> There are a bunch of conflicting requirements here, and it would be good
> to tease out the contradictions. Consider the following cases:
>
> 1) I am using my phone, and using application-X.
>
> 2) I am at home, using application-X on my home computer.
>
> 3) I am using Wi-Fi in a hotel, and using application-X.
>
> 4) I am using my work laptop on the enterprise network, and using
> application-X
>
> 5) I am using my work laptop in a hotel, and using application-X
>
> 6) I am using my work laptop on the network of a customer, and using
> application-X.
>
> Today, plenty of people claim the right to control how I use the DNS: my
> phone carrier, my ISP at home, the company that got the contract to
> manage the hotel's Wi-Fi, the IT manager for my company's laptop, the IT
> manager for the company that I am visiting. Out of those, there is just
> one scenario for which the claim has some legitimacy: if the company
> pays for my laptop and owns the laptop, yes of course it has a legitimate
> claim to control how I am using it. Otherwise, I, the user, get to
> decide. If I like the application's setting better than the network's
> default, then of course I expect those settings to stick.
>
> -- Christian Huitema
>
>

--
Thanks,
Nalini Elkins
President
Enterprise Data Center Operators
www.e-dco.com