Re: [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients

nalini elkins <> Mon, 11 March 2019 04:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7CF1B130EE6 for <>; Sun, 10 Mar 2019 21:29:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id B7SIWHy8G8Kt for <>; Sun, 10 Mar 2019 21:29:21 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 89634130EC5 for <>; Sun, 10 Mar 2019 21:29:17 -0700 (PDT)
Received: by with SMTP id v16so2757907ljg.13 for <>; Sun, 10 Mar 2019 21:29:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bZ8GHngTmbV/D+Ul0BQx34xVx0Xm24zcy2gPspAMfoQ=; b=fo3obhPTtW7eLhzPE4qOYCV0OTUrrQUdQohUd7cWC5yIXz9g72eDIknpXyI2hGcXXu u0l6221D9ckYvQOzc08SkuB6y4ib58aXUT1Nzey15wIx0qGdFrIMMZQFi0ZiwX1opYTS dcRIp0Ap7kpRgn0O0h8j0tB7COroYZsptn3Q16zOdlZQv/rg8/wSuvF0u16jsHF5biRF wqCBCio6KSupsJz0ykPm5YL6GHm4h5r+P68O92VWwfMq0cmzcSoa6+yeXZDgFe2f9HUE 2CQ9TofCyPWIg3bRizS9jCWSixdS4O4oP+3yQgRCA2BCrBy1Ema8y860a6O2jFWHseEU 76Cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bZ8GHngTmbV/D+Ul0BQx34xVx0Xm24zcy2gPspAMfoQ=; b=Uhegb6RvcuWDEkaeEVdnY4eSj7tFN67rRqsgM4r7LVXHneEZeD62VSvta5gfQAoD68 NIs+YYsdTSwFNAkaFOZRbyqKe7qti/X9faVZK4V2EasuheF8TUpImS76l3tlElF8A+US hpnqWIIs5KbG5ZmfLULW0xjIFZq4MfVjcT5duArhcYKrAycc3gsIUVK07J5CKU+FR69Q UUoxQYdtviBM1Z4vpcdWlUJnIZwC3k/edMDVFbbYjagnRfVQqWcctljkYL/fWtQpycLZ Iax42ShHHWxMHtVNb+Ka+TOeCXwR9QUfPJDUVkfbiVqw2Fzi1PqMQ/Y0hLEMJnABpCqK 4OeQ==
X-Gm-Message-State: APjAAAWDYFm0VGEY/ntb6gIvfvAk2KlSb9oLdEaXtey33O20erdtKeXO lhrhpLPp7Jbd0Qo1n9oZi5FbKqXobq5uTKB6Xtq7Uw==
X-Google-Smtp-Source: APXvYqwj19cYpe++6C+vt6xW4ACzOFCJj8H3QoCLID0bwxXnyB9W9DLKAxWyMu7MoWKIe7KPasNTBXKCf8G3Yrxz+RQ=
X-Received: by 2002:a2e:7a03:: with SMTP id v3mr15426649ljc.22.1552278555537; Sun, 10 Mar 2019 21:29:15 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: nalini elkins <>
Date: Mon, 11 Mar 2019 09:59:11 +0530
Message-ID: <>
To: Christian Huitema <>
Cc:, Vittorio Bertola <>,,, "Ackermann, Michael" <>, Stephen Farrell <>
Content-Type: multipart/alternative; boundary="000000000000e5456b0583ca03c7"
Archived-At: <>
Subject: Re: [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Mar 2019 04:29:23 -0000

BTW, I am reading the draft Tiru et al just posted on DPRIVE about this
issue to see if we have any comments.

> 4) I am using my work laptop on the enterprise network, and
using application-X

This could be an internal application or on the Internet.

Enterprises have connections to:

- Internal LAN / WAN clients

- "Cloud" (much as I dislike the term) applications

- Business partners

- The Internet

Companies also (validly, in my opinion) wish to know if their employees are
going to while they are supposedly doing work and
of course, other sites which people should not be going to during work
time.  If I am paying someone, I expect them to do work that I wish them to

The cloud example gets quite a bit more complex with some architectures
some companies are proposing where there will be a complicated topology on
premises.   Let me check with the enterprise who told me about this & I
will see if I can post the diagram or an explanation of what is planned.
This is a complex problem.

Thank your for your thoughtful consideration of the issues.  Please let me
know if my explanation makes the requirements any clearer.


On Mon, Mar 11, 2019 at 9:44 AM Christian Huitema <>

> On 3/10/2019 8:25 PM, nalini elkins wrote:
> >  > Similarly, putting DNS in user space allows for immediate adoption
> > of DNSSEC and privacy enhancements, even when the operating system or
> > the local network does not support them
> >
> > At enterprises (banks, insurance, etc) on their internal networks,
> > people run their own DNS servers which may resolve for both internal
> > and external sites.
> >
> > We were recently talking to a Fortune 50 company in the United States
> > about what might happen you install a version of the browser which
> > uses DNS-over-HTTPS automatically.  (Clearly, this applies to any
> > variant.)
> >
> > The questions that the Fortune 50 company architect asked were
> > something like this:
> >
> > 1. You mean that DNS could be resolved outside my enterprise?
> >
> > 2. So whoever that is that resolves my DNS sees the pattern and
> > frequency of what sites my company goes to?
> >
> > 3. How do I change this?
> There are a bunch of conflicting requirements here, and it would be good
> to tease out the contradictions. Consider the following cases:
> 1) I am using my phone, and using application-X.
> 2) I am at home, using application-X on my home computer.
> 3) I am using Wi-Fi in a hotel, and using application-X.
> 4) I am using my work laptop on the enterprise network, and using
> application-X
> 5) I am using my work laptop in a hotel, and using application-X
> 6) I am using my work laptop on the network of a customer, and using
> application-X.
> Today, plenty of people claim the right to control how I use the DNS: my
> phone carrier, my ISP at home, the company that got the contract to
> manage the hotel's Wi-Fi, the IT manager for my company's laptop, the IT
> manager for the company that I am visiting. Out of those, there is just
> one scenario for which the claim has some legitimacy: if the company
> pays for my laptop and own the laptop, yes of course it has a legitimate
> claim to control how I am using it. Otherwise, I, the user, get to
> decide. If I like the application's setting better than the network's
> default, then of course I expect those settings to stick.
> -- Christian Huitema

Nalini Elkins
Enterprise Data Center Operators