Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Ted Hardie <ted.ietf@gmail.com> Mon, 11 March 2019 17:03 UTC

References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <FACB852B-4BC4-4234-A728-9068708EFB10@rfc1035.com> <CAHw9_iKc5_i+rC-oOe3RJufFe_Jm3GmTN4UbQ6VLpcqodR8d9g@mail.gmail.com> <8855871d-c059-3938-12a1-62f21c089e1d@redbarn.org>
In-Reply-To: <8855871d-c059-3938-12a1-62f21c089e1d@redbarn.org>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Mon, 11 Mar 2019 10:02:58 -0700
Message-ID: <CA+9kkMAxVzQi6o7FMEW6L5fC4x_VEAa9X7vjyUu==gjuAxTaeA@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Warren Kumari <warren@kumari.net>, Jim Reid <jim@rfc1035.com>, DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RyutRrkFCT3BU8dCRphVucshkPw>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

On Sat, Mar 9, 2019 at 11:03 PM Paul Vixie <paul@redbarn.org> wrote:

>
>
> Warren Kumari wrote on 2019-03-09 22:48:
> > [ + DNSOP]
> >
> > ...
> >
> > I think it would be very valuable to not conflate DNS-over-HTTPS (the
> > protocol) with the "applications might choose to use their own
> > resolvers" concerns.
>
> i disagree. as an example:
>
> >    Two primary use cases were considered during this protocol's
> >    development.  These use cases are preventing on-path devices from
> >    interfering with DNS operations, ...
>
> (from the Introduction of RFC 8484.)
>
> no other off-network RDNS is reachable by malware which somehow gets
> into my network,
I interpret this to mean that you have blocked DNS over TLS's well-known
port (853), so that Quad 9 and other services offering it are not
accessible.  Is that correct, or do you mean something more extensive?

As several other folks have pointed out, roll-your-own resolution is in
some pretty widely used applications, but I'm not aware of any
comprehensive list or any way to block that short of removing the
applications once found.  Is there a technique here I'm not aware of?

Ted
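Added example, not part of this thread: a small classifier over constructed flow records that illustrates the distinction the exchange above turns on. Egress to a DNS-over-TLS resolver on TCP/853 can be picked out (and blocked) by port, while resolution an application performs itself over HTTPS on 443 is indistinguishable from ordinary web traffic by port alone. The flow-log format, the sanctioned internal resolver address 10.0.0.53 and the sample addresses (documentation ranges) are assumptions.

```python
"""Classify outbound flow records for off-network DNS resolution.

Constructed example: the flow lines below are synthetic, not from any real network.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the operator's sanctioned internal resolver lives at this address.
INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.53")

# Constructed flow-log format: "<src_ip> <dst_ip> <proto> <dst_port> <bytes>"
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)\s+(\d+)$")


def classify_flow(line: str) -> str:
    """Return a label for one flow record.

    'dot-egress'     : TCP/853 to any host; DoT is identifiable and blockable by port.
    'dns-bypass'     : port 53 to anything other than the sanctioned resolver.
    'sanctioned-dns' : port 53 to the internal resolver.
    'https'          : TCP/443; DoH rides here and cannot be told from web traffic by port.
    'other'          : everything else.
    """
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    _src, dst, proto, port, _nbytes = m.groups()
    dst_ip = ipaddress.ip_address(dst)
    port = int(port)
    if port == 853 and proto == "tcp":
        return "dot-egress"
    if port == 53:
        return "sanctioned-dns" if dst_ip == INTERNAL_RESOLVER else "dns-bypass"
    if port == 443 and proto == "tcp":
        return "https"
    return "other"


def summarize(lines):
    """Count labels across a batch of flow records, skipping blank lines."""
    return Counter(classify_flow(rec) for rec in lines if rec.strip())


# Constructed sample: one DoT egress, one port-53 bypass, two sanctioned lookups, one HTTPS flow.
SAMPLE_FLOWS = """\
10.0.1.20 10.0.0.53 udp 53 120
10.0.1.20 203.0.113.9 tcp 853 2310
10.0.1.21 203.0.113.8 udp 53 96
10.0.1.21 198.51.100.7 tcp 443 15432
10.0.1.22 10.0.0.53 tcp 53 540
"""

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_FLOWS.splitlines()).items()):
        print(f"{label:15s} {n}")
```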