Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 25 March 2019 09:01 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5AE512037E; Mon, 25 Mar 2019 02:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tGMB3e37ECq; Mon, 25 Mar 2019 02:01:44 -0700 (PDT)
Received: from mail-qt1-x842.google.com (mail-qt1-x842.google.com [IPv6:2607:f8b0:4864:20::842]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29BEB12037A; Mon, 25 Mar 2019 02:01:44 -0700 (PDT)
Received: by mail-qt1-x842.google.com with SMTP id z16so9365439qtn.4; Mon, 25 Mar 2019 02:01:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kQyYc58rtKJj0MSMFujeBlb9FM7G3kiQGcQ34tV/ooI=; b=RdYxc5k3ora5j9a/D2KxKvNrEtG4hVo2lbFY0a/y7wlhutptcZx6Y+Z5QOU+YTOTwR D/rBsqIejQxEkmgo7cYQ4ZRmi6QiJNcn+PAqh+fM3tRdJiO8pduSO/Qi+yEMXaiNwY/A N4J68HcSWlnFZpGAB1j+DqWxuha0OgMFPBWCohK4riI5xAxlnHDE1zsI2946oVTZGdP9 Qqp7DPdlFD4uLH2KmN55KjSPxMDrZ52Bf7ZHJXeh3qFjzJt5BTovN77cv540E3smQmg7 6OncDXI5gxl69Q2+Gi6fIjfoslFv6vyx2ahVbW6ShmdrEMm0ljMhRM0PEl6kwImNbqQT 2J5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kQyYc58rtKJj0MSMFujeBlb9FM7G3kiQGcQ34tV/ooI=; b=EwNW48iburjZ1q27ebn8nEV0UqR2PGDz6FtDGqlJPuKw3yGeR8x2U/9kWhwnSnD9/Q Jvek6Qf1jSZZ3h11EZlBg0e/CNPYqFwVqwHKnhWKtpWH5JcH4MB9C5239ZueFCsE0Lno 1WlMYCAl6F3YLzSVwcfCS72j1yLxI646g/bi9PFUDWibNrypIAz5JRoaTtQwVYnqvFGp fp1nytymU17rxsaEuJHUY0PesrxvyXAIidegRE3h51F9k6z7LhR4MxIF/Wi9wWKRnLcU iR7ENTYeP/exMBgiLsms4mRWW6tq/Avsxb/M56uDOWy9+CwzpR5anwv+t8ggac4fAuA+ lmeQ==
X-Gm-Message-State: APjAAAVX0SO6KVVt4EXdZ3vlh2k4WcfVeXHmMaRqrHcxMs1OPYqZzMt+ Ad9rckP3qVJqdRWB9YhAwfB++Q1rFORtwaviyek=
X-Google-Smtp-Source: APXvYqyGN5v32lep66ovfIYgsHDEvq4IbV9gHMIiZzdP5B2ucuMtM/RNipKD/LthezHrtVElTHiYgjFyJZiS7ffTVbw=
X-Received: by 2002:ac8:1707:: with SMTP id w7mr18927312qtj.324.1553504503281; Mon, 25 Mar 2019 02:01:43 -0700 (PDT)
MIME-Version: 1.0
References: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net> <1878722055.8877.1553241201213@appsuite.open-xchange.com> <CABcZeBPmpN-cEPK92QQW3bkvc41Cx5g7B_YuUXCJK3j1qF995Q@mail.gmail.com> <20190322.101434.307385973.sthaug@nethelp.no> <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk> <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com> <1C720263-10E4-423B-B152-5673E115A4C1@gmail.com> <CAOdDvNrQiM2bpi65tCvwjanQTM1KtcZjRL0aOwS2oAryTR-YEA@mail.gmail.com> <E7E54A3B-4C85-4B64-BEFD-51891534DC9D@gmail.com> <CAOdDvNqKja9SRWa7FpjnGR3XZbVwZbitoU0yuWc+oXw3xXFEQA@mail.gmail.com> <CAH1iCiq-XaeTN_O7rDkKQy6OQaqqyMb=dFoQ-gAEjTMOsVbcBQ@mail.gmail.com> <CACQYfi+Z5afYmenU20wDnsZbV2r-LX7K07+y=CBDzHvjU9hSVg@mail.gmail.com>
In-Reply-To: <CACQYfi+Z5afYmenU20wDnsZbV2r-LX7K07+y=CBDzHvjU9hSVg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 25 Mar 2019 10:01:26 +0100
Message-ID: <CAH1iCiotvQ6ONxgyrYbqPqeVLWRK=KWhVxPruCDx3UJ0opb6HQ@mail.gmail.com>
To: Valentin Gosu <valentin.gosu@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, Eric Rescorla <ekr@rtfm.com>, "doh@ietf.org" <doh@ietf.org>, "wjhns1@hardakers.net" <wjhns1@hardakers.net>, "dnsop@ietf.org" <dnsop@ietf.org>, "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>, "huitema@huitema.net" <huitema@huitema.net>, "vittorio.bertola=40open-xchange.com@dmarc.ietf.org" <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000133def0584e774bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hKWz7mgUuKF2p4pMiEtL2VVw504>
Subject: Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 09:01:47 -0000

On Mon, Mar 25, 2019 at 9:52 AM Valentin Gosu <valentin.gosu@gmail.com>
wrote:

> On Mon, 25 Mar 2019 at 09:15, Brian Dickson <brian.peter.dickson@gmail.com>
> wrote:
>
>>
>>
>> On Mon, Mar 25, 2019 at 8:52 AM Patrick McManus <mcmanus@ducksong.com>
>> wrote:
>>
>>> I'm not pushing against DoT per se in this thread, I am pushing against
>>> the notion that a client has an obligation to the network to provide a
>>> clear channel for traffic analysis and downgrade triggers.
>>>
>>> fwiw - there are lots of reasons an http client is going to be
>>> interested in an http substrate beyond just traffic analysis defense. It
>>> has the potential for better overall application responsiveness - by
>>> sharing connections and handshakes with other http data. I don't think that
>>> particular discussion is important to this thread.
>>>
>>
>>
>> The DoH operators who have made public statements (google and cloudflare
>> are two I am aware of), have specifically indicated that NO OTHER HTTPS
>> TRAFFIC will be shared on the IPv{46} addresses serving Do{HT}.
>>
>> So, the handshakes and sharing argument is specious at best, and bogus at
>> worst.
>>
>
> That may be true for Google and Cloudflare right now. But if I will be
> running my own DoH server it would probably be on AWS or compute engine
> along with any other website I'm currently running, so the connection
> sharing WILL happen.
>

Okay, that's a useful anecdote/datapoint.

Have you considered whether you will need to operate DoT as well, in case
DoH is blocked from some networks that do not also block DoT?

I.e., fall back from DoH to DoT rather than falling all the way back to Do53?

Brian
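
The fallback question raised above (try DoT when DoH is blocked, before any drop to plaintext Do53), as an added example that is not part of this message, the thread, or draft-reid-doh-operator: a Python sketch of a client's transport-selection policy. The transports are simulated with a constructed `make_network()` helper so the code runs offline; `Transport`, `resolve()`, `FALLBACK_ORDER`, the `allow_plaintext` switch and the TEST-NET-1 answer address are all assumptions of this example, not behaviour of any real resolver or browser.

```python
"""Client-side transport fallback: DoH -> DoT -> (optionally) Do53.

Added example, not code from the mailing-list thread. Real transports would be
HTTPS (RFC 8484), TLS on port 853 (RFC 7858) and plain UDP/TCP port 53; here
they are simulated so the policy can be exercised without a network.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Transport(Enum):
    DOH = "DoH"
    DOT = "DoT"
    DO53 = "Do53"  # plaintext: any fall-through to it is a downgrade


class Blocked(Exception):
    """Raised by a transport when the network blocks it (reset, timeout, ...)."""


# Most to least preferred. The security-relevant decision is whether the list
# may ever reach Do53; the allow_plaintext flag below controls that.
FALLBACK_ORDER = [Transport.DOH, Transport.DOT, Transport.DO53]


@dataclass
class ResolveResult:
    answer: Optional[str]
    transport: Optional[Transport]
    # One (transport, outcome) entry per step, useful for logging/telemetry so
    # an operator can see downgrade pressure on a given network.
    attempts: List[Tuple[Transport, str]] = field(default_factory=list)


def resolve(name: str,
            transports: Dict[Transport, Callable[[str], str]],
            allow_plaintext: bool = False) -> ResolveResult:
    """Walk FALLBACK_ORDER; stop at the first transport that answers.

    With allow_plaintext=False (strict mode) the client fails closed rather
    than silently leaking queries over Do53 when both encrypted paths fail.
    """
    result = ResolveResult(answer=None, transport=None)
    for t in FALLBACK_ORDER:
        if t is Transport.DO53 and not allow_plaintext:
            result.attempts.append((t, "skipped: plaintext fallback disabled"))
            continue
        try:
            answer = transports[t](name)
        except Blocked as exc:
            result.attempts.append((t, f"blocked: {exc}"))
            continue
        result.attempts.append((t, "ok"))
        result.answer = answer
        result.transport = t
        break
    return result


# Constructed sample answer (TEST-NET-1, RFC 5737); not a real resolver reply.
CONSTRUCTED_ANSWER = "192.0.2.1"


def make_network(blocked: Set[Transport]) -> Dict[Transport, Callable[[str], str]]:
    """Simulate a network that blocks the given transports (constructed)."""
    def via(t: Transport) -> Callable[[str], str]:
        def send(name: str) -> str:
            if t in blocked:
                raise Blocked(f"{t.value} to resolver unreachable")
            return CONSTRUCTED_ANSWER
        return send
    return {t: via(t) for t in Transport}


if __name__ == "__main__":
    # Network that blocks DoH but not DoT: the client lands on DoT, not Do53.
    r = resolve("example.com", make_network({Transport.DOH}))
    for step in r.attempts:
        print(step)
    print("answered via", r.transport)
```

In strict mode a network that blocks both DoH and DoT leaves `answer` as `None` and the attempt log shows why; only an explicit `allow_plaintext=True` lets the client reach Do53, which makes the downgrade a deliberate, auditable choice rather than an implicit one.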