Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Patrick McManus <> Mon, 25 March 2019 09:31 UTC

From: Patrick McManus <>
Date: Mon, 25 Mar 2019 10:31:17 +0100
To: Brian Dickson <>
Cc: Patrick McManus <>, "Winfield, Alister" <>, Eric Rescorla <>, "" <>, "" <>, "" <>, "" <>, "" <>

On Mon, Mar 25, 2019 at 9:37 AM Brian Dickson <> wrote:

> Other than blocking all-but-a-few (or all, or a few) DoT servers, I do
> not believe anyone has proposed explicit downgrade triggers.

That's the downgrade I am referring to.

> Or do you mean, when a DoT connection is blocked by e.g. a firewall (or
> other network enforcement device), that an RST is generated? I believe the
> RST requires sequence number validation before it can be processed by the
> TCP stack, which means the entity doing the RST generally needs to be in
> the data path. Other than "lucky guess" or "high volume attempts", I don't
> believe RST to be a serious threat.

Path manipulation attacks are real: ARP attacks, BOOTP attacks, rogue
access points, Stingray, all kinds of things. Unauthenticated network
packets are just that: unauthenticated. RST (or blackhole) is a good
indication that a path isn't going to work; it's not a good indication of
who is expressing that policy (or whether it is a policy at all).

Anyhow, I'm really not trying to amp up this thread. I just felt that
there were a few relevant points to the discussion that had not been
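As an added example (not part of the thread, and not code from any of the participants), the Python script below simulates what a DoT client actually observes when its port 853 connection is blocked in the three ways discussed above: a TCP RST, a blackhole (connection accepted but never answered), and nothing listening at all. It then applies a stub-resolver policy that refuses to treat any of those as an authoritative downgrade signal. Everything runs on loopback; the "ClientHello" is a constructed placeholder byte string and no TLS handshake is performed; the profile names follow RFC 8310 (Strict and Opportunistic privacy); the function names and the outcome labels are my own.

```python
"""Added example: what a DoT client sees when its port is blocked, and why
that signal alone must not decide the downgrade.

Three local scenarios are simulated on 127.0.0.1 (no real DoT server, no TLS):
  rst       - the peer aborts with a TCP RST (SO_LINGER with a zero timeout)
  blackhole - the peer accepts but never answers, so the client times out
  refused   - nothing is listening on the port
From the client's point of view all three say only "this path does not work".
None of them is authenticated, so none of them says WHO decided that.
"""
import socket
import struct
import threading

LOOPBACK = "127.0.0.1"
PROBE_TIMEOUT = 0.5  # seconds; short so the demo finishes quickly
FAKE_CLIENT_HELLO = b"\x16\x03\x01\x00\x00"  # constructed stand-in, not a real TLS record


def _serve_once(behavior, port_box, ready, release):
    """Accept one connection and misbehave according to `behavior`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    if behavior == "rst":
        # l_onoff=1, l_linger=0: close() aborts the connection with a RST instead of a FIN
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    elif behavior == "blackhole":
        release.wait()  # hold the connection open, say nothing, until the client gave up
    conn.close()
    srv.close()


def probe_dot(port, timeout=PROBE_TIMEOUT):
    """Connect to the (loopback stand-in for the) DoT port and classify the failure."""
    try:
        sock = socket.create_connection((LOOPBACK, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "blackhole"  # SYN dropped somewhere on the path
    with sock:
        try:
            sock.sendall(FAKE_CLIENT_HELLO)
            data = sock.recv(1)
        except (ConnectionResetError, BrokenPipeError):
            return "rst"
        except socket.timeout:
            return "blackhole"
        return "answered" if data else "closed"


def run_scenario(behavior):
    """Start the misbehaving peer for `behavior` and return what the client observed."""
    if behavior == "refused":
        tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tmp.bind((LOOPBACK, 0))
        port = tmp.getsockname()[1]
        tmp.close()  # nothing listens there any more
        return probe_dot(port)
    port_box, ready, release = [], threading.Event(), threading.Event()
    t = threading.Thread(target=_serve_once, args=(behavior, port_box, ready, release), daemon=True)
    t.start()
    ready.wait()
    outcome = probe_dot(port_box[0])
    release.set()
    t.join(timeout=2)
    return outcome


PATH_FAILURES = {"rst", "blackhole", "refused", "closed"}


def next_resolver(profile, outcome):
    """Decide what the stub resolver does after a DoT attempt ended in `outcome`.

    strict (RFC 8310 Strict Privacy): an unverifiable path failure is a hard
    failure. Silently switching to cleartext Do53 here would let anyone who can
    inject a RST or drop packets (ARP/DHCP spoofing, a rogue AP, any on-path
    box) choose the downgrade for the user.
    opportunistic (RFC 8310 Opportunistic Privacy): fall back to Do53, but note
    that this is a policy choice made by the client, not a fact learned from
    the network; the RST carried no information about who sent it.
    """
    if outcome == "answered":
        return "dot"
    if outcome not in PATH_FAILURES:
        raise ValueError(f"unknown outcome {outcome!r}")
    if profile == "strict":
        return "fail"
    if profile == "opportunistic":
        return "do53"
    raise ValueError(f"unknown profile {profile!r}")


if __name__ == "__main__":
    for behavior in ("rst", "blackhole", "refused"):
        seen = run_scenario(behavior)
        print(f"{behavior:9s} -> client saw {seen!r}; strict={next_resolver('strict', seen)}"
              f" opportunistic={next_resolver('opportunistic', seen)}")
```

Running it prints one line per scenario; the point to notice is that the strict column is "fail" for every row, because the client has no way to distinguish a network operator's blocking policy from an attacker's injected RST, so the profile, not the packet, has to own the decision.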