Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Wes Hardaker <wjhns1@hardakers.net> Thu, 21 March 2019 23:21 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Cc: Joe Abley <jabley@hopcount.ca>, dnsop <dnsop@ietf.org>, DoH WG <doh@ietf.org>
Date: Thu, 21 Mar 2019 16:21:31 -0700
In-Reply-To: <2145465817.5147.1553119548565@appsuite.open-xchange.com> (Vittorio Bertola's message of "Wed, 20 Mar 2019 23:05:48 +0100 (CET)")
Message-ID: <yblh8bv95l0.fsf@w7.hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/je9OQmbL-pjQVSfNBP3zAk_gQ3g>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org> writes:

> This is actually the recommendation in section 4.6 of my draft :-) And
> I agree, it looks like the only possible and reasonable compromise
> between the two viewpoints.

Another way of stating the preference ordering:

If DNS privacy is a goal, systems and applications SHOULD use DNS over
TLS to encrypt traffic to their local resolver if possible (unless the
system and application distrusts the local resolver infrastructure).
Failing that, they MAY next use a DNS over TLS connection to a remote,
potentially public, DNS resolver.  Failing that, they MAY send DNS
traffic over an HTTPS connection.

This preserves privacy as desired while still optimizing local caching,
round trip speeds, and falling back to the must tunneling only as
needed.

What no one has convinced me of (personally) is why applications should
default to a single resolver over HTTPS at all times, regardless of
where I am on the planet.

-- 
Wes Hardaker
USC/ISI
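The preference ordering in the message above (DoT to the local resolver unless it is distrusted, then DoT to a remote resolver, then DoH), written out as a stub-resolver selection function. This is an added illustration, not code from the message or from any draft; the resolver hosts, the `reachable` probe callback and the `Resolver` fields are constructed assumptions so it runs offline.

```python
from dataclasses import dataclass

# Transport labels for the ordering stated in the message above.
DOT_LOCAL = "DoT-local"
DOT_REMOTE = "DoT-remote"
DOH_REMOTE = "DoH-remote"


@dataclass
class Resolver:
    """One candidate resolver (constructed sample data, not real hosts)."""
    host: str
    local: bool        # learned from the local network (DHCP/RA) vs. configured public
    dot: bool = False  # offers DNS over TLS
    doh: bool = False  # offers DNS over HTTPS


def choose_dns_transport(candidates, distrust_local, reachable):
    """Return (transport, host) following the preference ordering, or None.

    reachable(host, transport) -> bool is an injected probe (assumption) so the
    selection can be exercised offline; a real stub would attempt the TLS handshake.
    Cleartext Do53 is deliberately not in the chain: if no encrypted transport is
    reachable the caller decides, rather than the code silently downgrading.
    """
    plan = []
    # 1. DoT to the local resolver, unless the local infrastructure is distrusted
    if not distrust_local:
        plan += [(DOT_LOCAL, r.host) for r in candidates if r.local and r.dot]
    # 2. DoT to a remote, potentially public, resolver
    plan += [(DOT_REMOTE, r.host) for r in candidates if not r.local and r.dot]
    # 3. DoH to a remote resolver, only as a last resort
    plan += [(DOH_REMOTE, r.host) for r in candidates if not r.local and r.doh]
    for transport, host in plan:
        if reachable(host, transport):
            return transport, host
    return None


# Constructed candidate set: a DHCP-supplied resolver offering DoT plus two public ones.
SAMPLE = [
    Resolver("192.0.2.53", local=True, dot=True),
    Resolver("dot.example.net", local=False, dot=True),
    Resolver("doh.example.net", local=False, doh=True),
]


def always_up(host, transport):
    return True


def port_853_blocked(host, transport):
    # Simulates a network where outbound DoT is filtered but HTTPS passes.
    return not transport.startswith("DoT")
```

Running `choose_dns_transport(SAMPLE, False, port_853_blocked)` shows the fallback to DoH happening only after both DoT options fail, which is the point of the ordering.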