Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Vittorio Bertola <vittorio.bertola@open-xchange.com> Wed, 22 August 2018 08:32 UTC

Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E257E130EBB for <dnsop@ietfa.amsl.com>; Wed, 22 Aug 2018 01:32:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBW6PnWlwArx for <dnsop@ietfa.amsl.com>; Wed, 22 Aug 2018 01:32:42 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62DA1120049 for <dnsop@ietf.org>; Wed, 22 Aug 2018 01:32:42 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id B5AE16A36A; Wed, 22 Aug 2018 10:32:40 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1534926760; bh=KyoMRJvfqB3/cQmmFsyreEIyhX2Sw4j+OckqgLujk1g=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=QjN8qC4VX71B1UA2aCcaN2hTPow5MTmZvoF7XOhhoZmVCtbWuiXOpZi0OXfZ214Lc S2DjeNYKSMpW8Ahyqo351IfQS189KtYNc9HPtFeskR4lTBCgMi7mIWyjZbCP0/w1i7 3oTRMGm2vNSsaOdN2WzkoqAZ3NjEbtnDM2LMWeg/W+HduMVELKStPxGBhoCiYBNCVt M6Kh/KZBN+MSqP7PnuvdijSTrrJNel499eH9nDJzhQcZBqNqWxHW+lgghwjRzmelGp Qok7vy3f4wakYLG9VQR9VPKtWc4NXN5s+cuNpFz+ciTUUxTC2CUpzHSJzQ6vpJS0R2 HnLM4CAS9f2lw==
Received: from null (appsuite-gw1.open-xchange.com [10.20.28.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 80FBA3C1580; Wed, 22 Aug 2018 10:32:40 +0200 (CEST)
Date: Wed, 22 Aug 2018 10:32:40 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: David Conrad <drc@virtualized.org>
Cc: dnsop WG <dnsop@ietf.org>
Message-ID: <318323950.21554.1534926760460@appsuite.open-xchange.com>
In-Reply-To: <FBE862C5-6999-4D2F-A877-4ACDF1F5FBF1@virtualized.org>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1=-792WkQmbTigPdqOh0dONykYycG0hheOecoQa4ai=Hw@mail.gmail.com> <CAC=TB11tG4o0dkavXGb20=DGBCrmVoRP60bpzsvq5=Q0zFjhDg@mail.gmail.com> <CAPt1N1kj7Y0dPLeDk=PMqQEpAd-Mvds6VLT8XUC1BYOfdyUbJA@mail.gmail.com> <CAC=TB125M81nwiCTNr8Vbee+Z7Fh_3L+6EdZ8evXVzP-2ji4fg@mail.gmail.com> <CAPt1N1n9hDUZQ-Ltvs73T20=fpG-FR_j-t4m0kMapDiv2Us1kw@mail.gmail.com> <5B78BFB9.40103@redbarn.org> <47508D79-0D49-4F31-9BA6-6DC80C38F1DE@cable.comcast.com> <ad1f6dff-ebcc-97a9-6f4b-1ed683827cc7@dougbarton.us> <1313743534.13562.1534765718802@appsuite.open-xchange.com> <9AFE57A7-1D27-4F86-9013-E3C63E63C582@hopcount.ca> <5B7AE322.3020201@redbarn.org> <CAPt1N1m-Xd-7rvgmk8GOsx34=1hsu76nmTgW-8krC3JF7i57KQ@mail.gmail.com> <265867956.15518.1534783313366@appsuite.open-xchange.com> <CAPt1N1myrdOywur35rXRab2QCrhFiJ0vS4wnT_Pof0epdOPz7A@mail.gmail.com> <471139805.18285.1534847636363@appsuite.open-xchange.com> <FBE862C5-6999-4D2F-A877-4ACDF1F5FBF1@virtualized.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.10.0-Rev11
X-Originating-Client: open-xchange-appsuite
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lLJIe1WaxK300Sbh-iDkH4EFq2M>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2018 08:32:44 -0000

> Il 21 agosto 2018 alle 19.36 David Conrad <drc@virtualized.org> ha scritto: 
>  
>  Vittorio, 
> 
> 
> Perhaps I’m misunderstanding: are you saying the folks who provide resolution services in a DoH world would have incentive to not follow basic security measures?

The definition of what is safe for browsing and what is not is highly local - each network and each country have their policies. How could a QuadX operator implement a filter that fits the needs of the entire planet?

(Unless we imagine a model in which the DoH operator receives policies from networks and countries and applies them depending on where the request is coming from.)

Also, network operators have a direct interest in implementing security measures to prevent threats from spreading to more devices on their network. What's the incentive for a centralized DoH operator to spend money and time in security filters?
 
Regards,
-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy