Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Christian Huitema <huitema@huitema.net> Fri, 22 March 2019 03:40 UTC

From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <yblh8bv95l0.fsf@w7.hardakers.net>
Date: Fri, 22 Mar 2019 04:40:31 +0100
Cc: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>, DoH WG <doh@ietf.org>, Joe Abley <jabley@hopcount.ca>
Message-Id: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <3457266.o2ixm6i3xM@linux-9daj> <CA+9kkMDkKQtBDrXx9h8331_6zDtcChUTfqFe0W3JByxyB=4xLw@mail.gmail.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <a38cf205-b10e-e8e2-62cf-8e0377dfc1ef@brokendns.net> <4599B066-BA82-4EA8-92C1-F1BE1464A790@puck.nether.net> <b8c58757-3945-ea19-b018-8e59292abf30@cs.tcd.ie> <CAH1iCirBm0NKA2-zw--ZKd3gN1ZCmwZ7_ZOSyaTk+2SMmrtxKg@mail.gmail.com> <EA89EA1A-A1EA-4887-9294-4F68AB5C3211@puck.nether.net> <91A0BBD0-CB73-498E-B4E0-57C7E5ABE0B4@hopcount.ca> <2145465817.5147.1553119548565@appsuite.open-xchange.com> <yblh8bv95l0.fsf@w7.hardakers.net>
To: Wes Hardaker <wjhns1@hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sT_5Met6mNc7X7Fti6kdoOGvGF0>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator


> On Mar 22, 2019, at 12:21 AM, Wes Hardaker <wjhns1@hardakers.net> wrote:
> 
> If DNS privacy is a goal, systems and applications SHOULD use DNS over
> TLS to encrypt traffic to their local resolver if possible (unless the
> system and application distrusts the local resolver infrastructure).

Maybe we should start by defining DNS Privacy. There are two issues: using an encrypted transport; and, using a DNS resolver trusted to respect the privacy of queries. Both are necessary. One without the other makes little sense.

Much of the debate is on the second point. One position is that users should be forced to trust the DNS resolver provided by the local infrastructure. Another position is that users have the right to apply their own policy and decide which server they will trust, based on some configuration.

-- Christian Huitema
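The two requirements Christian names above, an encrypted transport and a resolver the user has chosen to trust, as an added example that is not part of the original message or of draft-reid-doh-operator: a minimal DNS over TLS (RFC 7858) client in Python. The resolver name and address it takes are the user's own policy (the names in the comments are placeholders, not a recommendation of any operator), and the TLS handshake validates the server certificate against that configured name rather than against whatever answers at the address, so the encryption and the trust decision are enforced together. The wire encoder and answer parser run offline on a constructed response; only query_over_tls touches the network.

```python
"""Added example (not from the original message or any IETF draft).

DNS over TLS (RFC 7858) carries an ordinary DNS wire message inside a TLS
session, prefixed by a two-octet length.  Encrypting the transport alone
does not settle *which* resolver answers; the client must also decide whose
certificate it will accept.  Here that decision is an explicit (name,
address) pair chosen by the user, e.g. ("dot.resolver.example", "192.0.2.53")
(placeholder values, assumed for illustration).
"""
import random
import socket
import ssl
import struct

DOT_PORT = 853  # IANA-assigned port for DNS over TLS (RFC 7858)


def build_query(name, qtype=1, txid=None):
    """Encode a recursive query (QTYPE 1 = A, QCLASS 1 = IN); return (txid, wire)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b""
    for label in filter(None, name.rstrip(".").split(".")):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:  # RFC 1035: labels are 1..63 octets
            raise ValueError("bad label length: %r" % label)
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def frame(message):
    """RFC 7858 section 3.3: two-octet length prefix, network byte order."""
    return struct.pack("!H", len(message)) + message


def _read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next_off)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            if hops > 16:
                raise ValueError("compression loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, hops, off = True, hops + 1, ptr
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("idna"))
        off += n
    return ".".join(labels), (end if jumped else off)


def parse_a_records(response, expected_txid):
    """Return the IPv4 addresses in the answer section; check txid and RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _name, off = _read_name(response, off)
        off += 4
    addrs = []
    for _ in range(an):
        _name, off = _read_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(resolver_name, resolver_addr, name, timeout=5.0):
    """One A query over TLS.  The certificate is verified against resolver_name,
    the user's trust decision, not merely against the address connected to."""
    ctx = ssl.create_default_context()  # system CA store, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid, msg = build_query(name)
    with socket.create_connection((resolver_addr, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame(msg))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_a_records(_recv_exact(tls, length), txid)
```

If the name in the user's policy does not match the certificate presented at the address (for example, a local network that intercepts port 853), `wrap_socket` raises and no query is sent; that failure is the point where the second of Christian's two requirements is enforced.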