Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <mellon@fugue.com> Mon, 20 August 2018 18:16 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB276129619 for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 11:16:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6slNn0fvjKDs for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 11:16:12 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 293DD12872C for <dnsop@ietf.org>; Mon, 20 Aug 2018 11:16:12 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id d9-v6so659387itf.2 for <dnsop@ietf.org>; Mon, 20 Aug 2018 11:16:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2X8GYB4LwwgdnX9DTrVuGg+cXjgUvMUHhQ7jR0BHLPo=; b=OVK/mPmxXREy69mSqco4VVaZ2Xqf/DGCrEEtiHW9HAzWYz+260bl1AskwQY0C1XK2x 4jRdhJLo3gtmYapMPnBBVpoxjjiPH7W1tnFWyt4HIsMbgw0gA9QPJYtwevz6AChgnuhD E+8A7qdRo9T/x9/bAAz0ZgMknGr6kXWnTfXdqpryszfs96c9+Fy+fLYKRHRpmIX7kp8S tZFWDYHXX+mmLmItliy9fFbUWwuKi4BloDWeFx+oA3HD28EEfvkgh3bIwahxBIcLpwB/ 5Ly3BP+XV8QS2PM3q4eJ+ZzShhUofrD6C3LYPwqsnK2NPhAe/Rcze0loojgd90xNsIYD SpJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2X8GYB4LwwgdnX9DTrVuGg+cXjgUvMUHhQ7jR0BHLPo=; b=asTWEeHBgHf+eko/Jh0nEbgcZVXfRTOJPv7Btsy9geSXNMoUd/Q8vUc1i2vLpXmspW olgXydSmmOKqhBc+3E9ujxNzJcsc0DO+7HaYA0GYjvR5NvhpUzbuPRYevcGcFpFitz+M oqgFuIi+a0yCJlKB9ho3wZskEa/R62akl4BlreUfP8fQubkQJnEgASYdroAnp5fk1K+Z 3kQMKIExaJe36FFZxGdgeTmbAjI2epE44Fz/V4E8XZ0cl4I97I6sFA+TNxhPYNdyFU7P MKGNvS6A3xUiEFQSLm2F6vf+FhVl9WfDuHM9rmiFPU7Obx4AalHyHL0l3Z+Dvytnq06X lXDQ==
X-Gm-Message-State: AOUpUlGOCnvYi5j0Wy07VaLFAaxFJzWlGY2/JmafrY2t7vqHdeGEAMSU HtnMQTpVBCyHCLApxHXPGKgwZdUhGes5Zg9QeywUcHxO
X-Google-Smtp-Source: AA+uWPzxaGBTHVcQFW2/hPcYzZskard6rCIY4w/MwEvmN/iu8ze/7N93l1Nh96v05WPMYMcF2JnTzkZBDNgsjinszJU=
X-Received: by 2002:a02:88ad:: with SMTP id n42-v6mr1442670jaj.38.1534788971382; Mon, 20 Aug 2018 11:16:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:a009:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 11:15:30 -0700 (PDT)
In-Reply-To: <5B7B0465.8060906@redbarn.org>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAC=TB11tG4o0dkavXGb20=DGBCrmVoRP60bpzsvq5=Q0zFjhDg@mail.gmail.com> <CAPt1N1kj7Y0dPLeDk=PMqQEpAd-Mvds6VLT8XUC1BYOfdyUbJA@mail.gmail.com> <CAC=TB125M81nwiCTNr8Vbee+Z7Fh_3L+6EdZ8evXVzP-2ji4fg@mail.gmail.com> <CAPt1N1n9hDUZQ-Ltvs73T20=fpG-FR_j-t4m0kMapDiv2Us1kw@mail.gmail.com> <5B78BFB9.40103@redbarn.org> <47508D79-0D49-4F31-9BA6-6DC80C38F1DE@cable.comcast.com> <ad1f6dff-ebcc-97a9-6f4b-1ed683827cc7@dougbarton.us> <1313743534.13562.1534765718802@appsuite.open-xchange.com> <9AFE57A7-1D27-4F86-9013-E3C63E63C582@hopcount.ca> <5B7AE322.3020201@redbarn.org> <CAPt1N1m-Xd-7rvgmk8GOsx34=1hsu76nmTgW-8krC3JF7i57KQ@mail.gmail.com> <265867956.15518.1534783313366@appsuite.open-xchange.com> <5B7AF30F.7040409@redbarn.org> <CAPt1N1=ad9MyZmHncTfdDV9pPim9cDC=boAFD9UxmXkpX+vg1Q@mail.gmail.com> <5B7B001A.5000907@redbarn.org> <CAPt1N1mfBz3E96ZuLAbBFYzhrwmg8ukrgsabC-duCOj1-rKK4A@mail.gmail.com> <5B7B0465.8060906@redbarn.org>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 20 Aug 2018 14:15:30 -0400
Message-ID: <CAPt1N1m1c6k_Bn8GR4hMRD+A5iBq7bQsZ0CQqcoKJU1Y4nYvvQ@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Joe Abley <jabley@hopcount.ca>, dnsop WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007202a20573e1e7d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tLY_ODykpNRQUiLrv7aPpt5v7Bk>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 18:16:14 -0000

I think that you are whistling past the graveyard.   If your firewall
allows HTTPS without a proxy, then everything that DoH allows is already
possible, and is probably already being done, because it's so obvious.
If you disagree with me about this (and I can think of a few reasons why
you might) then you should articulate what is possible with DoH that isn't
already possible with HTTPS.

On Mon, Aug 20, 2018 at 2:11 PM, Paul Vixie <paul@redbarn.org> wrote:

>
>
> Ted Lemon wrote:
> ...
>
>> I think HTTPS was pretty hostile to local network policy.   Indeed,
>> there was a big argument about that in the TLS working group over the
>> past few IETFs.   If you don't want people to use DoH, there's an easy
>> solution, which you already need to use regardless: you have to MiTM
>> their HTTTPS traffic.   If you don't agree that you have to MiTM their
>> HTTPS traffic to achieve what you want, then I think we are not arguing
>> about the same thing.
>>
>
> it used to be occasionally necessary. with DOH it will be universally
> nec'y. this will add complexity (so, cost and error rate) and increase
> surveillance. the DOH people should be told not to proceed to draft
> standard until their design accommodates the needs of network operators.
>
> --
> P Vixie
>
>