Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <> Sun, 19 August 2018 17:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B60D1130E4D for <>; Sun, 19 Aug 2018 10:08:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dbu5xlgwAgN3 for <>; Sun, 19 Aug 2018 10:08:19 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BA6AD130E4A for <>; Sun, 19 Aug 2018 10:08:18 -0700 (PDT)
Received: by with SMTP id n18-v6so10748685ioa.9 for <>; Sun, 19 Aug 2018 10:08:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/elsQfmJO8x1yJHCAm2st0+AX+AZ7x+mAxylkLctmqQ=; b=oq0eFq+ksdBNBWixavFJXkYmgGTVLlsGJdTV0Fc97bzuKcFjGxjZTCN3du6MsMbHai 1f0QUH3/6ul1sJZP33jsnXjaGORawVNyuj6ESDv+IdzTsI8Pw6sUg3SBUA3SmKudBdPj 6iUk78gm5YsDDWe07FuJGn9fRG8w0ey7eHZBXnazmDE9ROBUjKjFnz/Rt0qUTEzVDtDR qMeBOTYEkNVYR4WAHV1y1L9DbI1qwGrPcFXMr8Q9OPnBKIDNb15jvTV5J9fC6DUM0p67 Li1mRkbZy1RtsWXPgqpvysSL++2aKKwwEe+6ffkHmEQkaoz/MmWkgBgsB7aZUe7F7QoG BXzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/elsQfmJO8x1yJHCAm2st0+AX+AZ7x+mAxylkLctmqQ=; b=mdYRMLpwSFzQhiGMp/PFE9d52o5uWIEMN015uMNToEbufoq0ebvbnqBOh2UohZbE9U lfloEh2dpKYjrnq76DHbrUpwGgsdhLkVC26114X9KCmjNNpgvGYyo5w54Wqa8HGF18Gv 1N+GXHUCmuCMgFQMY69/1Pi/0iZnVapNBulQd1zI9w2/Nlw4ee8CnjSYbIdR/kDcI2tB EmtqxIMFQqAG5ExXzIHKYBlUSfhQu4y0lDAGQ7FlcxKFLJ0AFvwJHP43xQycoUk+xtPA 1yPd7ID9ySsNTgcAkBR+0BoTQNc513je1UsTWzr+bHzCFd0/VDm0KKK9LbFIicduLZ4R uxsA==
X-Gm-Message-State: AOUpUlG4otk62xeFboORwGFmjjj8aNptJlNTX7720DxxqW+oAv8Hr/ZM CIwZGxvlaNAhUnRdRRFbYzJXWbDD6X9G+vTLevu7QSt8
X-Google-Smtp-Source: AA+uWPzqqxg4mOKanig9P/brKFM3iREGIOMdvzlUvq+IvOITXxEXi7dgAzllPZZ93O6BgrC9hYKFYaM7wkobr4M8fyo=
X-Received: by 2002:a6b:dd01:: with SMTP id f1-v6mr35669889ioc.45.1534698497921; Sun, 19 Aug 2018 10:08:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:a009:0:0:0:0:0 with HTTP; Sun, 19 Aug 2018 10:07:37 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
From: Ted Lemon <>
Date: Sun, 19 Aug 2018 13:07:37 -0400
Message-ID: <>
To: Doug Barton <>
Cc: dnsop WG <>
Content-Type: multipart/alternative; boundary="000000000000ce73950573ccd6c9"
Archived-At: <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 19 Aug 2018 17:08:22 -0000

I went over this in some detail a while back, but to recap, the point of
something like DoH or DoT is to protect the client from eavesdropping.
 There are three senses in which this can be useful.

   - First, that there is a trust relationship between the client and the
   server, which is validated using PKI.   This trust relationship prevents
   anyone other than the trusted server from seeing the client's queries.
   - Second, that the client just wants protection from eavesdropping on
   the local wire, and doesn't actually trust the network operator, but uses
   the provided DoT or DoH information because it protects from third party
   - Third, the client has a trust relationship with the provider because
   the provider of the client software configured it that way.

What's important about this is that the first and second types of trust
relationships are mutually exclusive.   If you have the first, that
precludes the second.   You have to pick which one you want.   The third is
essentially a special case of the first, but I mention it because people
tend to describe them as if they are different.

So if you are relying on the first kind of trust relationship, then you
can't use DHCP, because you have no trust relationship with DHCP.  If you
are relying on the second trust relationship, you are assuming that the
network operator is competent; otherwise a third party can still eavesdrop
on your traffic by providing DHCP service on the local wire.   Paul and
Bert have talked about why the third kind of trust relationship is

So you have trust relationship one, which has the problems Paul talks
about.   You have trust relationship two, which has a different set of
problems, and is incompatible with trust relationship one.   And you have
trust relationship three, which is a special case of trust relationship one.

The DHCP solution is compatible only with trust relationship two.   So if
the IETF were to recommend this way of configuring DoH and DoT, we would
essentially be throwing away the privacy benefits of DoH and DoT (assuming
that such benefits exist).   Paul states this as if it's just obvious that
when you are connected to a particular network, you have to follow the
rules of that network, but this is kind of a special-case argument: Paul
runs his network that way, and he gave some examples of other networks that
are run that way, but there are also lots of networks that aren't run that
way, and as an end user who owns his device and does not live in a country
that censors the Internet, I am not willing to have the internet censorship
case be the default case.   If a device were to treat that as the default
case, I would not want to use that device.

I will freely admit that this is not clear-cut, but that's really my
point.   I believe that it is wrong to advance a DHCP-based solution
without consensus that we prefer the second trust model, and I don't think
such a consensus is attainable.   Pursuing a DHCP-based solution without
that consensus is simply a way of bypassing the consensus process, in the
sense of deciding that there is no need to get consensus on which trust
model we prefer before choosing a trust model.

On Sun, Aug 19, 2018 at 12:43 PM, Doug Barton <> wrote:

> On 08/18/2018 06:08 PM, Ted Lemon wrote:
>> The thing is that most devices don't connect to just one network.   So
>> while your devices on your network can certainly trust port 853 on your
>> network, when they roam to other networks, they have no reason to trust
>> it.   If you have devices that never roam to other networks, that's fine,
>> but we have to design for the more general case.   There's no way with DHCP
>> for the device to tell that it's connected to a particular network, other
>> than matching IP addresses, which isn't a great idea.
> Ted,
> I'd like to turn your question back to you. What threat model are you
> protecting the user from by not allowing a DHCP option to use a DOH or DOT
> server?
> It seems to me that in the overwhelming majority of cases (near 100%) the
> user is going to get their local resolver from the DHCP server, whether
> they are on a trusted network (like work or home), or roaming at Eve's
> Coffee Shop.
> So either you have a sophisticated user who has preconfigured their own
> resolver and ignores the DHCP setting, or you have the typical user who
> doesn't understand how any of this stuff works, and therefore has implicit
> "trust" regarding the local network and the settings from the DHCP server.
> Given that (and feel free to tell me if I've missed something), what harm
> can come to the user if the resolver that they are already trusting can
> also be accessed over DOH or DOT?
> Doug
> _______________________________________________
> DNSOP mailing list