Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <mellon@fugue.com> Wed, 22 August 2018 13:11 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Wed, 22 Aug 2018 09:10:34 -0400
Message-ID: <CAPt1N1nFATxZQaw0kEwpaAFK67otwVCLfvOgg8+CLDasV66MQw@mail.gmail.com>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Cc: David Conrad <drc@virtualized.org>, dnsop WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vjk0YpXMVloXr62UqkvLSef-RaQ>

Again, to repeat myself once more, one more time, I am asking that we
actually decide what to recommend, and not just say "we all already
know what the right behavior is."   If we all agreed on what the correct
behavior was, we wouldn't be having this discussion.   Maybe if we tried to
describe what we all think the correct behavior was, we would realize that
we do agree on it, but we haven't done that yet.   And the possible set of
all behaviors is more complicated than you suggest.

On Wed, Aug 22, 2018 at 4:32 AM, Vittorio Bertola <
vittorio.bertola@open-xchange.com> wrote:

> > On 21 August 2018 at 19:36 David Conrad <drc@virtualized.org> wrote:
> >
> >  Vittorio,
> >
> >
> > Perhaps I’m misunderstanding: are you saying the folks who provide
> resolution services in a DoH world would have incentive to not follow basic
> security measures?
>
> The definition of what is safe for browsing and what is not is highly
> local - each network and each country have their policies. How could a
> QuadX operator implement a filter that fits the needs of the entire planet?
>
> (Unless we imagine a model in which the DoH operator receives policies
> from networks and countries and applies them depending on where the request
> is coming from.)
>
> Also, network operators have a direct interest in implementing security
> measures to prevent threats from spreading to more devices on their
> network. What's the incentive for a centralized DoH operator to spend money
> and time in security filters?
>
> Regards,
> --
>
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> vittorio.bertola@open-xchange.com
> Office @ Via Treviso 12, 10144 Torino, Italy
>