Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

Patrick McManus <mcmanus@ducksong.com> Sun, 24 March 2019 20:44 UTC

References: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net> <1878722055.8877.1553241201213@appsuite.open-xchange.com> <CABcZeBPmpN-cEPK92QQW3bkvc41Cx5g7B_YuUXCJK3j1qF995Q@mail.gmail.com> <20190322.101434.307385973.sthaug@nethelp.no> <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk>
In-Reply-To: <32A78B0C-52B6-46E5-A46F-D63D21DEC52C@sky.uk>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Sun, 24 Mar 2019 21:43:59 +0100
X-Gmail-Original-Message-ID: <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com>
Message-ID: <CAOdDvNqb2+4Az+g608QRjYt+ZdUt1L9GAc=MJM3-xd0ZNmeBEQ@mail.gmail.com>
To: "Winfield, Alister" <Alister.Winfield=40sky.uk@dmarc.ietf.org>
Cc: "sthaug@nethelp.no" <sthaug@nethelp.no>, Eric Rescorla <ekr@rtfm.com>, "dnsop@ietf.org" <dnsop@ietf.org>, "doh@ietf.org" <doh@ietf.org>, "huitema@huitema.net" <huitema@huitema.net>, "vittorio.bertola=40open-xchange.com@dmarc.ietf.org" <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, "wjhns1@hardakers.net" <wjhns1@hardakers.net>
Content-Type: multipart/alternative; boundary="00000000000070b8eb0584dd26ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ztCeE27ag7nHDg1eiz-OIUphI3o>
Subject: Re: [DNSOP] [Doh] [EXTERNAL] Re: New I-D: draft-reid-doh-operator

On Fri, Mar 22, 2019 at 11:15 AM Winfield, Alister <Alister.Winfield=40sky.uk@dmarc.ietf.org> wrote:

>
> Don't overplay the privacy provided by DoH it has no effect on the DNS
> provider


The major effect of the transport security on the privacy practices of the
provider is that it allows the client to authenticate the provider. Trust
in their privacy practices needs to be established some other way (and the
best way we have right now is 'out of band' - hopefully that gets better) -
but with DoH you can be confident that you're having a private conversation
with the entity you've decided to trust. That's a pretty big distinction
from port 53. Without that assurance it's reasonable to be concerned about
what names you look up.

This of course applies to local and enterprise configs as well as the cloud
configs contemplated by most of this thread. An enterprise DoH server
expresses and enforces a policy - if an application needs to use that
policy it should be comforted in transport security providing confirmation
that it is doing so rather than reading in whatever might be showing up on
port 53.