Re: [Doh] DOH and split DNS

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 06 November 2017 12:00 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67E5813FBE9 for <doh@ietfa.amsl.com>; Mon, 6 Nov 2017 04:00:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=l78FZFDb; dkim=pass (1024-bit key) header.d=yitter.info header.b=NY48VnGQ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1DdFZnIMEnsk for <doh@ietfa.amsl.com>; Mon, 6 Nov 2017 04:00:55 -0800 (PST)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33C3613FBE8 for <doh@ietf.org>; Mon, 6 Nov 2017 04:00:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id 9C3E9BF56B for <doh@ietf.org>; Mon, 6 Nov 2017 12:00:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1509969624; bh=cjfvRlTHQUBlui2MuD/YOYWwM2BpjQyBkKAd1GPBfDU=; h=Date:From:To:Subject:References:In-Reply-To:From; b=l78FZFDbQLx7vBUNIkPtlcg7iajQE9fgNgnK02kks4Dfx5YGJxGINIUx4HhsUhAZ1 0hGANqXIx+xD1UxLTjMrPtvO+T7eLB6tJAiWTsSreBOJ8//YCEK5K26yqapjnrgYRo IBYaaoUof7dqQcJ5/wToUCeiMG3b6vgDBmLaTVic=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qCCzog7lYDfx for <doh@ietf.org>; Mon, 6 Nov 2017 12:00:14 +0000 (UTC)
Date: Mon, 6 Nov 2017 07:00:14 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1509969614; bh=cjfvRlTHQUBlui2MuD/YOYWwM2BpjQyBkKAd1GPBfDU=; h=Date:From:To:Subject:References:In-Reply-To:From; b=NY48VnGQ7X4OW6amw2dmRzU3ydGhmN94HAKTBkDaFkYTp3EQqf6H8HnTDdqQLYKZu XnaBDZblVxQUwndVCVi4mm/t48qunurWQdFHfzag7Ur/Uxw1fgiTE4MzdzhK8sa11k lQp0RcFuKtsF6FCsdtGfYmZvvFzUgpNt+T4NNQDQ=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: doh@ietf.org
Message-ID: <20171106120014.ybhkqptllbx75vsg@mx4.yitter.info>
References: <C7B43C35-55DE-41FE-BE66-5D7BBDB6FC9A@vpnc.org> <644FB18C-3B6A-4DF2-88C9-31A0C870055D@mnot.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <644FB18C-3B6A-4DF2-88C9-31A0C870055D@mnot.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/-4frFkm3t-7kSFKN4_3sPrCaVe8>
Subject: Re: [Doh] DOH and split DNS
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 12:00:56 -0000

On Mon, Nov 06, 2017 at 11:13:19AM +1100, Mark Nottingham wrote:
> 
>  Some careful wording around the configuration mechanism should help.
> 
> Allowing something like proxy.pac to override DOH doesn't make any sense, given that the primary purpose of DOH is to NOT allow the local network to impose policy on communication with the DNS server.
> 

That careful wording had better be pretty careful.  I don't believe
for an instant that most users have a workable theory for which
resolution mechanism they're using, and if they configure DOH and
suddenly all the "internal sites" don't work they're going to be
pretty surprised.

It strikes me as pretty strange, too, to suggest that, if a user
configures proxy.pac, they don't want the local network to offer such
policies.  If the user is prepared to use the proxy, presumably the
user is prepared to use it to impose local policy, no?

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com