Re: [Doh] WG Review: DNS Over HTTPS (doh)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 25 September 2017 23:16 UTC
To: Adam Roach <adam@nostrum.com>
Cc: Ted Hardie <ted.ietf@gmail.com>, doh@ietf.org, IETF <ietf@ietf.org>
References: <150549029332.2975.12341647131707994474.idtracker@ietfa.amsl.com> <CA+9kkMBJAP23GmGf_ix-DMeOMB=Rbas+qsBQhrVwZuA5-Cv7Mg@mail.gmail.com> <03b11478-6b75-8e52-e6d9-612885804aad@nostrum.com> <CA+9kkMA1z8XF7QNXdY_bGbHdUD8UOBS57VbbJn7xmt7rb8SOGw@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <2861b0eb-2486-9ba2-0b48-48293d758f03@cs.tcd.ie>
Date: Tue, 26 Sep 2017 00:16:26 +0100
In-Reply-To: <CA+9kkMA1z8XF7QNXdY_bGbHdUD8UOBS57VbbJn7xmt7rb8SOGw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/03kDmdNoYb9qNVuTTLSRaNsb4rM>
Subject: Re: [Doh] WG Review: DNS Over HTTPS (doh)
List-Id: DNS Over HTTPS <doh.ietf.org>
A nit, a question and a comment:

On 26/09/17 00:03, Ted Hardie wrote:
> Adam,
>
> Thanks for summarizing the discussion and its outcomes. Looking at the
> revised charter, I noticed that it currently says "The use of HTTPS and its
> existing PKI provides integrity and confidentiality, and it also allows the
> transport to interoperate with common HTTPS infrastructure and policy."

Nit: Not sure if it's worth noting, but the integrity service here is different from DNSSEC, and clients need to be cognizant of that. Probably obvious though.

> The choice not to specify a particular version means that there may be more
> than one transport. You may wish to rephrase this or elide it to reflect
> the decision taken on that point.

This para:

"
While access to DNS-over-HTTPS servers from JavaScript running in a typical web browser is not the primary use case for this work, precluding the ability to do so would require additional preventative design. The Working Group will not engage in such preventative design.
"

... strikes me as weird, given that it didn't say what is the "primary" use-case. I think that needs fixing or may cause confusion later. The question is: did I miss where you said what was the primary use-case?

The comment: I find this version no better than the last in terms of saying that the WG needs to consider the scope within which DNS answers are used. And that was my major issue with the last iteration, so overall, this version doesn't seem that much better to me.

My suggestion is to add text along these lines:

"The WG will analyse the security and privacy issues that could arise from accessing DNS in this manner. For example it'd clearly be bad if JavaScript from random web sites could poison the OS's DNS cache (though hopefully no implementation would allow that). The manner in which that analysis is documented will be decided by the WG."

Cheers,
S.
> regards,
>
> Ted
>
> On Mon, Sep 25, 2017 at 3:56 PM, Adam Roach <adam@nostrum.com> wrote:
>
>> Thanks to everyone who commented on the proposed charter for
>> DNS-over-HTTPS. I have noted four main categories of discussion:
>>
>> 1. Whether to rule specific versions of HTTP in or out of scope of the
>> charter. While the consensus here was rough, there were more proponents of
>> leaving the version out than baking it in. I further observe that leaving
>> version out of the charter does not preclude the WG from reaching consensus
>> that requires or precludes certain versions from being used.
>>
>> 2. Discovery of DNS-over-HTTPS servers. Again, consensus was rough,
>> but I find slightly more people in favor of allowing discovery than those
>> opposed to its inclusion. I will be adding language to the charter proposal
>> that allows such work if those parties interested in specifying such
>> mechanisms show up in the working group. If no such critical mass shows up,
>> the WG will be allowed to close without performing such specification.
>>
>> 3. Scope of work: whether DNS-over-HTTPS servers are accessed by normal
>> stub resolver libraries or via JavaScript. The proposed charter now
>> contains text clarifying that the JavaScript use case is not the primary
>> motivation, but that the WG will not take steps to preclude it.
>>
>> 4. Regarding the question of whether to perform the work at all (or
>> whether to perform the work now): the analysis for starting a working group
>> generally hinges on whether a viable group of willing and capable
>> participants exists to complete such work, without regard to those who wish
>> the work not to take place. While exceptions to this generality may
>> certainly exist, I find no reason the proposed working group is special in
>> this dimension.
>>
>> The revised version of the proposed charter can now be found at:
>>
>> https://datatracker.ietf.org/doc/charter-ietf-doh/
>>
>> /a
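The two technical points raised in the message above (HTTPS gives integrity of the channel to one resolver, which is not the same as DNSSEC's integrity of the data, and answers fetched by page JavaScript must not be able to poison the OS resolver's cache) can be made concrete in code. The following is an added example in Python; it is not code from this thread, from the DOH working group, or from any browser or resolver implementation. It parses the DNS wire-format message a DoH server returns in its HTTP body, exposes the AD flag so a caller can see what the resolver itself claims, and keeps a cache keyed by the scope that obtained each answer. The origin name attacker.example, the sample responses, and the ScopedCache class are constructed for illustration.

```python
"""Added example: parse DoH response bodies (DNS wire format) and keep
answers scoped to whoever fetched them. Not code from the DOH thread."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    name: str
    rtype: int
    ttl: int
    rdata: bytes


@dataclass
class DnsMessage:
    id: int
    ad: bool          # Authenticated Data: the *resolver* claims it validated
    rcode: int
    question: tuple   # (qname, qtype)
    answers: list


def _read_name(buf, off):
    """Decode a possibly-compressed name starting at off.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        hops += 1
        if hops > 128:            # defensive: pointer loops in a malicious body
            raise ValueError("name pointer loop")
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(buf):
    """Parse header, first question and the answer section of a DNS message."""
    if len(buf) < 12:
        raise ValueError("short header")
    mid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    ad = bool(flags & 0x0020)      # AD is bit 5 of the flags word
    rcode = flags & 0x000F
    off, question = 12, None
    for _ in range(qd):
        qname, off = _read_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        question = (qname, qtype)
    answers = []
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        answers.append(Answer(name, rtype, ttl, bytes(rdata)))
    return DnsMessage(mid, ad, rcode, question, answers)


class ScopedCache:
    """Cache keyed by the scope that obtained the answer. "system" is the OS
    stub resolver; any other scope is a web origin whose script did a lookup.
    A lookup from one scope never sees entries written by another, so a page
    cannot seed the system-wide cache (the poisoning the message warns about)."""

    def __init__(self):
        self._store = {}

    def put(self, scope, msg):
        for a in msg.answers:
            self._store[(scope, a.name, a.rtype)] = a.rdata

    def get(self, scope, name, rtype):
        return self._store.get((scope, name, rtype))


def build_a_response(mid, qname, ip, ad=False, ttl=60):
    """Constructed sample response (not captured traffic): one A record whose
    owner name is a compression pointer back to the question name at offset 12."""
    flags = 0x8180 | (0x0020 if ad else 0)   # QR, RD, RA (+AD)
    enc = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in qname.rstrip(".").split(".")) + b"\x00"
    question = enc + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) \
        + bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHHHHH", mid, flags, 1, 1, 0, 0) + question + rr


def demo():
    cache = ScopedCache()
    # The OS stub resolver asked its configured DoH resolver (TEST-NET address).
    cache.put("system", parse_message(
        build_a_response(1, "example.com", "198.51.100.10", ad=True)))
    # Script on https://attacker.example (hypothetical origin) asked a DoH
    # server of its own choosing and received a different answer.
    cache.put("https://attacker.example", parse_message(
        build_a_response(2, "example.com", "203.0.113.7")))
    return {"system": cache.get("system", "example.com.", 1),
            "attacker": cache.get("https://attacker.example", "example.com.", 1)}
```

Note what the parser does and does not give you: the AD bit is a claim made by the resolver, and HTTPS only authenticates that the claim came from the resolver you connected to; it does not let the client verify the records itself the way DNSSEC validation would. The scoped cache is one way to honour the "scope within which DNS answers are used" point: the system scope and each origin's scope are separate keys, so the attacker's 203.0.113.7 answer is returned only to the page that fetched it.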