IETF Logo Mail Archive

Re: [Doh] operational considerations

"Hewitt, Rory" <rhewitt@akamai.com> Mon, 20 November 2017 21:26 UTC

Return-Path: <rhewitt@akamai.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6ABA126FDC for <doh@ietfa.amsl.com>; Mon, 20 Nov 2017 13:26:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hGFFb8rL9Ieo for <doh@ietfa.amsl.com>; Mon, 20 Nov 2017 13:26:53 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08D4212711D for <doh@ietf.org>; Mon, 20 Nov 2017 13:26:52 -0800 (PST)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id vAKLLcbp026935; Mon, 20 Nov 2017 21:26:50 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=wsw8gThAYpBHHFv27iQjzgaQOzkviKONqn4jOgC2El0=; b=jLYRJiRaCeXpQWyNQY0qLs4O+17F/xi3ZgIaNK5NDmMgOzeXAnWsg1tqBNgkMaRTdzfv hSoUHgUwPHQC5mkRBN4wBlmpX13WNzC4uzY3DBosHs6ojQWHo1mrpI+kTN6c93S99nJq 8zhWiZjJTRAPbjUHIvcJ9PthljpCujoTz+q5RYRD0DzDHK0U0vL9SRsc+1S/QOxL8hEF Ko4ZCCC/Ubw6TVWBm778WQOOzZ97eIA53RtHOPhY0ZwWYxFB+rqR9X06hQ6JG90PQVdL 40nfiV0JVm08TIDuhoRdCXQ8PdpCGtEbrg3oq0onzc2JfgH8beY2gcl8mZGdDzfg4YOb NQ==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18]) by m0050102.ppops.net-00190b01. with ESMTP id 2eaatfr7cu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 20 Nov 2017 21:26:50 +0000
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.21/8.16.0.21) with SMTP id vAKLQdIk007211; Mon, 20 Nov 2017 16:26:49 -0500
Received: from email.msg.corp.akamai.com ([172.27.123.34]) by prod-mail-ppoint1.akamai.com with ESMTP id 2eah2xysyu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 20 Nov 2017 16:26:42 -0500
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag3mb4.msg.corp.akamai.com (172.27.123.56) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 20 Nov 2017 13:25:56 -0800
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com (172.27.123.103) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 20 Nov 2017 16:25:56 -0500
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com ([172.27.123.103]) by usma1ex-dag1mb3.msg.corp.akamai.com ([172.27.123.103]) with mapi id 15.00.1263.000; Mon, 20 Nov 2017 16:25:55 -0500
From: "Hewitt, Rory" <rhewitt@akamai.com>
To: Patrick McManus <pmcmanus@mozilla.com>, Eliot Lear <lear@cisco.com>
CC: "doh@ietf.org" <doh@ietf.org>
Thread-Topic: [Doh] operational considerations
Thread-Index: AQHTXrV5T3VOxBXQTESW8iflmtLdi6MbR0aAgAHaY4CAAPQHgP//uDpg
Date: Mon, 20 Nov 2017 21:25:55 +0000
Message-ID: <2c94f0d7e86248ffa870b4852218bbe6@usma1ex-dag1mb3.msg.corp.akamai.com>
References: <60b879b8-d107-ec79-b2f1-357e354702e4@cisco.com> <CAOdDvNpuNhZF+966qUY8Sq4cfdrC-j_vFYoE9LT_jMRnWozgaQ@mail.gmail.com> <e1292551-21b7-802c-aec0-81eb7988fb80@cisco.com> <CAOdDvNqxytTf_Vf1QeKzi1D8qBi5VdxgeuZcFnEjefxNuLbfXg@mail.gmail.com>
In-Reply-To: <CAOdDvNqxytTf_Vf1QeKzi1D8qBi5VdxgeuZcFnEjefxNuLbfXg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.116.210]
Content-Type: multipart/alternative; boundary="_000_2c94f0d7e86248ffa870b4852218bbe6usma1exdag1mb3msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-11-20_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1711200287
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-11-20_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1711200286
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/0nbx193074n01aQ5Ml8jl__jeDM>
Subject: Re: [Doh] operational considerations
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Nov 2017 21:26:56 -0000

A couple of additional tweaks (which you can, of course, ignore:

Different DNS servers may provide different results to the same query. It logically follows that which server the server which is consulted influences the end result. Split-horizon DNS [RFC6950] is a specific example of this approach where the answers are derived from the source of the query. A client that queries a resolver which uses this style of algorithm can expect to sometimes be returned different answers from the responses compared with responses given by resolvers which do not use them


Thanks,

Rory

Rory Hewitt
Senior Solutions Architect
Global Services & Support
Akamai Technologies
Tel: (408) 650-0035

From: Patrick McManus [mailto:pmcmanus@mozilla.com]
Sent: Monday, November 20, 2017 12:39 PM
To: Eliot Lear <lear@cisco.com>
Cc: doh@ietf.org; Patrick McManus <pmcmanus@mozilla.com>
Subject: Re: [Doh] operational considerations

I've taken the (imo) best bits from Eliot, Jim, and myself.. (I've tried to reject 'non-default', 'proximate', and 'policy' all as things that muddy the issue.) what do we think of this iteration?

Operational Considerations

Different DNS servers may provide different results to the same query. It logically follows that which server is consulted influences the end result. Split-horizon DNS [RFC6950] is a specific example of this approach where the answers are derived from the source of the query. A client that queries a resolver which uses this style of algorithm can expect to sometimes be returned different answers from the responses given by resolvers which do not use them

The HTTPS channel used by this specification establishes secure two party communication between the DNS API Client and the DNS API Server. Filtering or inspection systems that rely on unsecured transport of DNS will not function in a DNS over HTTPS environment.

On Mon, Nov 20, 2017 at 1:05 AM, Eliot Lear <lear@cisco.com<mailto:lear@cisco.com>> wrote:
Hi Patrick,

This is good text.  I think Jim has a point about "default resolver".
Also, further reduction is possible.  See below:


On 11/19/17 2:48 AM, Patrick McManus wrote:
> Hi Eliot - indeed this is fairly brief.. thank you. if we can keep it
> to this scope I'm ok - but if the section begins to grow organically
> we should really discuss moving to a different doc. I have a proposed
> minor rework of your text below which I believe to be more concise and
> a bit more illuminating on the root issues. Let me know what you think.
>
> Operational Considerations
>
> Different DNS servers may provide different results to the same query.
> It logically follows that which server is consulted influences the end
> result. Split-horizon DNS [RFC6950] is a specific example of this
> approach where the answers are derived from the (potentially natted)
> source of the query. A client that chooses to query a non-default
> resolver for a name that is using this style of algorithm may not
> obtain correct results.

s/chooses to query/queries/

s/non-default resolver/resolver that is not proximate/

How's that?
>
> The HTTPS channel used by this specification establishes secure two
> party communication between the DNS API Client and the DNS API Server.
> Filtering or inspection systems that rely on unsecured transport of
> DNS will not function in a DNS over HTTPS environment.
Eliot

v2.23.0 | Report a Bug | By Email