Re: [Doh] Mozilla's plans re: DoH

<N.Leymann@telekom.de> Thu, 28 March 2019 09:04 UTC

Return-Path: <N.Leymann@telekom.de>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
From: <N.Leymann@telekom.de>
To: <neil.cook@noware.co.uk>, <doh@ietf.org>
Thread-Topic: [Doh] Mozilla's plans re: DoH
Thread-Index: AQHU5LhCCdDO08my+0ygyUoIXX2xRKYgvFVA
Date: Thu, 28 Mar 2019 09:03:41 +0000
Message-ID: <LEJPR01MB0377830D1703F031E7C697B798590@LEJPR01MB0377.DEUPRD01.PROD.OUTLOOK.DE>
References: <CABcZeBOk5bM+3G2Jd3Lu33Z08gc=AeoZ8UFHzN6AYk4f_hjZ8Q@mail.gmail.com> <CABcZeBPUh6x=D+GfKg11+4bRouZdm1LcZvLm1jd4UUEJA832BQ@mail.gmail.com> <CEADD7D7-49B5-436F-A1E2-DF5C9AA57FA9@noware.co.uk>
In-Reply-To: <CEADD7D7-49B5-436F-A1E2-DF5C9AA57FA9@noware.co.uk>
Accept-Language: de-DE, en-US
Content-Language: de-DE
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: telekom.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/3gig-HsgIbPoXLDWg8k56utffhQ>
Subject: Re: [Doh] Mozilla's plans re: DoH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 09:04:29 -0000

Hi,

-----Original Message-----
From: Doh <doh-bounces@ietf.org> On Behalf Of Neil Cook
Sent: Wednesday, 27 March 2019 17:15
To: DoH WG <doh@ietf.org>
Subject: Re: [Doh] Mozilla's plans re: DoH



>> On 27 Mar 2019, at 09:24, Eric Rescorla <ekr@rtfm.com> wrote:
>> 
>> Now with the numbered lists correctly formatted:
>> 
>> I’ve heard a number of questions about Mozilla’s plans around DoH. 
>> We’ve made a number of public statements, but it might be useful to 
>> try to put this all in one place.
>> 
>> In context, the problem we are attempting to solve here is attack on 
>> the user’s name resolution from an attacker with full or partial 
>> control of the network, as contemplated by Section 3 of BCP 72 as well 
>> as BCP 188. There’s ample evidence of monitoring/manipulation of user 
>> traffic via this vector [0][1][2]. Importantly, this includes cases 
>> where the entity which owns the network infrastructure monitors and/or 
>> modifies DNS requests and responses without the user’s consent.
>> 
>
> But Mozilla doesn’t know whether the modification is with or without the user’s consent. As the various drafts that have been presented this week attempt to 
> make clear, there are a large number of use cases where users actively want the modification of their DNS (parental control, enterprise networks, 
> malware/phishing detection, botnet C&C communication disruption etc.), indeed they may even be paying for such a service.
That is a very valid assumption. And if they pay for the service, they also expect that the service will work and will not break if they install a new client (browser/app/...) on their end systems. In most cases they do not even know where a functionality is implemented, and they do not change default settings (which is fine, because "default" usually means that nothing will break). From my experience, a new default that disables an existing feature (malware/phishing protection, DNS64, load balancing, ...) will lead to problems.

Regards

Nic