Re: [Doh] [EXTERNAL] Re: Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

"Winfield, Alister" <> Wed, 27 March 2019 08:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 24BDD120273 for <>; Wed, 27 Mar 2019 01:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xrW-Jy3N08gn for <>; Wed, 27 Mar 2019 01:24:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D6DE012026B for <>; Wed, 27 Mar 2019 01:24:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v8cwwSM0GjRpRRrOYSdV91phZjQ1lXscAJUMIwjzNw8=; b=PWR1zWn+nU2KjJGahsvGyi57ZSrFtbImwH3/iCeR4XZW5BYkpo5GqRTqIQ20f41O4ZHFXBv16CKum3ZNh8K9IXxvfgHj/cUE4xQhm9CvR8ZxGcAFoj/+yRDDr2s2yBhm5AY0w7khOuf/NP85R6RwHkLaaQiRVHYivthHuxxajxI=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.18; Wed, 27 Mar 2019 08:24:16 +0000
Received: from ([fe80::5cb7:e589:692e:7d93]) by ([fe80::5cb7:e589:692e:7d93%9]) with mapi id 15.20.1730.019; Wed, 27 Mar 2019 08:24:16 +0000
From: "Winfield, Alister" <>
To: Erik Nygren <>, Patrick McManus <>
CC: nusenu <>, DoH WG <>, tirumal reddy <>
Thread-Topic: [EXTERNAL] Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
Thread-Index: AQHU40DcPma2NqMb50ShukyAax+Nt6Ydmo2AgAAbcwCAAM77AIAAsiWA
Date: Wed, 27 Mar 2019 08:24:15 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results: spf=none (sender IP is );
x-originating-ip: [2001:67c:1232:144:bd2e:1f62:64fa:7da7]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 30329652-fbc1-43ff-17c0-08d6b28d99d6
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:DB6PR0601MB2229;
x-ms-traffictypediagnostic: DB6PR0601MB2229:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <>
x-forefront-prvs: 0989A7979C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(366004)(39860400002)(396003)(136003)(199004)(189003)(478600001)(68736007)(81166006)(316002)(4326008)(71200400001)(229853002)(54906003)(7736002)(97736004)(486006)(6116002)(8676002)(81156014)(6486002)(82746002)(256004)(14444005)(74482002)(966005)(5024004)(6512007)(83716004)(46003)(106356001)(110136005)(54896002)(93886005)(86362001)(36756003)(53936002)(8936002)(186003)(11346002)(6246003)(33656002)(236005)(99286004)(6436002)(76176011)(102836004)(53546011)(6506007)(72206003)(71190400001)(2616005)(476003)(606006)(446003)(58126008)(25786009)(14454004)(5660300002)(2906002)(6306002)(105586002); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6PR0601MB2229;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: /vOd/HhKwN5UfE6IiQUCZlTccG/fgF3rfhNmg/11Q7OB60Wz6HqhRyOITR4rHxZhQLuzqvgvaDNXh41hmhkAOI/XN5+RH5LSRBUz1YW92vcS4hP+FkBVkm5Mxn1KGhmtfETHW58UFdwA5SqIhcM3IZJnArq9CCwhylBwxNZxuJW+78uSK+iNvEd+FscSOqTBbvqYVPek0sm9ikIowTlsmvG0aWU45UKBBzttNjy4g1dFpKl8muyetW3WpXvchQ5dtlJ0hER139CExPp0VDSqeylSBD9e1a0VSrEU9WHPH+IPhXGWa2e9zqkR0Vpit73lQszFZA18LiWguyD/vuewEmceGewR0gSyJRj3AFE5AZqL1nJlePmhVIMl6eugcLaTAaEkUhRb3FjIY7zhmCfZBxthdFNp767SztOr1PiSH94=
Content-Type: multipart/alternative; boundary="_000_05171615923948329150521F15058205skyuk_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 30329652-fbc1-43ff-17c0-08d6b28d99d6
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2019 08:24:15.8750 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 68b865d5-cf18-4b2b-82a4-a4eddb9c5237
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0601MB2229
Archived-At: <>
Subject: Re: [Doh] [EXTERNAL] Re: Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Mar 2019 08:24:22 -0000

On Tue, Mar 26, 2019 at 6:26 AM Patrick McManus <<>> wrote:

right. The weakness here is that validating a name that probably comes from an unauthenticated source is not a very strong signal. That seems inherent in the draft, but maybe worth calling out more explicitly.

Right.  It typically comes from unauthenticated DHCP or RDNSS.

One thought I've pondered is whether there is a way to apply policy to the hostname in the DoH template URL, as that is an authenticated hostname.  For example, clients could validate against a blacklist of known-bad DoH server hostnames/domains.  This may not scale well enough to be viable.  But we are inherently getting unauthenticated data from an unauthenticated source.  But that unauthenticated data is something which is possible to authenticate and possibly authorize based on the hostname.

You could equally state that the user has to ‘approve’ all new DoH templates. Each has its own issues and in any reasonable scheme its likely you’d need both. One to capture users approval to use a particular DoH provider (including accepting their privacy policy t&c’s whatever). The other so that some form of policy protecting the user from malicious DoH can be applied. The issue is as ever managing such lists without creating the ‘click through’ problem on the choices side.  (read users never read stuff that pops up too often). Or issues with the curation of the blacklist and arguments on what is malicious and what is good for the user.

(Next is a very early thought so I may yet find a reason not to like it)

Another option that I’m liking more the longer I consider it is a notary mechanism. This is like your blacklist but has properties that avoid the who audits / polices the lists. So your notaries provide white and black lists for DoT/DoH even Do53. Anything outside the list SHOULD present something to the user with the policy information provided. Yes that could be lie but that’s not something we can fix.

Not saying I’ve thought this through completely but its feels scalable and doesn’t significantly impede new DoH providers. Users will self-police the notaries and that side can be as simple or complicated as they like including having multiple lists with different privacy properties.

A similar model is done in Provisioning Domains where unauthenticated PvDs come from the network and are used to construct well-known URLs:<>

How to make this practical is where I get stuck.  :-)


Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD