Re: [Doh] operational considerations

Martin J. Dürst <duerst@it.aoyama.ac.jp> Fri, 17 November 2017 07:15 UTC

To: Eliot Lear <lear@cisco.com>, "doh@ietf.org" <doh@ietf.org>
References: <60b879b8-d107-ec79-b2f1-357e354702e4@cisco.com>
From: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
Message-ID: <22166e53-71e4-8787-08f4-7528559076d2@it.aoyama.ac.jp>
Date: Fri, 17 Nov 2017 16:15:35 +0900
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/DfNNcxlRHBxu4mlnJKizKdJG3M4>
Subject: Re: [Doh] operational considerations
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 07:15:45 -0000

Hello Eliot,

On 2017/11/16 17:31, Eliot Lear wrote:

>    * When used, split-horizon DNS provides different answers based on the
>      source of a query [RFC6950].  The common case of this is an
>      enterprise that does not expose the existence of internal services
>      to the outside world.

>      If a DOH server residing on the Internet may,
>      therefore, provide an inconsistent answer than an internal resolver
>      would.

This sentence doesn't make sense to me. I suggest a rewrite.

Regards,   Martin.


>      To address the common case, a DOH client MAY contain some
>      configuration, such as a list of local domains that should use UDP-
>      or DPRIVE-based queries.
>    * Many deployments review DNS queries and responses on the wire to
>      detect for malware or other policy concerns.  Where such exposure is
>      required by policy, DOH the user may wish to not configure DOH.
>
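The quoted draft text describes a DoH client that carries a list of local domains which should be sent to the internal (UDP- or DPRIVE-reachable) resolver rather than to a DoH server on the Internet, because a split-horizon deployment would otherwise give inconsistent answers. The following is an added example, not code from the draft, the DoH working group or either poster; it implements that routing decision as a small policy object and then shows the inconsistency with constructed zone data. The names `ResolverPolicy`, `route`, `resolve`, the `corp.example` domain and the two sample zones are all assumptions made for the illustration.

```python
"""Split-horizon routing decision for a DoH client (added example).

Assumes a client configuration holding a list of "local domains", i.e. names
that only an internal split-horizon resolver can answer correctly. Queries
under those domains are routed to the internal resolver (classic UDP or a
DPRIVE transport); everything else goes to the public DoH server. Only the
decision is implemented; the two transports are represented by labels and
the answers come from constructed in-memory zones so the module runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field

INTERNAL = "internal-resolver"   # UDP / DPRIVE to the enterprise resolver
DOH = "doh-server"               # public DoH server on the Internet


def _labels(name: str) -> list[str]:
    """Normalise a DNS name for comparison: lowercase, drop the trailing root dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def _canon(name: str) -> str:
    """Canonical textual form used as the key into the sample zones."""
    return ".".join(_labels(name))


@dataclass
class ResolverPolicy:
    """Hypothetical client configuration: the list of local domains."""
    local_domains: list[str] = field(default_factory=list)

    def is_local(self, qname: str) -> bool:
        """True when qname equals, or is a subdomain of, a configured local domain.

        The match is label-wise, so 'notcorp.example' does not match a
        configured 'corp.example' the way a naive string suffix check would.
        """
        q = _labels(qname)
        for dom in self.local_domains:
            d = _labels(dom)
            if d and len(q) >= len(d) and q[-len(d):] == d:
                return True
        return False

    def route(self, qname: str) -> str:
        """Pick the resolver a query for qname should be sent to."""
        return INTERNAL if self.is_local(qname) else DOH


# Constructed sample data: what each resolver would answer for the same names.
# The internal resolver knows the intranet host and returns private addresses;
# the public view only has the externally published name.
INTERNAL_ZONE = {"intranet.corp.example": "10.0.0.5", "www.corp.example": "10.0.0.8"}
PUBLIC_ZONE = {"www.corp.example": "203.0.113.8"}


def resolve(policy: ResolverPolicy, qname: str) -> tuple[str, str]:
    """Return (resolver used, answer) for qname under the given policy.

    With an empty local-domain list every query goes to the DoH server, and the
    intranet name comes back as NXDOMAIN; with 'corp.example' configured as
    local, the same query reaches the internal resolver and gets its address.
    """
    target = policy.route(qname)
    zone = INTERNAL_ZONE if target == INTERNAL else PUBLIC_ZONE
    return target, zone.get(_canon(qname), "NXDOMAIN")


if __name__ == "__main__":
    unconfigured = ResolverPolicy()
    configured = ResolverPolicy(local_domains=["corp.example"])
    for name in ("intranet.corp.example", "www.corp.example", "notcorp.example"):
        print(f"{name:24s} no list -> {resolve(unconfigured, name)}")
        print(f"{name:24s} list    -> {resolve(configured, name)}")
```

The label-wise comparison in `is_local` is the part worth copying: a plain `endswith` check would treat `notcorp.example` as local and leak the query to the internal resolver, while a missing or empty list reproduces exactly the inconsistency the draft warns about, an intranet name answered NXDOMAIN by the public DoH path.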