Re: [Doh] [EXTERNAL] Re: DoH

<andrew.campling@bt.com> Fri, 29 March 2019 10:58 UTC

Return-Path: <andrew.campling@bt.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EF1B12027D for <doh@ietfa.amsl.com>; Fri, 29 Mar 2019 03:58:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w9W7orLcQ-qj for <doh@ietfa.amsl.com>; Fri, 29 Mar 2019 03:58:06 -0700 (PDT)
Received: from smtpe1.intersmtp.com (smtpe1.intersmtp.com [62.239.224.237]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82A8412025F for <doh@ietf.org>; Fri, 29 Mar 2019 03:58:05 -0700 (PDT)
Received: from tpw09926dag11e.domain1.systemhost.net (10.9.212.11) by RDW083A010ED66.bt.com (10.187.98.36) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 29 Mar 2019 10:57:28 +0000
Received: from tpw09926dag11h.domain1.systemhost.net (10.9.212.35) by tpw09926dag11e.domain1.systemhost.net (10.9.212.11) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 29 Mar 2019 10:58:02 +0000
Received: from tpw09926dag11h.domain1.systemhost.net ([fe80::31b2:6108:6eda:82cd]) by tpw09926dag11h.domain1.systemhost.net ([fe80::31b2:6108:6eda:82cd%12]) with mapi id 15.00.1395.000; Fri, 29 Mar 2019 10:58:02 +0000
From: <andrew.campling@bt.com>
To: <Alister.Winfield@sky.uk>, <adam@nostrum.com>, <john@johncarr.eu>, <mcmanus@ducksong.com>
CC: <paul.hoffman@icann.org>, <doh@ietf.org>
Thread-Topic: [EXTERNAL] Re: [Doh] DoH
Thread-Index: AQHU5Yj5ws0QKXF/kE2CC/ccxm7ktqYhTCtAgAAMBQCAADqbgIAA2wYA
Date: Fri, 29 Mar 2019 10:58:01 +0000
Message-ID: <6bebaadff9b54dc1a906c237a756d476@tpw09926dag11h.domain1.systemhost.net>
References: <DB7PR03MB4698C510EC609C85725FC158C6590@DB7PR03MB4698.eurprd03.prod.outlook.com> <CAOdDvNpJqaemDTHcUtTQ7Xc1cq5OOFU91qq_h97j6Uv1RTHD7A@mail.gmail.com> <DB7PR03MB4698A645255E883C9CC07AC3C6590@DB7PR03MB4698.eurprd03.prod.outlook.com> <73a0935d-f80b-0e8d-eb89-cb35a473122c@nostrum.com> <826904ddc23941d5be4d8872c4f2737a@tpw09926dag11h.domain1.systemhost.net> <2af82a6d-6887-ae36-4527-47e476829345@nostrum.com> <9E29A232-BA75-478D-96BF-5D6164142BDD@sky.uk>
In-Reply-To: <9E29A232-BA75-478D-96BF-5D6164142BDD@sky.uk>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.216.161.27]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/EfhPzGpMHQzy5fpFSHu2WEcPt2U>
Subject: Re: [Doh] [EXTERNAL] Re: DoH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 10:58:09 -0000

On Mar 28, 2019, at 22:40, Winfield, Alister <Alister.Winfield=40sky.uk@dmarc.ietf.org> wrote:

> Top posting on purpose ….

> I’ve tried to respond twice to this and I think third time I might get closer to my thinking…

> The DoH solution (note not necessarily protocol) is missing at least two key elements which together would have reduced the 
> immediate panic in the implementation. Not to say there aren’t other things that need work just the really problematic issues 
> could be contained or deferred.

> The current active work on discovery and somehow defining a trust and privacy mechanism surrounding TRR’s. 

> With trusted lists of TRR’s you’d then be able to use the output of a fundamentally insecure discovery method. If that 
> ‘trust and privacy’ were to be selectable say by choice of provider. You get the option to allow the local network policy / or 
> not. You can chose to allow trusted coffee shops but others may be not in your list because they do things that ‘you’ don’t 
> like. Parents can chose to trust only those DNS providers that give strong parental controls. Whatever group you are in 
> many things would be less controversial. Oh, it’s not easy but at least we wouldn’t be in the current position where it is 
> almost certain that a sudden change will occur to a keystone of the Internet. 

> Worst case example is that given the billions of queries per second we are talking about here and the localisation of 
> content delivery it impacts, many terrabytes per second of traffic could / would rapidly migrate to less-optimal CDN’s. The 
> distribution of this might well break networks, sadly there is no research that can reliably work out the full impact. Small 
> trials really don’t help because we already handle small percentages of non-local DNS use. It’s the unknown of what 
> happens if 80% of the users in a single software update change to a non-local DNS provider (especially if it’s one that 
> doesn’t forward granular enough EDNS client-subnet data because ‘privacy’).

> I admit that last paragraph may be FUD, but in this case the risk to the stability of the Internet is potentially at stake so 
> largest possible ‘we’ owe everyone a little time exposing the potential issues in detail with any mitigations if they exist. 
> Preparing those who will be impacted for change and then somehow containing the initial  change so if it really does cause 
> hard to contain issues we have a small enough problem its solvable in reasonable timeframes. Anyone who has done 
> operations will tell you that big changes that happen fast are the nightmare you fight hardest to avoid. 

> One more thing I’ll repeat others warning.. beware unintended consequences this must not end in a fight between 
> networks, or governments and DoH providers. If this goes wrong and corporates and other players decide this is a step 
> too far because of the impacts we all know the outcome could be very messy and I for one would rather work to get a 
> less painful and most likely less privacy impactful result. 

> NB: Don’t bite I do like the protocol and I agree that there are some that need it to exist. 


I agree with the thrust of your argument, think that those that seek to distinguish between the protocol and its impact in  
real-world implementation scenarios are mistaken.  The current design is incomplete and lacking in functionality and 
needs more engineering effort in order to address the shortcomings identified here and elsewhere.  Without further work, 
DoH will simply serve to undermine privacy and security, as well as leaving application developers and resolvers that use it 
in a position where they may be non-compliant with legislation in numerous countries  - and so open to legal redress.   

I hope that the IETF recognises that these are legitimate challenges that need to be dealt with so that DoH can deliver 
it's intended benefits.  


Andrew