Re: [Doh] [EXTERNAL] Re: [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

"Winfield, Alister" <Alister.Winfield@sky.uk> Tue, 12 March 2019 13:12 UTC

From: "Winfield, Alister" <Alister.Winfield@sky.uk>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Eliot Lear <lear@cisco.com>, Paul Vixie <paul@redbarn.org>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "doh@ietf.org" <doh@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Christian Huitema <huitema@huitema.net>, nalini elkins <nalini.elkins@e-dco.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, "Ackermann, Michael" <mackermann@bcbsm.com>
Date: Tue, 12 Mar 2019 13:11:48 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/F4Len96N6DcVOm0wlEaB-fCvif8>

MDM is also a red herring given >90% of devices world-wide aren't managed, so anyone talking of MDM riding to the rescue of DoH client configuration is walking around with blinkers on. Even inside company networks there are servers not under MDM; locally developed applications that might in future pull in a DoH resolver; BYOD; visitors; malware; and so on. So whatever you think, a reasonable solution for client configuration has to start with unmanaged clients. That last one, malware, is why the corporate response may well be to 'MITM' the traffic so we can protect the data, people and systems using our network.

What DoH discovery and presentation looks like is a complex issue that will take some discussion. Just one small example: I might want to use the local network's DNS if and only if it provides anti-malware protection and has a reasonable privacy policy, but use a static one if not. Or perhaps on a child's device it's okay if there is filtering in place suitable for children.

Alister

On 12/03/2019, 05:43, "dns-privacy on behalf of Konda, Tirumaleswar Reddy" <dns-privacy-bounces@ietf.org on behalf of TirumaleswarReddy_Konda@McAfee.com> wrote:

    > -----Original Message-----
    > From: Eliot Lear <lear@cisco.com>
    > Sent: Monday, March 11, 2019 11:49 PM
    > To: Paul Vixie <paul@redbarn.org>
    > Cc: nalini elkins <nalini.elkins@e-dco.com>; Konda, Tirumaleswar Reddy
    > <TirumaleswarReddy_Konda@McAfee.com>; doh@ietf.org; dnsop@ietf.org;
    > Ackermann, Michael <mackermann@bcbsm.com>; Christian Huitema
    > <huitema@huitema.net>; dns-privacy@ietf.org; Vittorio Bertola
    > <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>; Stephen Farrell
    > <stephen.farrell@cs.tcd.ie>
    > Subject: Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
    >
    > Hi Paul,
    >
    > > On 11 Mar 2019, at 19:12, Paul Vixie <paul@redbarn.org> wrote:
    > >
    > >
    > >
    > > nalini elkins wrote on 2019-03-11 10:26:
    > >> Tiru,
    > >> Thanks for your comments.
    > >> > Enterprise networks are already able to block DoH services,
    > > i wonder if everyone here knows that TLS 1.3 and encrypted headers is
    > going to push a SOCKS agenda onto enterprises that had not previously
    > needed one, and that simply blocking every external endpoint known or
    > tested to support DoH will be the cheaper alternative, even if that makes
    > millions of other endpoints at google, cloudflare, cisco, and ibm unreachable
    > as a side effect?
    >
    > That or it will require a bit more management at the MDM level.  I’m hoping
    > the latter.  And I hope that one output of all of these documents will be a
    > recommendation regarding MDM interfaces.

    I don't think MDM is required to use the DoT/DoH servers provided by the local network.

    -Tiru

    >
    > Eliot
