Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

nalini elkins <> Tue, 12 March 2019 01:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1A2E712D826 for <>; Mon, 11 Mar 2019 18:54:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id H1iP-fPaYGIm for <>; Mon, 11 Mar 2019 18:54:41 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 498C912D550 for <>; Mon, 11 Mar 2019 18:54:41 -0700 (PDT)
Received: by with SMTP id a17so850937ljd.4 for <>; Mon, 11 Mar 2019 18:54:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Yu9wpMac0qPy1t2fHsCOu1V6EC+oYiTi6mZWH3usOlo=; b=1sHRCyu7zlw4/V2tR7FsBzFoUhObKXi0mIYmJCr4r35tOfcCwOvKQqf1ypn4nbI8IB WWZY2zZ7EINgyLj5Z9SLMmRJL1VhNSL/Bb75VnFJ01XHQao3kTQ1jO31q+7AMQoNsJhi bF9fZImOCi8KlOmGMRyCyr3bshWo4ndqHAchUaDYNTEmFNEAY/h2HWwxisHR1DRxC/tw WpQ//hTjBvgBVxHHXiioL55HBMUxu3k49dqm3Ohpc1eadaNmlcbKhEspmUwcPGXFknzu 8XOy7G3oWDozdHGLDmA0OFtvkYR/Kr/dcE+46tjs/mTFHrfsq3AF6TsuEkCFkPl5liS0 HPpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Yu9wpMac0qPy1t2fHsCOu1V6EC+oYiTi6mZWH3usOlo=; b=P4OqBLgTjInN5/ofL1cm9iA3SiPSPZaTAkA5uOUzJmM7lT/QOl854jnXtJgPMHoggR y2hVasbK1ZCWdXUmgeuizEqRkF9sq7wkqCGTkYW7jy6oT7FtBRkyDvd0+dVn9RICnfCg 4VmvW1SQgiuxsq2ReBNXRWW/s8UUQLNFBDVsqG/mOJ0/qwYdokYW3sVSZdHfZL6AzDsS jUyC9IkDGLYf4m63EtlhRhJqEzoM2kOFDef286COCGzUaHRzSnV77Lk/KGSetK1B6JGr 1GgOgpCdEaDzA833PyYwDdyIrmXDIvNbi2qLeAiJFGSIzehnhc3vzvtk3aPJmBnhuAA7 eZ4Q==
X-Gm-Message-State: APjAAAV++1JQ4eQFWhGSe1utIvyPvj4sOOwUGYWMFTtEKmJXBQ65xFZG 69cdrQvD0jSGHc27hvWy3BEtSAlbsDa0UvGkf2Y1sQ==
X-Google-Smtp-Source: APXvYqzLQS/P1I/0IA1NDx7r4WqCZafy5vmwdJnCsNTpOH6vwtRVF6snT5AeaIyMKL7onjngu9r4BYGN7hiFpJMbuA4=
X-Received: by 2002:a2e:87cf:: with SMTP id v15mr818835ljj.22.1552355679295; Mon, 11 Mar 2019 18:54:39 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: nalini elkins <>
Date: Tue, 12 Mar 2019 07:24:29 +0530
Message-ID: <>
To: Stephen Farrell <>
Cc: Paul Vixie <>, "" <>, "Konda, Tirumaleswar Reddy" <>, "" <>, "Ackermann, Michael" <>, Christian Huitema <>, "" <>, Vittorio Bertola <>
Content-Type: multipart/alternative; boundary="000000000000d470610583dbf824"
Archived-At: <>
Subject: Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Mar 2019 01:54:44 -0000


> TLS1.3 will, I expect, noticeably improve security for an awful lot of
enterprises in time.

I am sure you are right.   There is also likely to be quite a bit of pain
ahead for many.  Also,
this is exactly why I propose a neutral observer who might tease out the
nuances.   Or
say something along the lines of "if you do x, you will need to do y".  It
may also be
needed to have subtopics.   And, the pro and con sides could also provide a
The write up could also propose transition strategies.

I am trying to make it so that people, including enterprises, can better
decide the merits of the
situation for themselves.

Many people do not have the time, expertise or energy to follow these
discussions which
have gone on for a number of years.  I have also seen assessments of
protocol changes from people
who have "a dog in the hunt" so to speak.  That is, vendors who provide an
assessment which
(shockingly enough) results in their own products (which again shockingly,
cost money) being the best
solution.  There is much hyperbole on all sides of not just the TLS1.3
issue but DoH also.

I compliment the authors of the current drafts on DoH deployment drafts for
good efforts to bring
light to this subject.

Having said that, I would like to see IETF work with a neutral third party,
maybe an academic institution,
or CERT, or someone else help people, including enterprise operators, who
have to make decisions to
implement these protocols and possibly change their architecture
strategies.  Even if we manage to
come to consensus on an IETF draft and create an RFC on DoH deployment,
many enterprises do not
keep up with all RFCs nor do they always have the time to evaluate
everything properly because they
are so busy with the fires of the current day.   I worked for large
enterprises for many years doing network
design and troubleshooting.  I was always extremely busy fighting the
issues of the day.

Enterprises, and many others, do pay attention to what NIST or CERT says.
 Just my 2 cents to try
to find a long term solution to what has been a contentious and exhausting
multi-year set of discussions
for all involved and which seems set to rekindle with DoH.


On Tue, Mar 12, 2019 at 5:30 AM Stephen Farrell <>

> (This distribution list is too scattered and diverse. Be
> great if some AD or someone just picked one list for this.
> In the meantime...)
> On 11/03/2019 20:43, nalini elkins wrote:
> >  impact assessment that certain changes such as
> > DoH and TLS1.3 will have on enterprises,
> TLS1.3 will, I expect, noticeably improve security for an awful
> lot of enterprises in time.
> As for DoH, I wonder has anyone done studies on how split-horizon
> names and access patterns leak today?
> I don't recall having read that kind of study. I can imagine
> many ways in which that kind of stuff would leak. I'd be very
> surprised if it never happens. I don't know how often it does.
> For names, leaking once is kinda fatal. For access patterns,
> I guess one leak exposes an IP address that's interested in a
> name (e.g. but more would be
> needed for broader access patterns to be exposed to "foreign"
> recursives and/or in-band networks.
> ISTM that it is quite possible that enterprises that deploy their
> own DoH services could potentially reduce such leakage and gain
> overall. (I'm assuming here that sensible browser-makers will
> end up providing something that works for browsers running in
> networks with split-horizon setups before those browsers turn
> on DoH as a default at scale.)
> Cheers,
> S.

Nalini Elkins
Enterprise Data Center Operators