Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Paul Vixie <> Tue, 12 March 2019 18:27 UTC

From: Paul Vixie <>
To: Ted Hardie <>
Cc: Warren Kumari <>, Jim Reid <>, DoH WG <>, dnsop <>
Date: Tue, 12 Mar 2019 18:27:11 +0000
Message-ID: <3457266.o2ixm6i3xM@linux-9daj>
Organization: Vixie Freehold
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

On Monday, 11 March 2019 18:30:51 UTC Ted Hardie wrote:
> On Mon, Mar 11, 2019 at 11:06 AM Paul Vixie <> wrote:
> > DoH will moot that approach.
> Any system that actually checks the credentials presented by the responding
> server will also moot that approach.

yes! but it will fail "closed". thus, no unauthorized exfiltration risk will 

> Given how easy it is to pin
> credential characteristics in applications distributed as binaries, this
> seems to mean that your method will either continue to permit applications
> other than browsers to use their own resolution systems or it will hard
> fail all such applications it can identify.  No pass through will work, as
> far as I can tell, in that scenario.

that's precisely the goal, because very few network operators can preordain 
the users and apps that will connect through their networks. to the extent 
that monitoring ('dnstap') and controlling (DNS RPZ) dns lookups by connected 
users and apps is considered a vital local security policy, attempts at such 
"pass through" must be made to fail.

> Perhaps, though, I am missing something about your intent.

i think you've restated some key points of my position with perfect accuracy.

DoH wants to empower users and apps to make decisions about their RDNS which 
cannot be interfered with by on-path actors such as their own network 
operators. by doing this, DoH makes a false equivalence between a dissident 
(who may be considered a criminal in some places) and a criminal (who is 
always considered a criminal in most places) and private users in a hotel room 
or coffee shop or on their home broadband connection, and malware which gets 
inside a network and wants to avoid detection/mitigation while performing 
lookups or exfiltration.

those are four very different things. demanding identical treatment for all of 
them is, in the best possible interpretation, naive.
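The message above refers to DNS RPZ as the mechanism a network operator uses to control lookups made through its resolver. The following is an added illustration, not code from this thread or from any resolver implementation: a small evaluator for RPZ QNAME triggers that shows how a policy zone decides the fate of a query (NXDOMAIN, NODATA, pass-through, drop, or local-data rewrite), including wildcard triggers. The zone apex `rpz.local.`, the zone records, and the query names are constructed sample data.

```python
"""Minimal evaluator for DNS Response Policy Zone (RPZ) QNAME triggers.

Added example, not code from the mailing-list thread or from any RPZ
implementation.  It illustrates how a resolver operator's policy zone
decides what happens to a lookup.  The zone apex, zone contents and the
query names below are constructed sample data.
"""
from typing import Dict, Optional, Tuple

# Standard RPZ action encodings: the CNAME target of a trigger record
# selects the action.  Any other target is "local data" (rewrite the
# answer to that name, e.g. a walled-garden host).
ACTIONS = {
    ".": "NXDOMAIN",            # answer "no such name"
    "*.": "NODATA",             # answer with an empty answer section
    "rpz-passthru.": "PASSTHRU",  # answer normally, but log the match
    "rpz-drop.": "DROP",        # send no response at all
}

RPZ_APEX = "rpz.local."  # constructed policy zone name

# Constructed policy zone, zone-file style.  Owner names are either
# relative to the apex or fully qualified under it.
SAMPLE_ZONE = """
; QNAME triggers -- constructed sample records
malware-c2.example          CNAME .
*.exfil.example             CNAME rpz-drop.
partner.example             CNAME rpz-passthru.
tracker.example.rpz.local.  CNAME *.
ads.example                 CNAME walledgarden.internal.example.
""".strip()


def parse_rpz(zone_text: str, apex: str = RPZ_APEX) -> Dict[str, str]:
    """Return {trigger_qname: cname_target} for each QNAME-trigger record."""
    policy: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        parts = line.split()  # "owner [ttl] [IN] CNAME target"
        types = [i for i, tok in enumerate(parts) if tok.upper() == "CNAME"]
        if not types:
            continue
        owner = parts[0].lower()
        target = parts[types[0] + 1].lower()
        if owner.endswith("." + apex):
            owner = owner[: -len(apex) - 1]  # fully qualified -> relative
        elif owner.endswith("."):
            raise ValueError(f"owner outside policy zone: {owner}")
        policy[owner + "."] = target
    return policy


def lookup(policy: Dict[str, str], qname: str) -> Tuple[str, Optional[str]]:
    """Decide the policy action for a query name.

    Exact triggers win over wildcards; a wildcard "*.zone" matches names
    below "zone" but not "zone" itself, so the search walks up the labels.
    Returns (action, cname_target); (\"ALLOW\", None) when nothing matches.
    """
    name = qname.lower().rstrip(".") + "."
    target = policy.get(name)
    if target is None:
        labels = name.split(".")  # last element is "" for the root
        for i in range(1, len(labels) - 1):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in policy:
                target = policy[wildcard]
                break
    if target is None:
        return "ALLOW", None
    return ACTIONS.get(target, "LOCAL-DATA"), target


if __name__ == "__main__":
    rules = parse_rpz(SAMPLE_ZONE)
    for q in ("malware-c2.example", "host.exfil.example", "exfil.example",
              "partner.example", "tracker.example", "ads.example", "www.example"):
        print(f"{q:22s} -> {lookup(rules, q)}")
```

The walk from the query name toward the root mirrors how a resolver consults its policy zone: an exact trigger is preferred, and a wildcard only fires for names strictly below it, which is why `exfil.example` itself is allowed while `host.exfil.example` is dropped.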