Re: [Doh] [EXTERNAL] Re: Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

"Winfield, Alister" <> Mon, 28 January 2019 09:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 76C07130FF9 for <>; Mon, 28 Jan 2019 01:58:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.553
X-Spam-Status: No, score=-6.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xD5Jr9shbjw3 for <>; Mon, 28 Jan 2019 01:58:21 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fe06::616]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C6146129508 for <>; Mon, 28 Jan 2019 01:58:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CZtcGwplZBIKvxj6q62xLwdul65uqfpYaMRxsNG6BAI=; b=MNZeR++2T6VphAvuNb3fkayAqxb2z+QOGwNO0QEeOnDyPLJVzpStw+GoSIJAea0GA3lBNV5YXiOl6ihELni8J03j7t3IVT+YC3t5O9eWZdmMRsTUFikw1Zbo4hpVEYce6cWIS9brIGniEZH7MRyY+U8ZXQKeFf8eK44Y/34SBnw=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1558.18; Mon, 28 Jan 2019 09:58:18 +0000
Received: from ([fe80::148d:a08a:46fa:294]) by ([fe80::148d:a08a:46fa:294%10]) with mapi id 15.20.1558.023; Mon, 28 Jan 2019 09:58:17 +0000
From: "Winfield, Alister" <>
To: DoH WG <>
Thread-Topic: [EXTERNAL] Re: [Doh] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh
Thread-Index: AQHUsuzVoWEZWxkEakamBfJ6NkBIVaW87R2AgAdtZoCAAB+dAA==
Date: Mon, 28 Jan 2019 09:58:17 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0601MB2178; 6:jTeP3YBc4Aa0EHggUJS4zybm+4oA7MtxGKHC9Q8zvlfVU44OhuvFKSjQVITHrikNoYCJ098GFXzYZ+r9oo9CVg0FMte8mk76rfRZhS7dyUeO8XOVmZacFsc/NJZnTLf26gA5dkqOmFCeFF8ZJtCZDs6Al2VE1CzsEzXpHkVb1El4enMYsVny4YXRqvgZGh16n0hbdQyW8YrntKcSJqPYR5K4nSbpB0UsGD7Grrakad/lhSiXdax+eVRu3M/JmTQ24RTNSmfN5ppCiwrchLBPg3vwS/y5CPrFCZwMKHrvCbEfR6i6w98HBE/WlaIvegl3fZ7Rt8n7rdttN91BkYbT0Rf9Jc308xCHaJP1IEybptfX4ZMcuYfxKq9ADqo8f243CPiA6ue//ZWfQ+H/0Y+rJ/wSMCt561efNWzW7RsOgn6eydgB1I4fTrlwj4CTpIKBrfB+0sj2hAbT/P/nCCi1oQ==; 5:/TGNk6lMldJUKL6k9WitKtFgKinEWhkJIQDt7mpTBD8QkbSgXrqLm1C/4Fz6TdryGfqWTOoqlDCRtmRclaYyv3W7JX1UuB/9FLAP2pMNgwjI67mFXML8at/WXG1vwjxotPeQvAK5qRUe9yhj2HudatuuPzrZ0lHlRslr07GJih38LA9IvFbnAWnLF1sAncp8RLR6mvUflIw41OarvzGpQA==; 7:Hih2wOWFD9RjPevh2SxM7fGYgLU25Asbv/+rr8w5/gkkaDj8mqFrTlPNHU01B95muX4H7plVR2aoWpjd3iD/LOyZTu1mqEX8bTplAXCEBKV25+F7aHL0n0xx8I7gqE5ah6LnqePpX07vOJoMYBo+rw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: a22a88a7-84db-4708-679f-08d6850720a4
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(2017052603328)(7153060)(7193020); SRVR:AM4PR0601MB2178;
x-ms-traffictypediagnostic: AM4PR0601MB2178:
x-microsoft-antispam-prvs: <>
x-forefront-prvs: 0931CB1479
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(346002)(376002)(396003)(136003)(366004)(199004)(189003)(6486002)(486006)(476003)(8676002)(8936002)(83716004)(71200400001)(82746002)(256004)(14444005)(5024004)(6916009)(74482002)(6512007)(2906002)(316002)(72206003)(81156014)(7736002)(81166006)(33656002)(71190400001)(6306002)(2616005)(86362001)(305945005)(3846002)(106356001)(58126008)(66066001)(25786009)(6506007)(6436002)(186003)(14454004)(76176011)(33896004)(105586002)(6116002)(66574012)(99286004)(229853002)(26005)(446003)(68736007)(966005)(11346002)(36756003)(93886005)(97736004)(6246003)(478600001)(53936002)(102836004); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0601MB2178;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: BIkMk6VxhjBf9gPaqescl5ClZIqHM9KvAyd99Yb6lsWLuBbCgAO9MAl/aoi+wjqKG83fJ5KPx/VCQckPIK94VympKMuUussCtn4SUcu0vfhce4I7wLLih8kT5LzgJ6FukRPszHf1ayyjcXelC03gnPk14ARdWbrZ9nafhgOHxxj/V2S64N1yZoHHxsJWHJQOq4nS6GpQHCrllDYQS7GS51n+WKqE4ElYZNHvs0nGojXlYQY+g7Ta3j5P3eEbCy35orE0vx2JHhDtPyZqa9bwcd6Ahtk1U8yIwtMN4dJNkBpgVucLUPf631k9iORrk0nrpvnl2o5O7mo265dl3qG9OhR3jF8zFq3b1sWIfDNBYerVzxZ/U1Aha42XDwqxN6mH7b5wSctdY1tQ5T7dMXpcqiVJ7kU27lQJXrnciHEK9TA=
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a22a88a7-84db-4708-679f-08d6850720a4
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jan 2019 09:58:17.7503 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 68b865d5-cf18-4b2b-82a4-a4eddb9c5237
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0601MB2178
Archived-At: <>
Subject: Re: [Doh] [EXTERNAL] Re: Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Jan 2019 09:58:24 -0000

I happen to find it harder to trust a company where there is no contract and the company is not operating under local laws that I know and understand. Others with less trust of local laws, regulations and governments would feel rather differently. At work I'll take the local resolvers over everything else because I know they will do what they can to avoid malware inside the network (eg blocking C&C domains).

So can we be more nuanced in the meaning of trusted and accept both viewpoints.

This exchange is why I think the whole area is missing concepts:

a) Defining trust and privacy in general terms. The BCP draft has some of this but it's likely that there is more to do to cover every angle.
b) Somehow securely advertising what types of trust and privacy your resolver is built to provide. Here we are very light and it could be built into the discovery mechanism or perhaps not ?
c) Auditing and its related actions on failure to uphold promises made in (b). Here be dragons, the problem is avoiding a central authority that charges and allowing anyone to setup a DNS TRR perhaps akin to self-signed certs in the way that the client can handle 'trust'. Perhaps a notary solution is better in that it allows a user to define who they trust and that trusted entity can then accept or deny resolvers.

Remember, the autodetection concept is for those where using local DNS is a non-issue or is required. Yes for those who are more focused on the transport security the way you get that DNS resolver IP is suspect but that is an interesting challenge for the protocols involved (DHCP, PPPoE etc).

Alister Winfield.

On 28/01/2019, 08:05, "Doh on behalf of Daniel Stenberg" < on behalf of> wrote:

    On Wed, 23 Jan 2019, Vittorio Bertola wrote:

    > This could be true for you and me, but average users have no idea of what
    > the DNS is - they only make one choice, they pick an *ISP* that they decide
    > to trust.

    I don't know a single ordinary person who selected their ISP based on their
    privacy stance for DNS queries. The people I know pick ISP primarily based on
    availability, price, bandwidth and technology.

    I actually think rather few people trust their ISP, and I think history would
    give them right since so many ISPs have violated their users' privacy and data
    through the years.



    Doh mailing list
    This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by sending them to as attachments. Thank you

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD