Re: [Doh] WG Review: DNS Over HTTPS (doh)
Warren Kumari <warren@kumari.net> Fri, 22 September 2017 16:24 UTC
From: Warren Kumari <warren@kumari.net>
Date: Fri, 22 Sep 2017 12:24:02 -0400
Message-ID: <CAHw9_i+0AKRQnnUkagB1XqoiiNVvcYu5psaHPrqzCetbudEu0w@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Ted Hardie <ted.ietf@gmail.com>, doh@ietf.org, IETF <ietf@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/LGdgGdCWnfEHI3Wd9d4zwZ7d17s>
On Fri, Sep 22, 2017 at 8:12 AM, Tony Finch <dot@dotat.at> wrote:
> Ted Hardie <ted.ietf@gmail.com> wrote:
>
>> I think you're underestimating the value of a switch to a multiplexing
>> facilitating protocol/transport. Once this has gotten its legs under it, I
>> suspect that this approach for connecting to caching resolver will perform
>> better than any of traditional udp/tcp connections or the tls/dtls
>> approaches DPRIVE created.
>
> DNS over TCP already supports out-of-order responses. The reason it has
> historically not performed very well is that server implementations have
> handled queries on a TCP connection serially rather than concurrently.
>
> But this is improving. BIND 9.11 (for example) supports concurrent queries
> with out-of-order responses over TCP and TCP fast open, so queries over
> TCP should perform well, and better than UDP for large responses.
>

Yup -- RFC7766, S6.2.1.1 says you should do this, as does RFC7858 ("Specification for DNS over Transport Layer Security (TLS)").

So, these are only my personal views / no hats / etc, but to my mind one of the main reasons that I'd like to see Doh! succeed is for censorship resistance (in parallel with the dprive work).

Currently plain-text DNS leaks a huge amount of privacy information; DPRIVE solves much of this, but one weakness is that it is still clearly DNS traffic[0]. This allows bad, evil, no-good totalitarian regimes to block it and force you to use resolvers under their control and so can control what you can reach, or watch where you are going and send the secret police to "re-educate" you if you are looking at things you shouldn't be. . .

Now, reread the previous sentence with s/ bad, evil, no-good totalitarian regimes / friendly corporate IT folk / and s/ the secret police / human resources /.
This allows friendly corporate IT folk to block it and force you to use resolvers which they control and so can control what you can reach, or watch where you are going and send human resources to re-educate you if you are looking at things you shouldn't be.

This is (I believe) what Eliot was pointing out -- this is important information for enterprises - it is used to limit liability, ensure employees are not "wasting time", and corporate security to detect that they need to re-image Bob's machine *again* because he persists in clicking questionable links and installing random bits of malware.

Unfortunately you cannot separate case 1 from case 2 -- if you make it something that enterprise folk can detect / block (on BYOD devices) then you have provided that facility to everyone. I believe that this is simply the "encryption should be outlawed / backdoored because it helps <insert bad guy here>." argument in another guise[1].

If Doh! is done right in my view it should be indistinguishable from other web traffic and / or the collateral damage from blocking it would be (hopefully!) politically untenable.

W

[0]: either because it is using the domain-s port (853) or through fingerprinting / heuristics of the TLS stream if you do something like just run it over port 443.
[1]: luckily this isn't at all controversial, and isn't going to suck this thread down another rat-hole.

> Tony.
> --
> f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Faeroes, Southeast Iceland: Southeasterly 4 or 5, increasing 6 to gale 8
> later. Moderate or rough, occasionally very rough later. Showers, rain later.
> Good, becoming moderate or poor later.

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
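The exchange above turns on what RFC 7766 section 6.2.1.1 asks of a DNS-over-TCP client: send several queries on one connection without waiting, and accept the responses in whatever order the server produces them. The block below is an added illustration of that client-side logic, not code from the original message, from BIND, or from any RFC. It builds wire-format queries, applies the two-byte TCP length prefix, and matches responses to outstanding queries by message ID while also checking that the question section matches (a response whose ID collides with a pending query but asks a different question is discarded). The server is a constructed stand-in that answers in reverse order and hands the bytes back in two chunks split in the middle of a message, which is the case a naive "read one message per recv()" client gets wrong; no network is used.

```python
"""Pipelined DNS over TCP: out-of-order responses matched by message ID.

Added example (not from the original e-mail or any implementation).
Resolver behaviour is simulated; nothing here touches the network.
"""
import secrets
import struct

RD = 0x0100            # query flags: recursion desired
QR_RESPONSE = 0x8180   # response flags: QR=1, RD=1, RA=1, RCODE=0
TYPE_A = 1
CLASS_IN = 1


def build_query(qname, qtype, msg_id):
    """Wire-format DNS query (RFC 1035 4.1): 12-byte header + one question."""
    header = struct.pack("!HHHHHH", msg_id, RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def frame(msg):
    """DNS over TCP framing (RFC 1035 4.2.2): 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def deframe(buf):
    """Split a TCP byte stream into complete messages; return (messages, leftover)."""
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break                          # partial message: keep bytes, wait for more
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def question_of(msg):
    """Question section: everything after the 12-byte header (single-question messages)."""
    return msg[12:]


def pipelined_resolve(names, send_and_receive):
    """Send every query at once, then demultiplex responses by ID (RFC 7766 6.2.1.1).

    Returns (answers, still_pending). send_and_receive takes the outgoing
    byte stream and yields received chunks of arbitrary size.
    """
    pending = {}
    out = b""
    for name in names:
        mid = secrets.randbelow(65536)
        while mid in pending:              # IDs must be unique per connection
            mid = secrets.randbelow(65536)
        pending[mid] = name
        out += frame(build_query(name, TYPE_A, mid))

    answers = {}
    buf = b""
    for chunk in send_and_receive(out):
        buf += chunk
        msgs, buf = deframe(buf)
        for msg in msgs:
            mid = struct.unpack("!H", msg[:2])[0]
            name = pending.get(mid)
            if name is None:
                continue                   # unknown or already-answered ID: discard
            # ID alone is 16 bits; also require the question to match ours.
            if question_of(msg) != question_of(build_query(name, TYPE_A, mid)):
                continue
            answers[name] = msg
            del pending[mid]
    return answers, pending


def out_of_order_server(stream):
    """Constructed stand-in for a concurrent resolver: answers in reverse
    order and returns the stream in two chunks split mid-message."""
    queries, _ = deframe(stream)
    wire = b""
    for q in reversed(queries):
        wire += frame(q[:2] + struct.pack("!H", QR_RESPONSE) + q[4:])
    split = len(wire) // 2 + 1             # deliberately not on a message boundary
    return [wire[:split], wire[split:]]


if __name__ == "__main__":
    got, missing = pipelined_resolve(["example.com", "example.net", "example.org"],
                                     out_of_order_server)
    print(sorted(got), "unanswered:", missing)
```

The two things worth copying into a real client are the `deframe` buffer (TCP gives you a byte stream, not messages, so a response can straddle two reads) and the question-section comparison alongside the ID match, which is what keeps a stray or injected response with a colliding ID from being accepted as an answer.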