Re: [Doh] DOH and split DNS

Patrick McManus <pmcmanus@mozilla.com> Mon, 06 November 2017 15:12 UTC


If we were to do an operational doc, it seems fine to note that who you ask
determines what the answer is and therefore you need to consider who you
are asking. Uncontroversial - indeed it's really a motivator for DoH in the
big picture.

On Mon, Nov 6, 2017 at 7:00 AM, Andrew Sullivan <ajs@anvilwalrusden.com>
wrote:

> On Mon, Nov 06, 2017 at 11:13:19AM +1100, Mark Nottingham wrote:
> >
> >  Some careful wording around the configuration mechanism should help.
> >
> > Allowing something like proxy.pac to override DOH doesn't make any
> sense, given that the primary purpose of DOH is to NOT allow the local
> network to impose policy on communication with the DNS server.
> >
>
> That careful wording had better be pretty careful.  I don't believe
> for an instant that most users have a workable theory for which
> resolution mechanism they're using, and if they configure DOH and
> suddenly all the "internal sites" don't work they're going to be
> pretty surprised.
>
> It strikes me as pretty strange, too, to suggest that, if a user
> configures proxy.pac, they don't want the local network to offer such
> policies.  If the user is prepared to use the proxy, presumably the
> user is prepared to use it to impose local policy, no?
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs@anvilwalrusden.com