Re: [Doh] A question of trust (was Re: Draft -09 and WGLC #2)

Patrick McManus <pmcmanus@mozilla.com> Wed, 30 May 2018 15:20 UTC

Return-Path: <pmcmanus@mozilla.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79E9C12EABE for <doh@ietfa.amsl.com>; Wed, 30 May 2018 08:20:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level:
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kY3XGwQha8XP for <doh@ietfa.amsl.com>; Wed, 30 May 2018 08:20:53 -0700 (PDT)
Received: from linode64.ducksong.com (linode6only.ducksong.com [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by ietfa.amsl.com (Postfix) with ESMTP id B662612EAC3 for <doh@ietf.org>; Wed, 30 May 2018 08:20:53 -0700 (PDT)
Received: from mail-ot0-f174.google.com (mail-ot0-f174.google.com [74.125.82.174]) by linode64.ducksong.com (Postfix) with ESMTPSA id 7B6353A042 for <doh@ietf.org>; Wed, 30 May 2018 11:20:52 -0400 (EDT)
Received: by mail-ot0-f174.google.com with SMTP id t1-v6so21536479ott.13 for <doh@ietf.org>; Wed, 30 May 2018 08:20:52 -0700 (PDT)
X-Gm-Message-State: ALKqPwdEqtiVvX+FxtnovVw5iMVAn+J8nas57tuNf5uFHjkwqX+iMoVp IKctU2/33/4SPdnYr5KcjDhtepjd9kLr51ezmzw=
X-Google-Smtp-Source: ADUXVKKgCU7Tqya2OqphwwSv2WExd0E/iSM+CGaZJcgHLSp+iWlVDZimGzkso4ufrKLgB5KneXl8qDZHnz1ZnlnjOLw=
X-Received: by 2002:a9d:2c64:: with SMTP id f91-v6mr1927777otb.263.1527693652198; Wed, 30 May 2018 08:20:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:8a32:0:0:0:0:0 with HTTP; Wed, 30 May 2018 08:20:51 -0700 (PDT)
In-Reply-To: <20180530143833.GB3110@mx4.yitter.info>
References: <382ba525100a4561b086fe8b8b6527be@ustx2ex-dag1mb3.msg.corp.akamai.com> <603D7553-D1A9-4DCC-9E74-199059C56A9F@sinodun.com> <1daad94d-99c1-803a-f52c-1dd17adefb7a@o2.pl> <CAOdDvNrpLwF5jpn1YA4-HXsfGxVkdds+xHVd6Bxy0Ux+3nrcrA@mail.gmail.com> <CA9BEE64-9F16-4CCC-A1E0-4C7FD45C455C@icann.org> <20180528161043.GB12038@mx4.yitter.info> <CABkgnnV3kKFCzKLfPf_0WZh95jr2vEt652Rb4EozfqROCVsJdA@mail.gmail.com> <CAOdDvNrPU9WM3WgcX1AVF39D3bGdxCKgPAF_afhfv2Qt0pZR5g@mail.gmail.com> <DB7D40D6-455A-48DD-AB98-DF2CF0866222@sinodun.com> <CAOdDvNopKvs18jQizgyiAQq8UyB4GwdqyXfXPa+25pNrxWg8pA@mail.gmail.com> <20180530143833.GB3110@mx4.yitter.info>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Wed, 30 May 2018 11:20:51 -0400
X-Gmail-Original-Message-ID: <CAOdDvNpt53FDhpDwmwAK9w9=o-JNhaPoM27cxoP1QE_3yR3JfQ@mail.gmail.com>
Message-ID: <CAOdDvNpt53FDhpDwmwAK9w9=o-JNhaPoM27cxoP1QE_3yR3JfQ@mail.gmail.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Cc: DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000770bc6056d6de591"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/P0XBzlQs1MLrXkZE6Bx7qXRlJpQ>
Subject: Re: [Doh] A question of trust (was Re: Draft -09 and WGLC #2)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2018 15:20:57 -0000

On Wed, May 30, 2018 at 10:38 AM, Andrew Sullivan <ajs@anvilwalrusden.com>;
wrote:

>
> going to extend that metaphor using DOH, and it is still not clear to
> me that this text is saying, "Don't do that," though I think it might
> be.
>
>
It's not saying that (is not trying to say that?). Primarily its saying if
you're browsing the web minding your own business and some site
unexpectedly provides you a DoH exchange with an address for example.com
don't use it unless that pushing site is one you have configured for
resolution.

Whether or not you do unauthenticated configuration (e.g. DHCP) is not
something it takes a position on.