Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)

Sara Dickinson <sara@sinodun.com> Thu, 14 June 2018 14:00 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C022131163 for <doh@ietfa.amsl.com>; Thu, 14 Jun 2018 07:00:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NrLh_SvYwEOw for <doh@ietfa.amsl.com>; Thu, 14 Jun 2018 07:00:57 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91315131160 for <doh@ietf.org>; Thu, 14 Jun 2018 07:00:57 -0700 (PDT)
Received: from [62.232.251.194] (port=5090 helo=[192.168.12.23]) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <sara@sinodun.com>) id 1fTSnu-0006x7-C6; Thu, 14 Jun 2018 15:00:50 +0100
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <alpine.DEB.2.20.1806140728270.30130@tvnag.unkk.fr>
Date: Thu, 14 Jun 2018 15:00:24 +0100
Cc: Mukund Sivaraman <muks@mukund.org>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, DoH WG <doh@ietf.org>, =?utf-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>, Patrick McManus <pmcmanus@mozilla.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <74D48781-9F05-482C-ACB2-7AB027611489@sinodun.com>
References: <1E183D79-5716-47E5-8604-A4F5DC7588C2@icann.org> <045241e6-6d9f-162c-6ae3-0b10d59d21de@bellis.me.uk> <6BB0D47F-2BA3-4D9A-A125-1D1E180B06E0@icann.org> <53c320bc-6ea0-21f4-c7a1-1da34bbdb38d@nic.cz> <CAHbrMsBoKE-pfz97ZDb9ReLKMedk2KJ7xLCw_MPmxVtqF7PcuA@mail.gmail.com> <20180613192030.GA2792@jurassic> <CAHbrMsACdaz13v=2jbpZq1RU-_CP36Cgz13iFFWVj8qrjQ0b=g@mail.gmail.com> <20180613205637.GA23215@jurassic> <CAOdDvNr0ob_zhMw1BT_h8n77ecx5vht8WJ7OiwwDPrj0Wxf8SA@mail.gmail.com> <20180614042217.GA25915@jurassic> <20180614044113.GA27115@jurassic> <alpine.DEB.2.20.1806140728270.30130@tvnag.unkk.fr>
To: Daniel Stenberg <daniel@haxx.se>
X-Mailer: Apple Mail (2.3445.8.2)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/RPIuULIBDiTmOCbv31pa_DfAf-k>
Subject: Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2018 14:01:00 -0000


> On 14 Jun 2018, at 09:14, Daniel Stenberg <daniel@haxx.se>; wrote:
> 
> On Thu, 14 Jun 2018, Mukund Sivaraman wrote:
> 
>> The switch to DoH at the application layer seems suddenly upon us. I was thinking of DoH just as a fallback transport, but suddenly it seems almost like this is the new way to do DNS queries (a switch).
> 
> Users have wanted (and used) "name resolving in the application" layer since a long time in various situations. The fact that the standard operating system APIs make this hard has never taken away the desire or will for a lot of solutions to be able to ask their *preferred* resolvers. Why shouldn't applications be able to decide this?

Applications are free to decide it but it is not without consequences, for example:

1) Many enterprises rely on using internal views for DNS from servers provided by DHCP. If applications override this by _default_ then that model completely breaks internal name resolution _and_ leaks internal queries to the external resolver. Some might consider that a loss of security and privacy. 

2) By ‘users’ above I think you mean ‘application developers’ not ‘actual end users’? While their may be good reasons for application developers to want to do this I would postulate that actual end users who understand enough about DNS to want to control it would prefer to have a single system setting to configure it to point at _their_ preferred resolver, rather than a (transport/DNSSEC/resolver) setting existing in every individual application. 

I’m not saying there is a right or wrong model here, just that there are more concerns than simply what the application prefers. 

Sara.