Re: [Doh] [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients

Christian Huitema <huitema@huitema.net> Mon, 11 March 2019 05:03 UTC

To: nalini elkins <nalini.elkins@e-dco.com>
Cc: doh@ietf.org, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, dnsop@ietf.org, dns-privacy@ietf.org, "Ackermann, Michael" <mackermann@bcbsm.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <e62efaf3-4a35-4a52-5ed4-dee2e7fafe72@huitema.net>
Date: Sun, 10 Mar 2019 21:14:02 -0700
In-Reply-To: <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/RR8pXaPQhjClf-s1t28MjPPAowk>
Subject: Re: [Doh] [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients

On 3/10/2019 8:25 PM, nalini elkins wrote:
>  > Similarly, putting DNS in user space allows for immediate adoption
> of DNSSEC and privacy enhancements, even when the operating system or
> the local network does not support them  
>
> At enterprises (banks, insurance, etc) on their internal networks,
> people run their own DNS servers which may resolve for both internal
> and external sites.
>
> We were recently talking to a Fortune 50 company in the United States
> about what might happen if you install a version of the browser which
> uses DNS-over-HTTPS automatically.  (Clearly, this applies to any
> variant.)
>
> The questions that the Fortune 50 company architect asked were
> something like this:
>
> 1. You mean that DNS could be resolved outside my enterprise?
>
> 2. So whoever that is that resolves my DNS sees the pattern and
> frequency of what sites my company goes to?
>
> 3. How do I change this?


There are a bunch of conflicting requirements here, and it would be good
to tease out the contradictions. Consider the following cases:

1) I am using my phone, and using application-X.

2) I am at home, using application-X on my home computer.

3) I am using Wi-Fi in a hotel, and using application-X.

4) I am using my work laptop on the enterprise network, and using
application-X.

5) I am using my work laptop in a hotel, and using application-X.

6) I am using my work laptop on the network of a customer, and using
application-X.

Today, plenty of people claim the right to control how I use the DNS: my
phone carrier, my ISP at home, the company that got the contract to
manage the hotel's Wi-Fi, the IT manager for my company's laptop, the IT
manager for the company that I am visiting. Out of those, there is just
one scenario for which the claim has some legitimacy: if the company
pays for my laptop and owns the laptop, yes of course it has a legitimate
claim to control how I am using it. Otherwise, I, the user, get to
decide. If I like the application's setting better than the network's
default, then of course I expect those settings to stick.

-- Christian Huitema