Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Jacques Latour <> Wed, 20 March 2019 17:59 UTC

From: Jacques Latour <>
To: Jared Mauch <>, Brian Dickson <>
CC: Ted Hardie <>, DoH WG <>, dnsop <>, paul vixie <>, Michael Sinatra <>, Stephen Farrell <>
Date: Wed, 20 Mar 2019 17:59:13 +0000

I'm trying to balance in my mind the requirements to protect the DNS vs. what is happening on the wire. In the end, the browser will connect to an IP address which can be (in most cases) mapped to a domain name, which we're trying to protect/hide with all sorts of encryption.  Someone that has access to the DNS on the wire can see what is queried; someone with wire access can see who is connecting where.  Where's the privacy protected here? Do we need to balance both?

DoH is going to force enterprises/network operators to beef up their security policies by enforcing a higher level of outbound IP address filtering, having a matching DNS block list in the corresponding outbound IP address filters. Going to be messy :-)

>-----Original Message-----
>From: DNSOP <> On Behalf Of Jared Mauch
>Sent: March 20, 2019 6:10 AM
>To: Brian Dickson <>
>Cc: Ted Hardie <>; DoH WG <>; dnsop <>; paul vixie <>; Michael Sinatra <>; Stephen Farrell <>
>Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator
>
>> On Mar 19, 2019, at 11:17 PM, Brian Dickson <> wrote:
>>
>> On Tue, Mar 19, 2019 at 6:42 PM Stephen Farrell <>
>>> Hiya,
>>>
>>> One individualistic data point on this sub-topic, and a real point:
>>>
>>> On 20/03/2019 01:13, Jared Mauch wrote:
>>>> My impression is there are people who will not be satisfied until
>>>> all traffic looks identical and you have zero way to protect your
>>>> home,
>>>
>>> I do not claim that everyone ought do the same, but I absolutely do
>>> claim that encouraging voluntary policy adherence by dealing with the
>>> people using the n/w is preferable to many egregiously invasive
>>> attempts to force technical policy enforcement on unwilling serf-like
>>> users.
>>
>> So, this is the problem:
>> - If a network operator has any policy that is enforceable, ONLY the technical
>> policy enforcement model scales.
>> - In such an environment, there are only, ever, "willing users", because, in
>> order to use the network, they are required to agree to the policies.
>>
>> This makes the argument you have above, a vacuously defined one.
>> You want to encourage voluntary policy adherence for a non-existent set of
>> otherwise unwilling users.
>>
>> I understand your position: you would prefer that {some,all} networks were
>> not employing policies that {you,some people} disagree with.
>> I sympathize, but I disagree. What we need are mechanisms that scale.
>>
>> My position (personally) is that we find ways to have scalable, technical
>> They should allow users (or machine administrators) to be as compliant as
>> they are willing, and no more.
>> They should allow networks to enforce their policies, while treading as lightly
>> as possible.
>> It should be possible to use technical means to handle this negotiation with
>> little to no user input required.
>> The analogy is roughly that of escalation-of-force in law enforcement, starting
>> at a level of "polite requests".
>>
>> You can disagree, but I implore you: please don't stand in the way of those
>> wanting to find consensus on scalable, flexible, technical solutions that
>> encompass a wide range of network policies and enforcement needs.
>>
>> The main point is, I believe the end result will be mechanisms that allow you
>> to deploy networks that meet your needs, and software that you can configure
>> to bypass such controls, but that neither of those should ever be the default
>> If the results allow you to do what you want/need, and also allow others to do
>> what they want/need, everyone should be happy enough with the result.
>>
>> Can we at least agree on this as a desired goal for this work?
>
>Often as an industry we may discuss various solutions that are great for oneself
>but don’t scale when looking at the big picture.  I’m of the feeling that not
>everything should be a standard, even things that look like they might be
>standard-ish.  I could encode many things over TCP over TLS over QUIC over
>HTTP.  I’ve seen unencoded data stored in DNS TXT records that have
>sorted/ordered information so you can do interesting things.
>
>Just because one can do these things doesn’t mean one should, or that the
>entirety of the industry should (or even will).
>
>Goals and motivations are key here. If the goal is to make it such that dissidents
>whose lives may be threatened (this is an example a co-worker always uses on
>me in these types of conversations to support their position) by the local regime
>may face a threatening situation or die as a result of using technology, it’s not
>the fault of the protocol.  Should we improve for every corner case like this?  As
>vixie has pointed out, it may be an innocuous device like a chromecast where the
>ISP provided DNS is horrible.  (I can think of many bad devices in the consumer
>space that break the DNS spec in really unique ways).  It’s entirely possible that
>the appliance works best when not using that ISP service, but it is also data
>leakage to a large global company that for reasonable or unreasonable purposes
>he doesn’t want to transact with.
>
>When we create technologies that can bypass and traverse the existing security
>posture of networks (evil foreign telecoms, where’s my pitchfork) or a coffee
>shop, library, home or large enterprise… expect the work to be held to a higher
>
>It may be that there’s not consensus on this topic.  It may be I’m an outlier and
>have been subverted by <insert boogeyman of the week here>, but the most
>likely case is there be dragons here and we should tread carefully to not burn
>down the entire place.
>
>- Jared
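Jacques's second paragraph above says that once clients resolve over DoH, an enterprise's DNS block list has to be re-expressed as outbound IP address filters, and that this will be messy. The script below is an example added here to illustrate that translation; it is not part of the thread and not anyone's product code. It resolves each blocked name, emits deny rules, and reports the two things that make the IP-layer version of a DNS policy messy: a blocked name sharing an address with a permitted one (shared hosting or a CDN front end), and a blocked name with no address at all. To run offline it uses a constructed in-memory table (`FAKE_DNS`, with RFC 5737 documentation addresses) in place of live DNS; `build_egress_rules` and `render_iptables` are names chosen for this example.

```python
"""Derive outbound IP filter rules from a DNS block list and flag the collisions.

Added example (not from the mailing-list thread). The resolver is a constructed
in-memory table so the script runs offline; a real deployment would substitute
live lookups (e.g. socket.getaddrinfo) and re-run them on a schedule, because
the name-to-address mapping changes under the policy.
"""
import ipaddress
from collections import defaultdict

# Constructed sample answers standing in for live DNS lookups.
FAKE_DNS = {
    "ads.example": ["203.0.113.10", "203.0.113.11"],
    "tracker.example": ["203.0.113.11"],      # shares an address with ads.example
    "cdn-shared.example": ["198.51.100.5"],   # same front end as a permitted site
    "docs.example": ["198.51.100.5"],         # permitted, but on the shared address
    "ghost.example": [],                      # no A records at all
}


def resolve(name, lookup=None):
    """Return the sorted, de-duplicated IPv4 addresses for name.

    lookup defaults to the constructed FAKE_DNS table.
    """
    table = FAKE_DNS if lookup is None else lookup
    return sorted(set(table.get(name, [])))


def build_egress_rules(blocklist, allowlist, lookup=None):
    """Translate a DNS block list into deny rules keyed by IP address.

    Returns (rules, collisions, unresolved):
      rules       - list of (ip, [blocked names]) to deny outbound, sorted by IP
      collisions  - {ip: {"blocked": [...], "allowed": [...]}} where a deny rule
                    would also cut off a name on the allow list
      unresolved  - blocked names with no address (cannot be enforced at IP layer)
    """
    ip_to_blocked = defaultdict(set)
    unresolved = []
    for name in blocklist:
        addrs = resolve(name, lookup)
        if not addrs:
            unresolved.append(name)
        for addr in addrs:
            ipaddress.ip_address(addr)  # validate before it reaches a firewall config
            ip_to_blocked[addr].add(name)

    ip_to_allowed = defaultdict(set)
    for name in allowlist:
        for addr in resolve(name, lookup):
            ip_to_allowed[addr].add(name)

    rules, collisions = [], {}
    for ip in sorted(ip_to_blocked, key=ipaddress.ip_address):
        rules.append((ip, sorted(ip_to_blocked[ip])))
        if ip in ip_to_allowed:
            collisions[ip] = {
                "blocked": sorted(ip_to_blocked[ip]),
                "allowed": sorted(ip_to_allowed[ip]),
            }
    return rules, collisions, unresolved


def render_iptables(rules):
    """Render deny rules as iptables OUTPUT lines, one per address."""
    return [
        f"iptables -A OUTPUT -d {ip}/32 -j DROP  # {', '.join(names)}"
        for ip, names in rules
    ]


if __name__ == "__main__":
    blocked = ["ads.example", "tracker.example", "cdn-shared.example", "ghost.example"]
    allowed = ["docs.example"]
    rules, collisions, unresolved = build_egress_rules(blocked, allowed)
    print("\n".join(render_iptables(rules)))
    for ip, who in collisions.items():
        print(f"WARNING {ip}: blocking {who['blocked']} also blocks {who['allowed']}")
    for name in unresolved:
        print(f"WARNING {name}: no address, cannot be enforced at the IP layer")
```

On the constructed table the collision report shows the problem Jacques alludes to: denying 198.51.100.5 to stop cdn-shared.example also cuts off docs.example, and ghost.example cannot be expressed as an IP rule at all, so the DNS policy and the IP filter never line up exactly.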