Re: [Doh] Mozilla's plans re: DoH

Eric Rescorla <ekr@rtfm.com> Wed, 27 March 2019 16:56 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 27 Mar 2019 09:56:12 -0700
Message-ID: <CABcZeBOv0S8gHMYejhGkSncB4kX7KVFiYP3bHPLimdZ==epQQg@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/iZ9WHptC9Vw1eJW6tUmsuCmaYAc>

On Wed, Mar 27, 2019 at 9:32 AM Tony Finch <dot@dotat.at> wrote:

> Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >     4. At any time, the user will have the option to select a
> >     different resolver out of the list, specify their own resolver, or
> >     disable DoH entirely.
>
> Will Firefox inform its users whether the local resolver supports DoT or
> DoH?
>

We don't currently expect to do so. As noted above, we don't think secure
transport to the local resolver is sufficient to ensure the privacy and
security guarantees we are trying to provide.

> > However, there are two more restricted cases in which we do think some
> > network control of the resolver is reasonable.
>
> What about allowing Firefox users to access private / internal domain
> names?
>

If a name doesn't resolve with DoH, we fall back to the system resolver.
This doesn't work properly when the same name is available on the public
DNS but pointing to a different location. As I alluded to in my email,
we're still working out how to deal with this split horizon scenario.

-Ekr


> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> each generation is responsible for the fate of our planet
>
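The fallback behaviour Eric describes above (DoH first, system resolver only when DoH fails) and the split-horizon case it gets wrong, as an added example that is not part of the original thread and is not Firefox or Mozilla code. The two resolver tables, hostnames and addresses are constructed for illustration and are assumptions, not real zone data:

```python
# Added example (editor's own, not Firefox/Mozilla code): a toy model of the
# "DoH first, fall back to the system resolver on failure" policy described in
# the mail, showing why it misses split-horizon names. All zone data below is
# constructed and the hostnames/addresses are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resolver:
    """A resolver with a static answer table (stand-in for a real DNS server)."""
    name: str
    zone: dict

    def lookup(self, host: str) -> Optional[str]:
        # None models a failed lookup (NXDOMAIN or no usable answer).
        return self.zone.get(host)


# Constructed public DoH resolver: knows only names published in public DNS.
DOH = Resolver("public-doh", {
    "www.example.com": "203.0.113.10",
    "wiki.corp.example.com": "203.0.113.50",   # same name also exists internally
})

# Constructed on-network system resolver: serves the internal (split-horizon) view.
SYSTEM = Resolver("system", {
    "www.example.com": "203.0.113.10",
    "wiki.corp.example.com": "10.0.0.5",       # internal address for the same name
    "intranet.corp.example.com": "10.0.0.7",   # internal-only name, absent from public DNS
})


def resolve_doh_then_fallback(host: str, doh: Resolver = DOH,
                              system: Resolver = SYSTEM) -> tuple:
    """Return (address, source): DoH answer if any, else system resolver, else NXDOMAIN."""
    addr = doh.lookup(host)
    if addr is not None:
        return addr, "doh"          # DoH answered; fallback is never consulted
    addr = system.lookup(host)
    if addr is not None:
        return addr, "system"       # DoH failed, so the internal-only name is found
    return None, "nxdomain"


def shadowed_names(doh: Resolver, system: Resolver) -> list:
    """Names the fallback policy gets wrong: present in both views with different answers.

    The fallback only fires when DoH fails, so a name that resolves publicly to a
    different host than the internal one is answered by DoH and the internal
    address is never seen. Internal-only names are fine (DoH fails, fallback works).
    """
    return sorted(h for h, addr in system.zone.items()
                  if doh.lookup(h) is not None and doh.lookup(h) != addr)


if __name__ == "__main__":
    for h in ("intranet.corp.example.com", "wiki.corp.example.com", "nope.invalid"):
        print(h, "->", resolve_doh_then_fallback(h))
    print("split-horizon names the fallback misses:", shadowed_names(DOH, SYSTEM))
```

Running it shows the two outcomes the mail contrasts: an internal-only name is recovered by the fallback because DoH returns nothing for it, while a name that also exists in public DNS is answered by DoH with the public address and the internal view is never reached.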