[Doh] comments to DoH/RFC8484

Stefan Kärst <stefan.kaerst@web.de> Mon, 28 June 2021 10:52 UTC

From: Stefan Kärst <stefan.kaerst@web.de>
To: doh@ietf.org
Message-ID: <9a46b7a7-c964-c4e0-231f-6a5c39387163@web.de>
Date: Mon, 28 Jun 2021 12:52:35 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/j5gVZm8uzxRHipZLXoZ29RY2up4>
Subject: [Doh] comments to DoH/RFC8484

Hi Team,

I'd like to add some personal thoughts about RFC8484.

I have been working as a system administrator for quite a long time now. I 
started working in IT in 1991.

Part of my daily work is to analyse problems regarding applications 
running on GNU/Linux, either as VMs, bare metal or within clouds and/or 
containers. Based on my experience, half of all problems are caused by 
network issues, including DNS.

Because of this it is important for me to be able to reproduce problems 
and collect data to support customers. One of these tasks includes 
querying DNS, whether on the customers' machines or on my own. As DNS is 
an open, globally distributed system, I can be sure to get the same 
answers as the applications/computers at the customers' site are using.

DoH not only breaks protocol layering, it makes our work useless in 
terms of reproducing the data applications use. This is as bad as 
caching of IP addresses within applications.

Both things do not belong in any application, IMHO.
There are DNS resolvers and caching services like nscd available for 
both purposes.

As applications use encrypted communication, we cannot check the (meta) 
data and provide any kind of support if things do not work. Even if DNS 
were encrypted, it still is an open system, so I can get the same 
answers as any software would use.
Any software that works as a monolithic black box is a nightmare for 
system administrators.

I really hope you drop DoH in favour of DNS over TLS. With DNSSEC and 
DANE there are standards available that make more sense in terms of 
enhancing DNS, rather than reinventing the wheel and putting things into 
applications that the operating system is meant to be responsible for.

I wish you could use your powers to promote DNS over TLS to keep DNS an 
open distributed system for all! (Unless you are working for the Chinese 
or Russian government and wish to make such services a secret to anybody ;)

IMHO DoH has aspects of "security through obscurity" ;)  I cannot see 
any advantage in DoH.


HTH
Kind Regards!
Greetings from Germany
Stefan Kärst


https://en.wikipedia.org/wiki/Communication_protocol#Protocol_layering
https://en.wikipedia.org/wiki/Security_through_obscurity