Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Matthew Pounsett <> Tue, 19 March 2019 00:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2D876130EA0 for <>; Mon, 18 Mar 2019 17:50:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Kb6Bgw29CI-O for <>; Mon, 18 Mar 2019 17:50:27 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E107C130E62 for <>; Mon, 18 Mar 2019 17:50:26 -0700 (PDT)
Received: by with SMTP id x4so16205874ion.2 for <>; Mon, 18 Mar 2019 17:50:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=osbGCx9CTwW1EEJmPFdOVofldFUdch/krTEjk7gTiME=; b=r0OaS9bYEgctR/49m6rwvPAl4wbTIuuDV0hLBv8xH+LOf27Drl8/c94jRsxK+KFlKJ D2T3bL72dQaGu16ecMWNHPv+xUvOfsjtgfUgHne5z0MX9zSqJW7O/OcLMj69s/ZW09FP dUtyqCLwzUdW8+Rq4uFI8iMTs2EkJ5WLF5NZjFlxNwKJXHMUKhbvrax71rnuQMBJTAMY K967vp4IHMzvDFTZjquv0GH8J99IoLbkBTjHe/3s2ZpRE0lj9WNkhUbk1ShZXcvUJcHI BXPLnV90eCoxIgk7OrsyHGW5s04jaxdbFm5XGBh61Y5RBNKA4K9hu0gu+cTSf4mZbc6I OxFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=osbGCx9CTwW1EEJmPFdOVofldFUdch/krTEjk7gTiME=; b=TZat5LZusfF2A8ZpGAJZ/L8MhRNRbgocXYku2v+WwMRfbCAQezawNHKEH6HvTHIlOV fOj6MJP8GbdZkoPuIKUjO+236vYAz7Wo+qRl35UEKVeGv24Dcd1tny62y4ffbeVP5VUr 1JhdfANR4VSRkhUgybI9qiIXOaKJ40NgfIF2lmBr+l2w7ZaHazuHSXeNaTQhHQylPS9W J+hgsbfjyAkLix9WfT+2HbIstvIJnq0ZPHJiBDoVmj8oqdIx9ZLhCMxG0y2tHKWNvH3E fFvAOKn23I0hYdF7KcsSjbEJiGK5hQI2XEYbZjCNUvRZKS+NuY2CZ1Rp+RVrfRQ6t7Rx BK5w==
X-Gm-Message-State: APjAAAXZwog1HhV37jDDZAfpHo97JW0XwnXlwbuoR8bQQc/bm3oppGo3 uVWbIXfZBjtj1yMYgpzpoClPm+J93+FvwcDMeAjHjg==
X-Google-Smtp-Source: APXvYqxM3o6nAQgYe21w/vdTMs3wVvn07JdnFeJHAgdVKm3mXAfvtCTyqKzF+AMZU0EosOJouRJBpFY0tQ1ocAA9+6E=
X-Received: by 2002:a6b:ec15:: with SMTP id c21mr13919943ioh.152.1552956626040; Mon, 18 Mar 2019 17:50:26 -0700 (PDT)
MIME-Version: 1.0
References: <> <1914607.BasjITR8KA@linux-9daj> <> <1900056.F7IrilhNgi@linux-9daj> <>
In-Reply-To: <>
From: Matthew Pounsett <>
Date: Mon, 18 Mar 2019 20:50:15 -0400
Message-ID: <>
To: Ted Hardie <>
Cc: Paul Vixie <>, dnsop <>, DoH WG <>
Content-Type: multipart/alternative; boundary="0000000000000c0ee0058467e46a"
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Mar 2019 00:50:29 -0000

On Fri, 15 Mar 2019 at 14:37, Ted Hardie <> wrote:

>> The past five years have not been the IETF seeking to become a king or
> king-maker.  They have been spent responding to an attack while still
> building out the facilities of the network.  I am glad to find you a ready
> participant now, as there is still work to be done.  But I do not believe
> we have said that you may not have these facilities; the new methods simply
> mean you must have a relationship with the users and devices on your
> network sufficient to effect configuration to use them.  An on-path
> adversary does not, but you do.  Yes, that adds a step and some complexity,
> but dealing with a new class of attack was never likely to be free.

This, again, conflates users with attackers.

I'm going to take a stab at restating the positions of several people in
this thread, Paul included, because it really seems like the argument is
not understood.

I have a relationship with my users and I can control the configuration of
their *known* applications.  I do not have a relationship with the malware
author that is trying to steal their data, and cannot control the
configuration of that (unknown) application.  By running DoT on my borders
and blocking all other DNS and DoT traffic, I can provide privacy for my
users while still preventing malware from doing its thing.  With DoH
available at endpoints that my users want to reach using some other
application, it is orders of magnitude more complex for me to block the
malware while still allowing my users to reach those endpoints.  Phrased
another way, a DoH endpoint at the same IP address as a popular website
gives malware the ability to resolve names I was previously able to
prevent.  The only recourse I know of, if DoH is adopted, is to proxy all
traffic toward that example site (including requiring me to engage in a
MitM decryption attack on my users' web traffic) in order to continue to
prevent that malware from circumventing network security.  And because I
can't predict which web sites will launch their own DoH endpoints, that
means I need to proxy (and decrypt) all web traffic in order to maintain
the same level of security I can today.

Somewhere up-thread it was suggested that there are other reasonable steps
that a network/security operator can take to maintain the controls over
resolution that we have today, but so far I haven't seen them enumerated