Re: [Doh] [EXTERNAL] Re: [DNSOP] New I-D: draft-reid-doh-operator

Patrick McManus <> Sun, 24 March 2019 21:04 UTC

To: Patrick McManus <>
Cc: "Winfield, Alister" <>, "" <>, Eric Rescorla <>, "" <>, "" <>, "" <>, "" <>, "" <>

I want to add one thought to the general argument that goes along the lines
of "I need to enforce a policy on my network, and doh will just encourage
more https interception - we have gotten nowhere."

This argument assumes a scenario where the network is trusted by the
application and can require/achieve host or application configuration.
Indeed - deploying trust anchors to these clients is the only way you're
going to intercept https as the notion of network defined configuration of
"trusted proxies" and the like is consistently rejected by clients. That
seems like the right standard for DNS as well - go ahead and configure a
different policy but do it via an existing authenticated configuration
mechanism like you would use for adding a trust root.

However, rather than adding a root I would suggest that if you're doing
client configuration for network-local DNS policy, that you deploy a DoH
server that enforces that policy and point DoH clients at it through the
various enterprise config mechanisms. It doesn't require any kind of access
that adding a trust root does not. This has the desirable property that the
application can reliably know what server is providing DNS service in a
fully authenticated way. Perhaps in a "my way or the highway" scenario it
will choose the highway. That's fair enough - that should be a real
choice. When you just intercept, an informed decision cannot be

Use of non-default trust roots is also a property generally visible to
applications. Most allow it as a matter of user configuration.
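As an added illustration of the "point DoH clients at it through the various enterprise config mechanisms" approach described in the message (this is not part of the original post, and the provider URL is a constructed placeholder for an organisation's own policy-enforcing resolver), a Firefox enterprise policies.json that pins the browser's DoH resolver and locks the setting, so the client knows exactly which authenticated server answers its queries:

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ProviderURL": "https://doh.example.internal/dns-query",
      "Locked": true
    }
  }
}
```

Because the setting is delivered through the same managed-device channel an administrator would use to add a trust root, the client can see that DoH policy has been configured for it rather than silently intercepted, and a user who disagrees can still "choose the highway" by not using the managed device.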