Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Christian Huitema <huitema@huitema.net> Fri, 22 March 2019 03:43 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 500E0130DC2 for <doh@ietfa.amsl.com>; Thu, 21 Mar 2019 20:43:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BmpHBR_0zpK1 for <doh@ietfa.amsl.com>; Thu, 21 Mar 2019 20:43:50 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52755130E64 for <doh@ietf.org>; Thu, 21 Mar 2019 20:43:50 -0700 (PDT)
Received: from xsmtp31.mail2web.com ([168.144.250.234] helo=xsmtp11.mail2web.com) by mx128.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1h7B5w-0011Vc-QT for doh@ietf.org; Fri, 22 Mar 2019 04:43:49 +0100
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp11.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1h7B2w-00043X-FO for doh@ietf.org; Thu, 21 Mar 2019 23:43:47 -0400
Received: (qmail 27108 invoked from network); 22 Mar 2019 03:40:36 -0000
Received: from unknown (HELO [26.250.239.147]) (Authenticated-user:_huitema@huitema.net@[172.56.30.8]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>; 22 Mar 2019 03:40:36 -0000
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Christian Huitema <huitema@huitema.net>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <yblh8bv95l0.fsf@w7.hardakers.net>
Date: Fri, 22 Mar 2019 04:40:31 +0100
Cc: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>, DoH WG <doh@ietf.org>, Joe Abley <jabley@hopcount.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <04C556AF-D3B3-41A5-B119-8FE5F81FB9A7@huitema.net>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <3457266.o2ixm6i3xM@linux-9daj> <CA+9kkMDkKQtBDrXx9h8331_6zDtcChUTfqFe0W3JByxyB=4xLw@mail.gmail.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <a38cf205-b10e-e8e2-62cf-8e0377dfc1ef@brokendns.net> <4599B066-BA82-4EA8-92C1-F1BE1464A790@puck.nether.net> <b8c58757-3945-ea19-b018-8e59292abf30@cs.tcd.ie> <CAH1iCirBm0NKA2-zw--ZKd3gN1ZCmwZ7_ZOSyaTk+2SMmrtxKg@mail.gmail.com> <EA89EA1A-A1EA-4887-9294-4F68AB5C3211@puck.nether.net> <91A0BBD0-CB73-498E-B4E0-57C7E5ABE0B4@hopcount.ca> <2145465817.5147.1553119548565@appsuite.open-xchange.com> <yblh8bv95l0.fsf@w7.hardakers.net>
To: Wes Hardaker <wjhns1@hardakers.net>
X-Originating-IP: 168.144.250.234
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.17)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5haVFYBcslj+yaxjmg2gcfx602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO25BUjnzxeaqnrPDaA78u19VMZsRZacTbJPGp/MBC6BxQ6T5rHcDXTNHEfrrCXMGtkh5 mNm/WjPqhYqCeBiCKwwnRtk/d5gNfEtjtud5V8jpiaCVHNB1k1ihcHciE5ixJx/TBCf6oYXAWGet lavcAjD9ytQxIHf9lN5jjLJaPK8l4YBmPrqPoeRXD34azf1rYZv5uZUEePrXZkexHL9EC3AAJAfA 9MMVcQ9WVjD1q+Rbd9IPG/DQ2p+GU04sTuYFs91jhnM/Mbva2XLV/LIEzaKyLm0zESXAkIAT8ZKA DvsGI5uh86ZVnyOrYkLMWyEaRt9fxN2oReTDHAyOynaY0CmHJLVH4DfVNbPXJmiLfub/IRFsicyJ MEhQFtD8PLoiniWmsFByBoXAuCZEyg59LM/9rUJrEbVA84BZVscMTXpbpuxXJTL417vaJWq5kk+j cuidX4Ts4xdG+C13IyWeZaJu1FKs5TGF0HQNGKdqWSmvPwUimsNGvJJilSn4u6QSZPjekIloWmwS rmYcRUiwoI4s95DGoDQyh90npG6wuAU16Y3oZJdQ0WXQEIKhyt8GANo5bn0tFTz4SVUdCy2MVE6+ P+NMWgh0hdHFCOgNkMJ392PNDpgLsd6Ddd/s7VM53qJ/6IMS6dQ3kd+UR7sHsZfAMgFPp7+h3kLe NmBV53UGhP4LU6IC9lJiuxW4FU9fkezM77XYWrKxEfrWjonGLqxRXxKF5tPxTxfD0dMN+t5ZP6zO upSxHMPsAHfGhZAC/H/F9n7vBiJVyH1aslqSF4coR+PypV5Z5Sfz/IlJBgJ68rMgFGxC0xSok+fi i+Mknt40eTXlWiUAYdLmsJdAoPJHNvQfAjIDptXbNSradnS0Zqm0mOdPl1LeUTNmkYtBTuxv0/1e /nzlq13wYTxncOSJHdsd+cwIgRT6euCWiMrA+4FHNKsiy9wMVtQ6ai8zTQ==
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/qKHWk-f6i2S7Nzh3F553UPtVsyA>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 03:43:51 -0000

 

> On Mar 22, 2019, at 12:21 AM, Wes Hardaker <wjhns1@hardakers.net> wrote:
> 
> If DNS privacy is a goal, systems and applications SHOULD use DNS over
> TLS to encrypt traffic to their local resolver if possible (unless the
> system and application distrusts the local resolver infrastructure).

Maybe we should start by defining DNS Privacy. There are two issues: using an encrypted transport; and, using a DNS resolver trusted to respect the privacy of queries. Both are necessary. One without the other makes little sense.

Much of the debate is on the second point. One position is that users should be forced to trust the DNS resolver provided by the local infrastructure. Another position is that users have the right to apply their own policy and decide which server they will trust, based on some configuration.

-- Christian Huitema