Re: [Doh] [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients

nalini elkins <> Mon, 11 March 2019 04:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 96519130EE6 for <>; Sun, 10 Mar 2019 21:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F_0_bW0GE_wb for <>; Sun, 10 Mar 2019 21:29:18 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 878FB12F19D for <>; Sun, 10 Mar 2019 21:29:17 -0700 (PDT)
Received: by with SMTP id g80so2773958ljg.6 for <>; Sun, 10 Mar 2019 21:29:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bZ8GHngTmbV/D+Ul0BQx34xVx0Xm24zcy2gPspAMfoQ=; b=fo3obhPTtW7eLhzPE4qOYCV0OTUrrQUdQohUd7cWC5yIXz9g72eDIknpXyI2hGcXXu u0l6221D9ckYvQOzc08SkuB6y4ib58aXUT1Nzey15wIx0qGdFrIMMZQFi0ZiwX1opYTS dcRIp0Ap7kpRgn0O0h8j0tB7COroYZsptn3Q16zOdlZQv/rg8/wSuvF0u16jsHF5biRF wqCBCio6KSupsJz0ykPm5YL6GHm4h5r+P68O92VWwfMq0cmzcSoa6+yeXZDgFe2f9HUE 2CQ9TofCyPWIg3bRizS9jCWSixdS4O4oP+3yQgRCA2BCrBy1Ema8y860a6O2jFWHseEU 76Cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bZ8GHngTmbV/D+Ul0BQx34xVx0Xm24zcy2gPspAMfoQ=; b=Kl16dVry6XEr+hvea60VZvqOvxl3qWEOGEJSfjwZ5v0wj2enaFdRuGq9zszMbep0uR eF1tEfK4Kq5JX0+JJUUHlWsaKIZ7hCw/yvQvyoDiVpKkT0FghtHTPMuU3EXFpkyiWhUe CKzeGCMxTT7kgGk81SWU0Lc3gBIY6fklinpH2uVcgfbu+Ry2T52hWpVsDYSpF8kjfyQA advlhOFy3cL+CFTg8BMYKNYgsmeuEjuqYffgFmRmsLqTZ/86XykRFso97pmttzSwUrqL +nIY15QYfDeOwbeOvstwEI7L6Jvo8t7QWrQU/mgG3fMXM/01ghuMgRoFR8b9oxHiRL6g Na/A==
X-Gm-Message-State: APjAAAVig0/PhkfzYjzsl3gMWSD/+9q/Xc8v/NhNjBXzhnGCldd2arue 1Clwy330W11ZUqRDjjdE+qoTV+LsBXJPRt5RLoBPGw==
X-Google-Smtp-Source: APXvYqwj19cYpe++6C+vt6xW4ACzOFCJj8H3QoCLID0bwxXnyB9W9DLKAxWyMu7MoWKIe7KPasNTBXKCf8G3Yrxz+RQ=
X-Received: by 2002:a2e:7a03:: with SMTP id v3mr15426649ljc.22.1552278555537; Sun, 10 Mar 2019 21:29:15 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: nalini elkins <>
Date: Mon, 11 Mar 2019 09:59:11 +0530
Message-ID: <>
To: Christian Huitema <>
Cc:, Vittorio Bertola <>,,, "Ackermann, Michael" <>, Stephen Farrell <>
Content-Type: multipart/alternative; boundary="000000000000e5456b0583ca03c7"
Archived-At: <>
Subject: Re: [Doh] [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Mar 2019 04:29:21 -0000

BTW, I am reading the draft Tiru et al just posted on DPRIVE about this
issue to see if we have any comments.

> 4) I am using my work laptop on the enterprise network, and
using application-X

This could be an internal application or on the Internet.

Enterprises have connections to:

- Internal LAN / WAN clients

- "Cloud" (much as I dislike the term) applications

- Business partners

- The Internet

Companies also (validly, in my opinion) wish to know if their employees are
going to while they are supposedly doing work and
of course, other sites which people should not be going to during work
time.  If I am paying someone, I expect them to do work that I wish them to

The cloud example gets quite a bit more complex with some architectures
some companies are proposing where there will be a complicated topology on
premises.   Let me check with the enterprise who told me about this & I
will see if I can post the diagram or an explanation of what is planned.
This is a complex problem.

Thank your for your thoughtful consideration of the issues.  Please let me
know if my explanation makes the requirements any clearer.


On Mon, Mar 11, 2019 at 9:44 AM Christian Huitema <>

> On 3/10/2019 8:25 PM, nalini elkins wrote:
> >  > Similarly, putting DNS in user space allows for immediate adoption
> > of DNSSEC and privacy enhancements, even when the operating system or
> > the local network does not support them
> >
> > At enterprises (banks, insurance, etc) on their internal networks,
> > people run their own DNS servers which may resolve for both internal
> > and external sites.
> >
> > We were recently talking to a Fortune 50 company in the United States
> > about what might happen you install a version of the browser which
> > uses DNS-over-HTTPS automatically.  (Clearly, this applies to any
> > variant.)
> >
> > The questions that the Fortune 50 company architect asked were
> > something like this:
> >
> > 1. You mean that DNS could be resolved outside my enterprise?
> >
> > 2. So whoever that is that resolves my DNS sees the pattern and
> > frequency of what sites my company goes to?
> >
> > 3. How do I change this?
> There are a bunch of conflicting requirements here, and it would be good
> to tease out the contradictions. Consider the following cases:
> 1) I am using my phone, and using application-X.
> 2) I am at home, using application-X on my home computer.
> 3) I am using Wi-Fi in a hotel, and using application-X.
> 4) I am using my work laptop on the enterprise network, and using
> application-X
> 5) I am using my work laptop in a hotel, and using application-X
> 6) I am using my work laptop on the network of a customer, and using
> application-X.
> Today, plenty of people claim the right to control how I use the DNS: my
> phone carrier, my ISP at home, the company that got the contract to
> manage the hotel's Wi-Fi, the IT manager for my company's laptop, the IT
> manager for the company that I am visiting. Out of those, there is just
> one scenario for which the claim has some legitimacy: if the company
> pays for my laptop and own the laptop, yes of course it has a legitimate
> claim to control how I am using it. Otherwise, I, the user, get to
> decide. If I like the application's setting better than the network's
> default, then of course I expect those settings to stick.
> -- Christian Huitema

Nalini Elkins
Enterprise Data Center Operators