Re: [Doh] [Ext] WGLC on draft-ietf-doh-dns-over-https

Paul Hoffman <paul.hoffman@icann.org> Wed, 02 May 2018 16:09 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Mark O <Mark.O@ncsc.gov.uk>
CC: "doh@ietf.org" <doh@ietf.org>
Date: Wed, 02 May 2018 16:09:10 +0000
Message-ID: <3AF88665-5E46-4226-B7BE-082EBA1FE5C5@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/vJuQ6yTHsQSwqc4hcqziEwFiaaA>

On May 2, 2018, at 7:46 AM, Mark O <Mark.O@ncsc.gov.uk> wrote:
> 
> The charter for the DOH working group states that “The working group will analyze the security and privacy issues that could arise from accessing DNS over HTTPS”.

It does. However, it does not say that the protocol document has to do so.

> I’d like to suggest that the section on Security Considerations of draft-ietf-doh-dns-over-https should include text on the impact on cyber defence.

It might be better dealt with in a standalone document. Given that the IETF historically takes at least a year to "agree" on wording relating to this, causing the protocol document to wait for such agreement might be bad. For example, I find some of the wording you proposed to be highly biased towards "middleboxes have a right to inspect". Others might find your wording too weak, and would want more wording along the lines of "security middleboxes already inspect DNS messages, and DOH is preventing that, so DOH hurts security". There are literally thousands of messages on this topic on various IETF mailing lists in the past few years.

Further, the wording proposed is as appropriate for DNS-over-TLS as for DOH (with slightly different security and privacy considerations), and thus a separate document that deals with both of them would actually be more helpful than just doing it for DOH.

--Paul Hoffman