Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Ted Hardie <> Tue, 12 March 2019 20:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 11998131192; Tue, 12 Mar 2019 13:52:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0qiFDUoodKTX; Tue, 12 Mar 2019 13:52:55 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 250BE13119D; Tue, 12 Mar 2019 13:52:55 -0700 (PDT)
Received: by with SMTP id f6so3384156iop.3; Tue, 12 Mar 2019 13:52:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8uH74dwKq3luot1c08dsoo/wGRBhptHqxMOb9b3SuKE=; b=OmAbfMAa9zbJNy3DeFuHzcxkuNhJy6I5qPGoarOrfYaJ+7nA5Ierb5wSW5Q8+zdJSM zJ8AWSjZ//tvOOjbXDiAOERatxdKz1fhDqoNWmfsGS94RZrvSqheogyyz3T1VLGqQfXY hcpXDEPFUGdm/vxH8mRQOfm7OW9V2ksyb2A6kiFHw3iOrHO+b0EWaS9QoNAn/8wjzwu4 u7FtUueSbouvuaveEXBOXGhXMb9XAf5B4Sjx+LPzzNuqdQosBr45Mo9aXmSLM98TmogX 63DsV5WHYqyLiZX6oH0SaPHSSo2UlHaVpdH5WwFTZEssj0WMG0+wh9KnphMcn7KdNnZc ZM6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8uH74dwKq3luot1c08dsoo/wGRBhptHqxMOb9b3SuKE=; b=bFSdZtuxTdUTXUH2eWkvyUA502pr/eLhrDSHtgkkIehKwpno6Y5gHnN7A59t5tPgpF Vgp0H2vkaCUfqBrWHZdXEitoplQyS/vOxm/EqZ2X7tqHhhQEIncAxgZ06AG9WC6487WH C6F4XlWBjruuzOse/HjPS5thIeOaqZwMNA3bIz7Jzd93fLJy0CaEDuxDLrIci5qVLUUD n96jH7hsEEItgU1IQzljeU80Mf9icKNC3P3KC8qYKHnLUsavtf4/iob416MebitDDpsY njDkp4ZBpFPmpPCwgsC6v3QscjRp1a4zvebJ2DktrvDMlyLzqQL7rVwNBi0ld1ArL1Hf zGfw==
X-Gm-Message-State: APjAAAW1CBpsSggOiOeq5ohQIZ82c5dzYiSWaOCkFo0h1xAQFWDdwQwZ kDA75PdrcKpDjCNs9reBlJJTwhvTfqKhlVATO3hrHMhxcOk=
X-Google-Smtp-Source: APXvYqxiEN5URCVuSS+o06pI5ACDA2kRcNCONQiH84ArfOGikirQt2ULduEkKhwm3ozuvK6Z2yKI6aitkewJ0BD3l3I=
X-Received: by 2002:a6b:abc2:: with SMTP id u185mr22429856ioe.145.1552423974167; Tue, 12 Mar 2019 13:52:54 -0700 (PDT)
MIME-Version: 1.0
References: <> <3457266.o2ixm6i3xM@linux-9daj> <> <1914607.BasjITR8KA@linux-9daj>
In-Reply-To: <1914607.BasjITR8KA@linux-9daj>
From: Ted Hardie <>
Date: Tue, 12 Mar 2019 13:52:27 -0700
Message-ID: <>
To: Paul Vixie <>
Cc: dnsop <>, DoH WG <>
Content-Type: multipart/alternative; boundary="0000000000008568b90583ebdfdb"
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Mar 2019 20:53:03 -0000


Since it is apparent our disagreement is at a more fundamental level, I
will make only two further comments.

The first is that you recently chided someone for using the word "rant",
saying that it would "diminish and disrespect" someone's words.  In the
note below you use terms like "warfare" to characterize the work of the
authors; that is both inflammatory and disrespectful.  The authors worked
on a chartered working group item throughout the IETF process.  You
disagree with the security trade-offs made in the chartering and execution
of that work, and discussion of that disagreement will hopefully be
fruitful.  But  if you want their respect of your opinion, according them
the respect due theirs will go a long way; they did not make these choices

My second comment is to point out that the IETF has been heading this way
for about five years now.  The IAB formalized its early support of this
approach in November of 2014 with this text:

The IAB urges protocol designers to design for confidential operation by
default.  We strongly encourage developers to include encryption in their
implementations, and to make them encrypted by default.  We similarly
encourage network and service operators to deploy encryption where it is
not yet deployed, and we urge firewall policy administrators to permit
encrypted traffic.

We believe that each of these changes will help restore the trust users
must have in the Internet.  We acknowledge that this will take time and
trouble, though we believe recent successes in content delivery networks,
messaging, and Internet application deployments demonstrate the feasibility
of this migration.  We also acknowledge that many network operations
activities today, from traffic management and intrusion detection to spam
prevention and policy enforcement, assume access to cleartext payload.  For
many of these activities there are no solutions yet, but the IAB will work
with those affected to foster development of new approaches for these
activities which allow us to move to an Internet where traffic is
confidential by default.
By that point, the IETF working groups were already in formation.  Moving
the DNS toward encryption has been going on since DPRIVE and has been
accompanied by the rise of transports like QUIC which are encrypted by
default.  You have been working around that, rather than developing new
practices.  I invite you instead to consider how you can accomplish what
you need to in an Internet where all traffic is confidential.  Enterprises
are currently doing that via managed software and environments, and that
approach seems to be well in-line with your practices below.  Using
resolution systems for this will not accomplish what you need now, nor will
it do so going forward; it is time for a different approach, rather than
seeking to return to cleartext.

The situation that moved this community to that stance was well-laid out in
IETF 88.  We must acknowledge that not all devices which are on-path are
controlled by entities known to the user or network operator and not all of
them are acting in the interests of those parties.  Protecting against that
threat requires us to change our ways.  Please help, rather than working
around the effort.


Ted Hardie
(wearing no hats)

On Tue, Mar 12, 2019 at 1:22 PM Paul Vixie <> wrote:

> On Tuesday, 12 March 2019 19:15:16 UTC Ted Hardie wrote:
> > ...
> > > that's precisely the goal, because very few network operators can
> > > preordain the users and apps that will connect through their networks.
> >
> > I do not believe this goal is met by what you describe, since an
> > application can use a proprietary resolution service in its flows.
> rogue flows have their own accounting. my problem isn't with one-off's,
> because traditional security is anomaly-based. DoH, by folding control
> plane
> data into previously non-anomalous flows, presents a new problem. if CF
> and G
> and IBM and Cisco decide to offer DoH on the same IP address that they
> offer
> API's and services i actually do need or want to permit, i'm going to have
> to
> increase my investment.
> this equation, where something is created which is a danger to me, which
> blends in with the crowd of things that are not dangerous to me, is the
> method
> by which DoH achieves its stated aim, "prevent on-path interference in DNS
> operations." all war is economics. they are increasing my costs,
> deliberately.
> i am on-path and i intend to interfere. at whatever cost that may be. i
> also
> reserve the right to re-externalize some or all of those new imposed costs.
> > Imagine for a moment an application on a smart TV that wants to provide
> > content from the closest server which contains that content.  ...
> Blocking
> > destinations for which you have seen no resolution events will work for a
> > subset of these cases, but it won't work when the resolution points to a
> > common CDN destination.  That approach will, of course, also have a wide
> > variety of failure modes when the resolution event data is incomplete for
> > timing or other reasons; it will also block all of the flows which MUD
> > would handle.
> generally speaking, security policies break down into two categories.
> allow
> all except some, or deny all except some. which one an operator chooses
> will
> depend on their goals, budgets, and in particular, the cost of anomaly
> detection. it's the change in cost of anomaly detection, deliberately
> intended
> by the authors of RFC 8484, which is at the root of some very expensive
> policy
> choices that the rest of us must now make.
> your smart-tv example is not involved in that causalality path. noting
> also, i
> have a TV which offers the kind of feature you describe, but only if i
> accept
> its software license. (something to do with GDPR, i suspect.) so i did not
> accept that license, and as a result, i have a disconnected device whose
> flaws, both now known and not yet known, will pose no threats here. my TV,
> my
> rules.
> > > to the extent that monitoring ('dnstap') and controlling (DNS RPZ) dns
> > > lookups by connected users and apps is considered a vital local
> security
> > > policy, attempts at such "pass through" must be made to fail.
> > Those are security mechanisms, rather than policy, and it may be worth
> > teasing apart what the actual desired security policy is.  You may find
> > that it is more easily implemented at the routing layer than the
> resolution
> > system in the light of proprietary resolution systems and DoH.
> to be clear, the policy is, "allow all, except some". i implement as much
> of
> this policy as possible at the routing layer, and i do my research on
> proprietary resolution systems to decide whether i can tolerate the risks
> of
> devices which use such things. (so, no nest thermostats here, the TV's are
> not
> smart, and the apple home pods are in their not-logged-in state.)
> it is the standards nature of DoH that amplifies its imposed costs. i
> could
> simply outlaw by IP or port# a proprietary or otherwise bespoke protocol.
> (working out with my kids what online games require what permissions, has
> been
> burdensome on both me and them.) DoH, by _intending to bypass_ network
> operator policy DNS, and my seamlessly hiding in the crowd of TCP/443
> transactions now made indiscernible  by TLS 1.3 and ESNI, is an act of
> economic warfare against all RDNS control plane owners. (deliberately.)
> vixie