Re: [Doh] DOH and split DNS

Eliot Lear <lear@cisco.com> Thu, 09 November 2017 11:06 UTC

Return-Path: <lear@cisco.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D746812F3D0 for <doh@ietfa.amsl.com>; Thu, 9 Nov 2017 03:06:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y4a85NTWd7IO for <doh@ietfa.amsl.com>; Thu, 9 Nov 2017 03:06:09 -0800 (PST)
Received: from bgl-iport-2.cisco.com (bgl-iport-2.cisco.com [72.163.197.26]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7F8C12EC8E for <doh@ietf.org>; Thu, 9 Nov 2017 03:06:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3147; q=dns/txt; s=iport; t=1510225569; x=1511435169; h=subject:to:references:from:message-id:date:mime-version: in-reply-to; bh=zbKxuLmG1joCgB4xPtlVPmvPZMJi9cfVTF4+6xj8XXo=; b=SxgRAewNiBEjW1Beiyjk4mcN8eLPV343K3L8CPZMM3h1O4Y6SdnnhAe1 wsuCxeukB3mN8uynuFHZLkNcBlEpBMbHaz09OE0UyQ+JF1orXOKYt0Sqs CRHpLN8TA1uI0Za7WMejpXy0XKHa5lBCV6vP9xWT4wea5NReXS1K2Phdk o=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0COAADHNQRa/xjFo0hcGQEBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYUGhCSKH3SQL5ZNEIIBBwOFOwKFARgBAQEBAQEBAQFrKIUfAQU?= =?us-ascii?q?jZgsOCioCAlcGAQoCCAEBih+pVIInixUBAQEBAQEEAQEBAQEBAQERD4MwhW2DA?= =?us-ascii?q?YRaJoMrgmMFkWGBEo8nhEOCI44Yi3mHP5YhgTkfOIFxNCEIHRWDLoRmOYxAAQE?= =?us-ascii?q?B?=
X-IronPort-AV: E=Sophos;i="5.44,369,1505779200"; d="asc'?scan'208";a="78753363"
Received: from vla196-nat.cisco.com (HELO bgl-core-3.cisco.com) ([72.163.197.24]) by bgl-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Nov 2017 11:06:05 +0000
Received: from [10.232.4.170] ([10.232.4.170]) by bgl-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id vA9B65nY028558; Thu, 9 Nov 2017 11:06:05 GMT
To: Andrew Sullivan <ajs@anvilwalrusden.com>, doh@ietf.org
References: <C7B43C35-55DE-41FE-BE66-5D7BBDB6FC9A@vpnc.org> <644FB18C-3B6A-4DF2-88C9-31A0C870055D@mnot.net> <20171106120014.ybhkqptllbx75vsg@mx4.yitter.info>
From: Eliot Lear <lear@cisco.com>
Message-ID: <a684d115-b5e8-26b3-9d3a-96fb4a29b508@cisco.com>
Date: Thu, 9 Nov 2017 16:35:54 +0530
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <20171106120014.ybhkqptllbx75vsg@mx4.yitter.info>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="QQsFSLEb6novaOe4LNk92xsHiEu1kvRIO"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/yQ44kj20AgGoFpn1_IZcZ7fTh3Y>
Subject: Re: [Doh] DOH and split DNS
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2017 11:06:11 -0000


On 11/6/17 5:30 PM, Andrew Sullivan wrote:
> On Mon, Nov 06, 2017 at 11:13:19AM +1100, Mark Nottingham wrote:
>>  Some careful wording around the configuration mechanism should help.
>>
>> Allowing something like proxy.pac to override DOH doesn't make any sense, given that the primary purpose of DOH is to NOT allow the local network to impose policy on communication with the DNS server.
>>
> That careful wording had better be pretty careful.  I don't believe
> for an instant that most users have a workable theory for which
> resolution mechanism they're using, and if they configure DOH and
> suddenly all the "internal sites" don't work they're going to be
> pretty surprised.
>
> It strikes me as pretty strange, too, to suggest that, if a user
> configures proxy.pac, they don't want the local network to offer such
> policies.  If the user is prepared to use the proxy, presumably the
> user is prepared to use it to impose local policy, no?
>

That was my thinking, but I will add that this needs some more
thinking.  proxy.pac files can contain many things to match off of, and
if it's an IP address range, it won't be useful.  If it's a domain name
or wildcard (like .mydomain.example.com) then perhaps so.  Also, there
are some corner cases when it might not work- in some environments a
proxy may be required internally.  As such, when something is not
"direct" it might still be within one side of a split DNS fence, as it
were, and so the proxy.pac file would give the wrong answer. 

Eliot