Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-25 Thread Puneet Sood
Reposting to the list what I shared with Richard Bennett earlier. The Google Public DNS privacy policy is at https://developers.google.com/speed/public-dns/privacy. Maybe I should have included a link to it in the earlier email. If you have comments on it, please share. We are following https://t

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-24 Thread Paul Vixie
first, thank you for this statement, and for the policies it describes. Puneet Sood wrote on 2019-03-22 15:08: ... As a core principle, Google Public DNS aims to provide a DNS resolver that respects our users’ privacy. Towards that goal, we aim to provide high quality implementations of various

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-23 Thread Paul Vixie
Stephen Farrell wrote on 2019-03-22 15:36: ... in addition to transport security, things like logging etc. also affect folks' privacy. Not sure if you're aware of it, but there's an effort to craft BCP-like text on that broader topic in a draft [1] in the dprive WG. It'd be great to get your a

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-23 Thread Matthew Pounsett
On Sat, 23 Mar 2019 at 14:08, Paul Vixie wrote: > Bind9 with no config file now does the right recursive thing, including > dnssec. Knot and unbound and powerdns will not be far behind. We just need > to get the word out, to ISPs, Enterprise, SOHO, and end users of Windows, > macosx, Linux, and B

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-23 Thread Paul Vixie
Bind9 with no config file now does the right recursive thing, including dnssec. Knot and unbound and powerdns will not be far behind. We just need to get the word out, to ISPs, Enterprise, SOHO, and end users of Windows, macosx, Linux, and BSD. The hard part will be iOS and Android, due to the p

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-23 Thread Jared Mauch
On Fri, Mar 22, 2019 at 12:26:47PM -0700, Paul Vixie wrote: > > > Jared Mauch wrote on 2019-03-22 11:59: > > So my thoughts on this real quick: one of the reasons many people are > > using centralized services like 8.8.8.8 (for example) is its complex > > to run these servers properly. > > i thi

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Wes Hardaker
Eliot Lear writes: > Hi Wes, > > On 22 Mar 2019, at 00:21, Wes Hardaker wrote: > > If DNS privacy is a goal, > > It is a goal. It is not the only goal. There is a tussle here. Let’s > recognize that. Sorry, I knew it was a goal... Just inserted wording to draw attention to it. The w

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Richard Bennett
I like it if you would kindly define “privacy” in the context of “a DNS resolver that protects our users’ privacy.” Does that mean hiding their lookups from ISPs who might want to enter the market for targeted ads while using them for your company’s own purposes, or just protecting user queries

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Stephen Farrell
Hiya, On 22/03/2019 22:08, Puneet Sood wrote: > As a core principle, Google Public DNS aims to provide a DNS resolver > that respects our users’ privacy. Towards that goal, we aim to provide > high quality implementations of various DNS transport mechanisms that > our users can use to reach the s

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Puneet Sood
Hello, There has been much discussion in the IETF lists over the impact of using DNS-over-HTTPS (DoH) in a network. We would like to clarify the Google Public DNS position on this topic. The post I am replying to is particularly relevant since it makes some assumptions about the plans of the Googl

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Paul Vixie
Jared Mauch wrote on 2019-03-22 11:59: So my thoughts on this real quick: one of the reasons many people are using centralized services like 8.8.8.8 (for example) is its complex to run these servers properly. i think those optics are the motive, as you say. however, it is not complex, as yo

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Jared Mauch
> On Mar 21, 2019, at 11:29 PM, Brian Dickson wrote: > > I realize, expressiveness adds complexity. However, it does avoid assumptions > and overloading. > > The main criteria is agreement on client vs server (i.e. standardize this > stuff), and possibly also add the network as another par

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Joe Abley
On Mar 22, 2019, at 18:35, Paul Vixie wrote: all statements made to date by the india and united kingdom governments have indicated that their plans to support in-country RDNS will not be mandatory, just as canada's (operated by CIRA) is not mandatory. Others here can speak more authoritatively t

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Livingood, Jason
On 3/22/19, 3:53 AM, "Doh on behalf of Vittorio Bertola" wrote: > letting each application pick its own default resolver, creates a fragmented > mess of a network [JL] Troubleshooting also becomes potentially more complicated. I can't ask a user to run dig or nslookup and tell me what it says

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Paul Vixie
Bill Woodcock wrote on 2019-03-22 10:13: On Mar 22, 2019, at 12:53 AM, Vittorio Bertola wrote: If DoH deployment continues this way, I do see some governments - even in Europe - trying to go in that direction, either by mandating the use of in-country resolvers… India has already started

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Paul Vixie
Ted Lemon wrote on 2019-03-22 04:14: ... I don’t think there’s any reason to use DoH if you trust the local resolver. i'd go further, but i won't, here. instead i'll say, others go further, and say, centralization is nec'y for privacy because it sends queries through a blender, so that dist

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Bill Woodcock
> On Mar 22, 2019, at 12:53 AM, Vittorio Bertola wrote: > If DoH deployment continues this way, I do see some governments - even in > Europe - trying to go in that direction, either by mandating the use of > in-country resolvers… India has already started down that path, and it looks like

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Ted Lemon
On Mar 21, 2019, at 6:50 PM, John Levine wrote: > I believe that for DoT, the idea is that the client just probes the > DNS server address on port 853 and uses it if it gets an answer. I > suppose you could try the same thing on port 443 but that seems > riskier. This is a workaround for the abs

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Eliot Lear
Hi Wes, On 22 Mar 2019, at 00:21, Wes Hardaker wrote: > > If DNS privacy is a goal, It is a goal. It is not the only goal. There is a tussle here. Let’s recognize that. Eliot

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread sthaug
>> I think this is a mischaracterization of the debate, which actually >> started because of a third position that you don't mention: Mozilla's >> public statement that in the future they will force (or, at least, make as >> a default - clarification requests haven't solved the doubt yet) Firefox >

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Ray Bellis
On 22/03/2019 08:33, Eric Rescorla wrote: I'm not sure where you have attempted to clarify this point (I think we've been clear on this point at https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/) Regardless of what the default is, users will be able to disable DoH. Rega

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Eric Rescorla
On Fri, Mar 22, 2019 at 12:53 AM Vittorio Bertola wrote: > > > > On 22 March 2019 at 4:40 Christian Huitema wrote: > > > > Much of the debate is on the second point. One position is that users > should be forced to trust the DNS resolver provided by the local > infrastructure. Another p

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-22 Thread Vittorio Bertola
> On 22 March 2019 at 4:40 Christian Huitema wrote: > > Much of the debate is on the second point. One position is that users should > be forced to trust the DNS resolver provided by the local infrastructure. > Another position is that users have the right to apply their own policy an

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-21 Thread Christian Huitema
> On Mar 22, 2019, at 12:21 AM, Wes Hardaker wrote: > > If DNS privacy is a goal, systems and applications SHOULD use DNS over > TLS to encrypt traffic to their local resolver if possible (unless the > system and application distrusts the local resolver infrastructure). Maybe we should start

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-21 Thread Wes Hardaker
Vittorio Bertola writes: > This is actually the recommendation in section 4.6 of my draft :-) And > I agree, it looks like the only possible and reasonable compromise > between the two viewpoints. Another way of stating the preference ordering: If DNS privacy is a goal, systems and applications

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-21 Thread Jim Reid
> On 21 Mar 2019, at 22:29, Brian Dickson wrote: > >> On Thu, Mar 21, 2019 at 3:03 PM Jacques Latour wrote: >> Plus! >> Is anyone looking at adding DoH and DoT servers as part of DHCP/SLAAC? So >> the local resolver and apps and browsers can go the _appropriate_ name >> resolution reso

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-21 Thread John Levine
In article <428d5ff2b5704cdf956a5919e330e...@cira.ca> you write: >Plus! >Is anyone looking at adding DoH and DoT servers as part of DHCP/SLAAC? I believe that for DoT, the idea is that the client just probes the DNS server address on port 853 and uses it if it gets an answer. I suppose you could
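An added example, not code from the thread or from any resolver or browser named in it, of the probe John Levine describes here and that Ted Lemon's 2019-03-22 reply discusses: connect to the configured resolver on port 853, send one query over TLS, and use DoT if a matching answer comes back. It also shows the two RFC 8310 profiles (opportunistic, no certificate check; strict, certificate verified against an authentication domain name) and a fail-closed option, since the "just probe 853" behaviour on its own silently downgrades to cleartext when the port is blocked. Assumptions: the query name example.com, the parameter names auth_name and strict, and the loopback address in the usage note are mine.

```python
import socket
import ssl
import struct

DOT_PORT = 853
PLAIN_PORT = 53

def build_query(qname, qtype=1, qid=0x2A2A):
    """Minimal DNS query with RD set; qtype 1 = A."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00"
            + struct.pack("!HH", qtype, 1))

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def probe_dot(server_ip, auth_name=None, timeout=2.0, qname="example.com"):
    """Send one DoT query to server_ip:853; return the raw response, or None on any failure.

    auth_name=None is the opportunistic profile (RFC 8310): the session is encrypted but the
    certificate is not checked, so anything that speaks TLS on 853 passes. Passing the
    resolver's authentication domain name gives the strict profile: the certificate must
    verify for that name.
    """
    ctx = ssl.create_default_context()
    if auth_name is None:
        ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
        ctx.verify_mode = ssl.CERT_NONE
    query = build_query(qname)
    try:
        with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
                tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length framing
                (length,) = struct.unpack("!H", _read_exact(tls, 2))
                resp = _read_exact(tls, length)
    except OSError:                          # refused, timeout, TLS/cert failure, short read
        return None
    if len(resp) < 12 or resp[:2] != query[:2]:   # transaction ID must match ours
        return None
    return resp

def select_transport(server_ip, strict, auth_name=None, timeout=2.0):
    """Decide how to reach the configured resolver.

    strict=False: if the 853 probe fails, fall back to cleartext port 53 (fails open).
    strict=True: no fallback, so a blocked or absent DoT service fails closed instead of
    silently downgrading.
    """
    if probe_dot(server_ip, auth_name=auth_name, timeout=timeout) is not None:
        return ("dot", DOT_PORT)
    if strict:
        raise RuntimeError(f"no usable DoT service at {server_ip}:{DOT_PORT}; refusing cleartext fallback")
    return ("udp", PLAIN_PORT)
```

Against a host with nothing listening on 853, `select_transport("127.0.0.1", strict=False, timeout=0.3)` returns `("udp", 53)` and the strict variant raises; the difference between the two is exactly the policy question in this sub-thread, and an operator who blocks 853 at the edge gets cleartext from the first client and nothing from the second.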

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-21 Thread Brian Dickson
On Thu, Mar 21, 2019 at 3:03 PM Jacques Latour wrote: > Plus! > Is anyone looking at adding DoH and DoT servers as part of DHCP/SLAAC? So > the local resolver and apps and browsers can go the _appropriate_ name > resolution resource(s) using the protocol of choice. That would be much > simpler f

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-21 Thread Jacques Latour
Plus! Is anyone looking at adding DoH and DoT servers as part of DHCP/SLAAC? So the local resolver and apps and browsers can go the _appropriate_ name resolution resource(s) using the protocol of choice. That would be much simpler for default configuration in enterprise and ISP. >From: DNSOP

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Vittorio Bertola
> On 20 March 2019 at 12:38 Joe Abley wrote: > > Seems to me that there's a middle ground within sight here. > > Standardise this privacy mechanism, and specify (with reasoning) that it > should be implemented such that the existence of the channel (but not the > content) can be identif

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Matthew Pounsett
On Wed, 20 Mar 2019 at 07:38, Joe Abley wrote: > [There is actually a proposal at the bottom of this e-mail. Bear with me.] > And it's a good proposal! > > Standardise this privacy mechanism, and specify (with reasoning) that it > should be implemented such that the existence of the channel (b

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Jared Mauch
It’s also about DLP and other related topics. There is a deep well here we keep tiptoeing around. Some things are mitigated by enterprise certificates and others are far more tricky. Doing this with DNS helps with that defense in depth. Removing that layer of defense will increase risks on one

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Matthew Pounsett
On Tue, 19 Mar 2019 at 13:45, Ted Hardie wrote: > >> I have a relationship with my users and I can control the configuration >> of their *known* applications. I do not have a relationship with the >> malware author that is trying to steal their data, and cannot control the >> configuration of th

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Matthew Pounsett
On Tue, 19 Mar 2019 at 13:37, Christian Huitema wrote: > > On 3/19/2019 12:50 AM, Eliot Lear wrote: > > On 19 Mar 2019, at 01:50, Matthew Pounsett wrote: > > Somewhere up-thread it was suggested that there are other reasonable steps > that a network/security operator can take to maintain the con

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Jacques Latour
It's not what you access, it's what you block, since reverse DNS is not a good solution in this instance, you need to map the DNS block list to its IP addresses and block those IPs, and readjust based on TTL, you'll end up blocking more stuff than intended, huge mess, but if you can't trust the

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread 神明達哉
At Wed, 20 Mar 2019 12:38:05 +0100, Joe Abley wrote: > > Often as an industry we may discuss various solutions that are great for oneself but don’t scale when looking at the big picture. > > I think what we are seeing is the fundamental tension between privacy and control. You need to give up som

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Adam Roach
On 3/20/19 12:59 PM, Jacques Latour wrote: I'm trying to balance in my mind the requirements to protect the DNS vs. what is happening on the wire, in the end, the browser will connect to an IP address which can be (in most case) mapped to a domain name I don't think this second assertion is

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Jacques Latour
c: Ted Hardie ; DoH WG ; dnsop >; paul vixie ; Michael Sinatra >; Stephen Farrell >Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator > > > >> On Mar 19, 2019, at 11:17 PM, Brian Dickson > wrote: >> >> >> >> On Tue, Mar 19, 2019 at 6:42 PM Step

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Joe Abley
[There is actually a proposal at the bottom of this e-mail. Bear with me.] On 20 Mar 2019, at 11:09, Jared Mauch wrote: > Often as an industry we may discuss various solutions that are great for > oneself but don’t scale when looking at the big picture. I think what we are seeing is the fundam

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Jared Mauch
> On Mar 19, 2019, at 11:17 PM, Brian Dickson wrote: > > > > On Tue, Mar 19, 2019 at 6:42 PM Stephen Farrell wrote: > > Hiya, > > One individualistic data point on this sub-topic, and a real point: > > On 20/03/2019 01:13, Jared Mauch wrote: > > My impression is there are people who

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-20 Thread Stephen Farrell
On 20/03/2019 05:46, Brian Dickson wrote: > On Tue, Mar 19, 2019 at 8:36 PM Stephen Farrell wrote: > >> >> >> On 20/03/2019 03:17, Brian Dickson wrote: >> >>> - If a network operator has any policy that is enforceable, ONLY the >>> technical policy enforcement model scales. >> >> My mail was

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Brian Dickson
On Tue, Mar 19, 2019 at 8:36 PM Stephen Farrell wrote: > > > On 20/03/2019 03:17, Brian Dickson wrote: > > > - If a network operator has any policy that is enforceable, ONLY the > > technical policy enforcement model scales. > > My mail was about my policy for my home network and explicitly said

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread nalini elkins
Brian, Thank you for a thoughtful, well-stated, reasonable comment that seeks to achieve compromise with the points of view of all being considered. Nalini On Wed, Mar 20, 2019 at 8:48 AM Brian Dickson wrote: > > > On Tue, Mar 19, 2019 at 6:42 PM Stephen Farrell wrote: > >> >> Hiya, >> >> O

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Stephen Farrell
On 20/03/2019 03:17, Brian Dickson wrote: > On Tue, Mar 19, 2019 at 6:42 PM Stephen Farrell wrote: > >> >> Hiya, >> >> One individualistic data point on this sub-topic, and a real point: >> >> On 20/03/2019 01:13, Jared Mauch wrote: >>> My impression is there are people who will not be satisf

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Brian Dickson
On Tue, Mar 19, 2019 at 6:42 PM Stephen Farrell wrote: > > Hiya, > > One individualistic data point on this sub-topic, and a real point: > > On 20/03/2019 01:13, Jared Mauch wrote: > > My impression is there are people who will not be satisfied until all > traffic looks > > identical and you have

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Paul Vixie
Stephen Farrell wrote on 2019-03-19 18:41: Not all policies need to be enforced technically. if some of you were wondering why i've grown silent on this thread, this is an exemplar. -- P Vixie

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Stephen Farrell
Hiya, One individualistic data point on this sub-topic, and a real point: On 20/03/2019 01:13, Jared Mauch wrote: > My impression is there are people who will not be satisfied until all traffic > looks > identical and you have zero way to protect your home, I would be happier if my home emitte

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Jared Mauch
> On Mar 15, 2019, at 2:36 PM, Ted Hardie wrote: > > All of the work on encrypted DNS presumes that there is one or more parties > who wishes to observe the flow of traffic to DNS resolvers for the purposes > of surveillance. The conclusion of the IETF after IETF 88 was that there was > a c

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Jared Mauch
> On Mar 12, 2019, at 5:52 PM, Michael Sinatra wrote: > > [1] As an example, I am personally and practically opposed to inline TLS > decryption in most enterprises. DoH gives further ammo for security > folks to insist on inline TLS decryption, IMO. DoT, not as much, since > the protocol can

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Eliot Lear
Hi Christian, > On 19 Mar 2019, at 18:37, Christian Huitema wrote: > > > > On 3/19/2019 12:50 AM, Eliot Lear wrote: >>> On 19 Mar 2019, at 01:50, Matthew Pounsett wrote: >>> >>> Somewhere up-thread it was suggested that there are other reasonable steps >>> tha

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Ted Hardie
Hi Matt, Comments in-line. On Mon, Mar 18, 2019 at 5:50 PM Matthew Pounsett wrote: > > > On Fri, 15 Mar 2019 at 14:37, Ted Hardie wrote: > >> >>> The past five years have not been the IETF seeking to become a king or >> king-maker. They have been spent responding to an attack while still >> b

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Christian Huitema
On 3/19/2019 12:50 AM, Eliot Lear wrote: >> On 19 Mar 2019, at 01:50, Matthew Pounsett wrote: >> >> Somewhere up-thread it was suggested that there are other reasonable >> steps that a network/security operator can take to maintain the >> controls over resolution tha

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Eliot Lear
> On 19 Mar 2019, at 14:10, Ted Lemon wrote: > > On Mar 19, 2019, at 3:50 AM, Eliot Lear wrote: >> It might also be possible to whitelist ANSWERs into iptables. I wrote the >> code for that for a dnscap plugin some years ago, and you could even play >> with it if you

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Ted Lemon
On Mar 19, 2019, at 3:50 AM, Eliot Lear wrote: > It might also be possible to whitelist ANSWERs into iptables. I wrote the > code for that for a dnscap plugin some years ago, and you could even play > with it if you want (it’s on GitHub), but I’m not suggesting it’s a good > general answer (it

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-19 Thread Eliot Lear
Matthew > On 19 Mar 2019, at 01:50, Matthew Pounsett wrote: > > Somewhere up-thread it was suggested that there are other reasonable steps > that a network/security operator can take to maintain the controls over > resolution that we have today, but so far I haven't seen them enumerated > any
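An added example, not code from the thread, from Eliot Lear's dnscap plugin, or from any product named here, that puts working code behind two points raised in this sub-thread: Eliot's suggestion above (quoted by Ted Lemon on 2019-03-19) of whitelisting the ANSWERs the local resolver hands out into iptables, and Jacques Latour's warning of 2019-03-20 that projecting a name blocklist onto IP addresses and readjusting on TTL blocks more than intended. The DNS responses are constructed inline with a small builder so the code runs offline; the names and addresses are documentation ranges, the TTL handling and the rule text are one plausible rendering rather than any tool's real output, and the shared-CDN-address scenario in `demo()` is constructed to show the collateral.

```python
import ipaddress
import struct

# build_response fabricates a minimal DNS wire-format response (constructed sample input).
def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, ttl, ips, qid=0x1234):
    """Fabricate a NOERROR response for qname with one A/AAAA record per address."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        rtype = 1 if addr.version == 4 else 28
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(addr.packed)) + addr.packed
    return header + question + answers

def _read_name(msg, off):
    """Decode a possibly compressed owner name; returns (name, offset past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_answers(msg):
    """Return [(owner, ttl, ip)] for the A/AAAA records in a NOERROR response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:                            # RCODE != 0: learn nothing from failures
        return []
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                  # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            out.append((owner, ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28 and rdlen == 16:
            out.append((owner, ttl, str(ipaddress.IPv6Address(rdata))))
    return out

class AnswerAllowlist:
    """Egress allow-list fed only by the local resolver's answers; entries die with their TTL."""
    def __init__(self):
        self._entries = {}                        # ip -> (owner, expires_at)
    def learn(self, response, now):
        for owner, ttl, ip in parse_answers(response):
            self._entries[ip] = (owner, now + ttl)
    def allowed(self, ip, now):
        entry = self._entries.get(ip)
        return entry is not None and entry[1] > now
    def iptables_rules(self, now):
        """One ACCEPT per live entry; re-render as TTLs expire (hypothetical rule layout)."""
        rules = []
        for ip, (owner, expires_at) in sorted(self._entries.items()):
            if expires_at > now:
                tool = "iptables" if ipaddress.ip_address(ip).version == 4 else "ip6tables"
                rules.append(f"{tool} -A FORWARD -d {ip} -m comment --comment {owner} -j ACCEPT")
        return rules

def ip_block_collateral(blocked_names, observed):
    """Project a name blocklist onto IPs and list the non-blocked names sharing those IPs."""
    blocked_ips = {ip for owner, _ttl, ip in observed if owner in blocked_names}
    collateral = sorted({owner for owner, _ttl, ip in observed
                         if ip in blocked_ips and owner not in blocked_names})
    return blocked_ips, collateral

def demo(now=1_000_000):
    allow = AnswerAllowlist()
    allow.learn(build_response("www.example", 30, ["203.0.113.10"]), now)
    # Constructed scenario: the ad host shares its IPv4 address with www.example (same CDN front)
    observed = parse_answers(build_response("www.example", 30, ["203.0.113.10"]))
    observed += parse_answers(build_response("ads.example", 300, ["203.0.113.10", "2001:db8::53"]))
    return {"rules_now": allow.iptables_rules(now),
            "allowed_after_ttl": allow.allowed("203.0.113.10", now + 31),
            "collateral": ip_block_collateral({"ads.example"}, observed)}
```

`demo()` shows both halves: the allow-list holds 203.0.113.10 only until the 30-second TTL runs out, and projecting the one-name blocklist {ads.example} onto addresses yields a two-address deny set that also takes www.example down with it. Both mechanisms depend on every host actually using the resolver that feeds them, which is the control an application-chosen DoH resolver removes.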

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-18 Thread Matthew Pounsett
On Fri, 15 Mar 2019 at 14:37, Ted Hardie wrote: > >> The past five years have not been the IETF seeking to become a king or > king-maker. They have been spent responding to an attack while still > building out the facilities of the network. I am glad to find you a ready > participant now, as th

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-17 Thread John Levine
In article <917068158.3571.1552695623...@appsuite.open-xchange.com> you write: >infrastructure can often be infected, ill-maintained. or hostile by design. >Given the extremely high percentage of users who are now on >the Internet by mobile devices which roam and opportunistically use WiFi, >ign

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-16 Thread Ralf Weber
Moin! On 15 Mar 2019, at 19:36, Ted Hardie wrote: > As was pointed out in many groups, trusting the local infrastructure is > extremely problematic in nomadic cases as the local infrastructure can > often be infected, ill-maintained. or hostile by design. Given the > extremely high percentage of

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-15 Thread Brian Dickson
This has been an excellent discussion, with lots of insightful analysis, examples, and great context. I apologize in advance, but I'd like to pick one particular sentence, to use for teasing out what I think is a foundational issue: On Fri, Mar 15, 2019 at 11:37 AM Ted Hardie wrote: > > This is

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-15 Thread Vittorio Bertola
> On 15 March 2019 at 19:36 Ted Hardie wrote: > > As was pointed out in many groups, trusting the local infrastructure is > extremely problematic in nomadic cases as the local infrastructure can often > be infected, ill-maintained. or hostile by design. Given the extremely high >

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-15 Thread John Todd
On 12 Mar 2019, at 20:05, Raymond Burkholder wrote: On 2019-03-12 1:15 p.m., Ted Hardie wrote: that's precisely the goal, because very few network operators can preordain the users and apps that will connect through their networks. but there are more than just network operators.

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-15 Thread Ted Hardie
Thanks for the thought you've put into this. I've replied in-line. On Fri, Mar 15, 2019 at 12:45 AM Paul Vixie wrote: > On Tuesday, 12 March 2019 20:52:27 UTC Ted Hardie wrote: > > Paul, > > > > Since it is apparent our disagreement is at a more fundamental level, I > > will make only two furth

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-15 Thread Paul Vixie
On Tuesday, 12 March 2019 20:52:27 UTC Ted Hardie wrote: > Paul, > > Since it is apparent our disagreement is at a more fundamental level, I > will make only two further comments. ted, your comments were of such a nature that i had to sleep on them more than once before i felt i could re-engage.

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-12 Thread Raymond Burkholder
On 2019-03-12 2:52 p.m., Ted Hardie wrote: the feasibility of this migration.  We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload.  For many of these ac

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-12 Thread Raymond Burkholder
On 2019-03-12 1:15 p.m., Ted Hardie wrote: that's precisely the goal, because very few network operators can preordain the users and apps that will connect through their networks. but there are more than just network operators. There are security people at all levels of organizati

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-12 Thread Michael Sinatra
I realize you're responding to Paul, but your message below did pique (in a good way) my thinking and the distinction in my mind, as an operator, between DoH and DoT (and other forms of encrypted communication). I am top-posting intentionally because I am responding to your entire message. I supp

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-12 Thread Ted Hardie
Paul, Since it is apparent our disagreement is at a more fundamental level, I will make only two further comments. The first is that you recently chided someone for using the word "rant", saying that it would "diminish and disrespect" someone's words. In the note below you use terms like "warfar

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-12 Thread Paul Vixie
On Tuesday, 12 March 2019 19:15:16 UTC Ted Hardie wrote: > ... > > that's precisely the goal, because very few network operators can > > preordain the users and apps that will connect through their networks. > > I do not believe this goal is met by what you describe, since an > application can use

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-12 Thread Ted Hardie
Hi Paul, Comments in-line. On Tue, Mar 12, 2019 at 11:27 AM Paul Vixie wrote: > On Monday, 11 March 2019 18:30:51 UTC Ted Hardie wrote: > > On Mon, Mar 11, 2019 at 11:06 AM Paul Vixie wrote: > > > DoH will moot that approach. > > > > Any system that actually checks the credentials presented by

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-12 Thread Paul Vixie
On Monday, 11 March 2019 18:30:51 UTC Ted Hardie wrote: > On Mon, Mar 11, 2019 at 11:06 AM Paul Vixie wrote: > > DoH will moot that approach. > > Any system that actually checks the credentials presented by the responding > server will also moot that approach. yes! but it will fail "closed". thu

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-11 Thread Ted Hardie
On Mon, Mar 11, 2019 at 11:06 AM Paul Vixie wrote: > > DoH will moot that approach. > Any system that actually checks the credentials presented by the responding server will also moot that approach. Given how easy it is to pin credential characteristics in applications distributed as binaries,

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-11 Thread Paul Vixie
Ted Hardie wrote on 2019-03-11 10:02: ... no other off-network RDNS is reachable by malware which somehow gets into my network, I interpret this to mean that you have blocked DNS over TLS's well-known port (853), so that Quad 9 and other services offering it are not accessible.  Is

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-11 Thread Ted Hardie
On Sat, Mar 9, 2019 at 11:03 PM Paul Vixie wrote: > > > Warren Kumari wrote on 2019-03-09 22:48: > > [ + DNSOP] > > > > ... > > > > I think it would be very valuable to not conflate DNS-over-HTTPS (the > > protocol) with the "applications might choose to use their own > > resolvers" concerns. > >

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-10 Thread Vittorio Bertola
> On 10 March 2019 at 20:15 Ask Bjørn Hansen wrote: > > > > > > > On Mar 9, 2019, at 10:48 PM, Warren Kumari wrote: > > > > Also, I think that this topic would be better discussed in the > > DNSOP WG - the DoH

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-10 Thread Ask Bjørn Hansen
> On Mar 9, 2019, at 10:48 PM, Warren Kumari wrote: > > Also, I think that this topic would be better discussed in the DNSOP WG - > the DoH charter (https://datatracker.ietf.org/wg/doh/about/) talks about: > "The primary focus of this working gr

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-10 Thread Stephane Bortzmeyer
On Sat, Mar 09, 2019 at 11:01:33PM -0800, Paul Vixie wrote a message of 32 lines which said: > i have been away as long as possible, which means i was surprised > that the IESG was willing to allow a document to standardize I'm not surprised, since, in the last years, there have been a strong

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-10 Thread Stephane Bortzmeyer
On Sun, Mar 10, 2019 at 03:48:52PM +0900, Warren Kumari wrote a message of 281 lines which said: > I think it would be very valuable to not conflate DNS-over-HTTPS > (the protocol) with the "applications might choose to use their own > resolvers" concerns. I fully agree. Applications using t

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-09 Thread Paul Vixie
Warren Kumari wrote on 2019-03-09 22:48: [ + DNSOP] ... I think it would be very valuable to not conflate DNS-over-HTTPS (the protocol) with the "applications might choose to use their own resolvers" concerns. i disagree. as an example: Two primary use cases were considered during th

Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

2019-03-09 Thread Warren Kumari
[ + DNSOP] On Sun, Mar 10, 2019 at 12:31 PM Jim Reid wrote: > FYI colleagues. The draft below has just been submitted. I've been given > 10 minutes of WG agenda time at IETF104. > I haven't given this a full review yet, but I'd like to note that almost all of this is about concerns around appli