I went over this in some detail a while back, but to recap, the point of something like DoH or DoT is to protect the client from eavesdropping. There are three senses in which this can be useful.
- First, that there is a trust relationship between the client and the server, which is validated using PKI. This trust relationship prevents anyone other than the trusted server from seeing the client's queries.
- Second, that the client just wants protection from eavesdropping on the local wire, and doesn't actually trust the network operator, but uses the provided DoT or DoH information because it protects from third party eavesdroppers.
- Third, the client has a trust relationship with the provider because the provider of the client software configured it that way.

What's important about this is that the first and second types of trust relationships are mutually exclusive. If you have the first, that precludes the second. You have to pick which one you want. The third is essentially a special case of the first, but I mention it because people tend to describe them as if they are different.

So if you are relying on the first kind of trust relationship, then you can't use DHCP, because you have no trust relationship with DHCP. If you are relying on the second trust relationship, you are assuming that the network operator is competent; otherwise a third party can still eavesdrop on your traffic by providing DHCP service on the local wire. Paul and Bert have talked about why the third kind of trust relationship is problematic.

So you have trust relationship one, which has the problems Paul talks about. You have trust relationship two, which has a different set of problems, and is incompatible with trust relationship one. And you have trust relationship three, which is a special case of trust relationship one. The DHCP solution is compatible only with trust relationship two. So if the IETF were to recommend this way of configuring DoH and DoT, we would essentially be throwing away the privacy benefits of DoH and DoT (assuming that such benefits exist).
Paul states this as if it's just obvious that when you are connected to a particular network, you have to follow the rules of that network, but this is kind of a special-case argument: Paul runs his network that way, and he gave some examples of other networks that are run that way, but there are also lots of networks that aren't run that way, and as an end user who owns his device and does not live in a country that censors the Internet, I am not willing to have the internet censorship case be the default case. If a device were to treat that as the default case, I would not want to use that device.

I will freely admit that this is not clear-cut, but that's really my point. I believe that it is wrong to advance a DHCP-based solution without consensus that we prefer the second trust model, and I don't think such a consensus is attainable. Pursuing a DHCP-based solution without that consensus is simply a way of bypassing the consensus process, in the sense of deciding that there is no need to get consensus on which trust model we prefer before choosing a trust model.

On Sun, Aug 19, 2018 at 12:43 PM, Doug Barton <do...@dougbarton.us> wrote:

> On 08/18/2018 06:08 PM, Ted Lemon wrote:
>
>> The thing is that most devices don't connect to just one network. So while your devices on your network can certainly trust port 853 on your network, when they roam to other networks, they have no reason to trust it. If you have devices that never roam to other networks, that's fine, but we have to design for the more general case. There's no way with DHCP for the device to tell that it's connected to a particular network, other than matching IP addresses, which isn't a great idea.
>
> Ted,
>
> I'd like to turn your question back to you. What threat model are you protecting the user from by not allowing a DHCP option to use a DOH or DOT server?
>
> It seems to me that in the overwhelming majority of cases (near 100%) the user is going to get their local resolver from the DHCP server, whether they are on a trusted network (like work or home), or roaming at Eve's Coffee Shop.
>
> So either you have a sophisticated user who has preconfigured their own resolver and ignores the DHCP setting, or you have the typical user who doesn't understand how any of this stuff works, and therefore has implicit "trust" regarding the local network and the settings from the DHCP server.
>
> Given that (and feel free to tell me if I've missed something), what harm can come to the user if the resolver that they are already trusting can also be accessed over DOH or DOT?
>
> Doug
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
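The three trust relationships in the message above, written out as a client-side resolver-selection policy. This is an added example, not code from Ted Lemon's message or from any IETF document: the `DhcpOffer.dot_server` field stands in for a hypothetical DHCP option carrying DoT information (no such standardized option is assumed), and every address and name is constructed. The point it makes concrete is the one the message argues: under models 1 and 3 nothing learned from DHCP may override the preconfigured resolver or its certificate name, and once a client accepts DHCP-supplied DoT/DoH settings it is operating under model 2 whatever it was configured for.

```python
# Added example (not from the message above): a toy resolver-selection
# policy encoding the three trust relationships. The DHCP DoT option and
# all addresses/names below are constructed for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class TrustModel(Enum):
    PROVIDER_PKI = 1     # 1: client trusts a named resolver, validated via PKI
    LOCAL_NETWORK = 2    # 2: client trusts the local operator, wants on-wire privacy only
    SOFTWARE_VENDOR = 3  # 3: vendor preconfigured the resolver (special case of 1)


@dataclass(frozen=True)
class Resolver:
    address: str
    transport: str                   # "do53", "dot" or "doh"
    auth_name: Optional[str] = None  # name the TLS certificate must match, if any


@dataclass(frozen=True)
class DhcpOffer:
    dns_servers: Tuple[str, ...]
    dot_server: Optional[Resolver] = None  # hypothetical DHCP option carrying DoT info


@dataclass(frozen=True)
class Decision:
    resolver: Resolver
    validate_name: bool  # must the cert match a name the client trusted beforehand?
    source: str          # "preconfigured" or "dhcp"


def choose_resolver(model: TrustModel,
                    preconfigured: Optional[Resolver],
                    offer: DhcpOffer) -> Decision:
    """Pick a resolver and its validation requirement for the given trust model."""
    if model in (TrustModel.PROVIDER_PKI, TrustModel.SOFTWARE_VENDOR):
        # Under models 1 and 3 the DHCP server is untrusted: nothing in the
        # offer may override the preconfigured resolver, and the certificate
        # must match the name the client already trusts.
        if preconfigured is None or preconfigured.auth_name is None:
            raise ValueError("trust model 1/3 needs a preconfigured, named resolver")
        return Decision(preconfigured, validate_name=True, source="preconfigured")

    # Model 2: the client relies on the local operator. A DoT server learned
    # from DHCP is accepted, but any name it carries arrived over the same
    # unauthenticated DHCP exchange, so validating against that name adds
    # nothing beyond protection from passive on-wire eavesdroppers.
    if offer.dot_server is not None:
        return Decision(offer.dot_server, validate_name=False, source="dhcp")
    if not offer.dns_servers:
        raise ValueError("DHCP offer carries no resolver")
    return Decision(Resolver(offer.dns_servers[0], "do53"),
                    validate_name=False, source="dhcp")


def effective_model(model: TrustModel, accept_dhcp_dot: bool) -> TrustModel:
    """Accepting DHCP-supplied DoT/DoH settings collapses models 1 and 3 into model 2."""
    return TrustModel.LOCAL_NETWORK if accept_dhcp_dot else model


if __name__ == "__main__":
    # Constructed inputs: a vendor-preconfigured DoT resolver and a DHCP offer
    # from the local network that advertises its own DoT server.
    pre = Resolver("192.0.2.53", "dot", auth_name="dns.example")
    offer = DhcpOffer(("198.51.100.1",),
                      dot_server=Resolver("198.51.100.1", "dot", "resolver.lan.example"))
    for model in TrustModel:
        d = choose_resolver(model, pre, offer)
        print(model.name, d.source, d.resolver.address, "validate_name=%s" % d.validate_name)
```

Run as a script it prints one decision per model; the two PKI-based models stick with `192.0.2.53` and require name validation, while `LOCAL_NETWORK` takes the DHCP-advertised server without it. `effective_model` is the one-line version of the incompatibility argument: a client that honours the DHCP option has chosen model 2, so a vendor or user who wanted model 1 or 3 no longer has it.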