Re: [Add] fixing coffee shop brokenness with DoH

Eric Rescorla <ekr@rtfm.com> Wed, 24 July 2019 14:37 UTC

References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com> <D361E72B-3783-4E57-8F08-8B418639BB29@fugue.com>
In-Reply-To: <D361E72B-3783-4E57-8F08-8B418639BB29@fugue.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 Jul 2019 07:37:05 -0700
Message-ID: <CABcZeBP2MY3pjeZv4Q+1Kj3_GKOgVq8+OYe7im2gYvBzy=Mz7g@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2X8VCkdVwzsjjidTmiQsVdktZ0Y>
List-Id: Applications Doing DNS <add.ietf.org>

On Wed, Jul 24, 2019 at 6:53 AM Ted Lemon <mellon@fugue.com> wrote:

> On Jul 24, 2019, at 9:14 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > Well, this is true, but in the Web context, as we move towards 100%
> > HTTPS, the importance of getting the right IP starts to decrease quite a
> > bit: if you get the wrong IP address, then this turns into a connection
> > failure.
>
> Sort of like a fake NXDOMAIN, then?

Yes. But that need not be cryptographically verifiable because the client
really has no option but to abandon the connection at this point, even if
it is suspicious of the DNSSEC status.

-Ekr
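The point above (a spoofed A record under HTTPS ends up indistinguishable, from the client's side, from a fake NXDOMAIN) rests on the certificate check a TLS client performs before it trusts a connection. The following is an added example and not code from the thread or from any of its participants: it models a browser-style client that resolves a name, connects to whatever IP came back, and accepts the connection only if the presented certificate carries the requested name (an RFC 6125 style dNSName match, including the single-leftmost-label wildcard rule). The hostnames, IP addresses and certificate SAN lists are constructed for the demo, and the "network" is a dict standing in for real servers.

```python
"""
Why a wrong A record under HTTPS collapses into a connection failure.

Added example (not from the thread). Models a browser-style client: it
resolves a name, connects to whatever IP came back, and accepts the
connection only if the presented certificate carries that name (the
RFC 6125 reference-identity check). A spoofed IP then fails the same way
an NXDOMAIN does: no authenticated connection, nothing for the attacker
to read. All names, IPs and certificates below are constructed for the
demo.
"""

NXDOMAIN = None

# Constructed "network": who answers at each IP, and the dNSName SANs in
# the certificate they present. The attacker at 198.51.100.9 can only
# present a certificate for a name they actually control.
CERTS_BY_IP = {
    "203.0.113.10": ["www.example.com", "example.com"],
    "203.0.113.11": ["*.cdn.example.net"],
    "198.51.100.9": ["attacker.example.org", "*.attacker.example.org"],
}


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName matching: case-insensitive, a single '*'
    allowed only as the whole leftmost label, and it never spans a dot
    (so '*.example.com' matches 'www.example.com' but neither
    'example.com' nor 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject 'f*o.example', '*.com' (too few labels) and wildcards in
    # any label other than the leftmost one.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names_host(sans, hostname: str) -> bool:
    """True if any SAN entry in the certificate is valid for hostname."""
    return any(dnsname_matches(san, hostname) for san in sans)


def https_outcome(hostname: str, resolved_ip, certs_by_ip=CERTS_BY_IP) -> str:
    """What the client ends up with for a given DNS answer.

    Returns "connected" only when the certificate at the resolved IP is
    valid for the requested name; every other path is a failure that the
    client cannot, and need not, distinguish cryptographically.
    """
    if resolved_ip is NXDOMAIN:
        return "fail: NXDOMAIN"
    sans = certs_by_ip.get(resolved_ip)
    if sans is None:
        return "fail: no TLS server at %s" % resolved_ip
    if not certificate_names_host(sans, hostname):
        return "fail: certificate at %s is not valid for %s" % (resolved_ip, hostname)
    return "connected"


if __name__ == "__main__":
    host = "www.example.com"
    for label, answer in [
        ("honest resolver", "203.0.113.10"),
        ("coffee-shop resolver substitutes its own IP", "198.51.100.9"),
        ("coffee-shop resolver returns NXDOMAIN", NXDOMAIN),
        ("resolver points at an unrelated IP", "192.0.2.77"),
    ]:
        print("%-48s -> %s" % (label, https_outcome(host, answer)))
```

Only the honest answer yields "connected"; the substituted IP, the unrelated IP and the NXDOMAIN all come out as failures, which is the sense in which a wrong IP "turns into a connection failure" once the site is HTTPS-only. The example deliberately leaves out chain validation, revocation and IP-address SANs; the name check alone is enough to show why the attacker's IP buys them nothing.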