Re: [Add] fixing coffee shop brokenness with DoH
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 24 July 2019 17:32 UTC
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com> <D361E72B-3783-4E57-8F08-8B418639BB29@fugue.com> <CABcZeBP2MY3pjeZv4Q+1Kj3_GKOgVq8+OYe7im2gYvBzy=Mz7g@mail.gmail.com> <F8A56D5D-B05E-4E80-880C-60D6B550F107@fugue.com> <CABcZeBOO5yvcm=DvDjr-7v4AvVG=13Zy--j362eE0Qqp7hcRaw@mail.gmail.com> <4FC4184E-E41D-420E-A594-60ECF3CD73F1@fugue.com> <CABcZeBOjWQr1HWbGaCkpdR1S7FQUmum=by_SOYWB9OENy8Y-hA@mail.gmail.com> <7BE32238-2442-4954-B95E-1C089C8C86E7@fugue.com> <CABcZeBM8bY0bjZjgpozMULL++4v98SO-tyFnqYvG0714GqWgbw@mail.gmail.com>
In-Reply-To: <CABcZeBM8bY0bjZjgpozMULL++4v98SO-tyFnqYvG0714GqWgbw@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 24 Jul 2019 13:32:24 -0400
Message-ID: <CAH1iCioacfKVV14QcQ9zsNed2cDXVhJDY2wknaOzRsarK0GJcA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Ted Lemon <mellon@fugue.com>, Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/SovZsk_54HNEVd1354HQ5t-gUgo>
On Wed, Jul 24, 2019 at 1:15 PM Eric Rescorla <ekr@rtfm.com> wrote:

> On Wed, Jul 24, 2019 at 8:58 AM Ted Lemon <mellon@fugue.com> wrote:
>
>> There are a variety of attack scenarios to account for. DNSSEC is not
>> useful for countering a fake NXDOMAIN attack when the attacker also
>> controls the path and can prevent connection establishment.
>>
>> However, if the attacker is the resolver, and the resolver isn't under
>> the control of the path, then detecting a fake NXDOMAIN is useful.
>
> How?

Assumptions:

1. One resolver is controlled by the attacker
2. The path to the real endpoint is free from control by that same attacker
3. Any other resolver, not controlled by that same attacker, is known

If the attacker's resolver supplies a fake NXDOMAIN, which the client detects via DNSSEC, then the client sees the resolver's answer as a SERVFAIL.

The client then consults a different resolver, and gets a non-NXDOMAIN answer (validated by DNSSEC), and connects to the correct host.

Since the attacker does not control the data path to the correct host, the client's connection succeeds.

QED (useful).

Brian
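The fallback argument above, and the path-control caveat in the quoted text, as an added worked example. This is not code from the message, the ADD working group or any IETF document; it is a toy model written to make the three assumptions concrete. Real DNSSEC authenticates data with public-key RRSIG records and denies existence with NSEC/NSEC3; here the zone "signs" with an HMAC under a key the attacker-controlled resolver does not hold (an assumption made so the example runs offline), NSEC ordering is plain string order on lowercase names, and the zone contents, resolver behaviours and addresses are constructed.

```python
"""Toy model: a validating stub that treats a bogus NXDOMAIN as SERVFAIL and
falls back to another resolver. Added example; the HMAC stand-in for DNSSEC
signatures, the zone data and the resolvers are all constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Stand-in for the zone signing key; the attacker's resolver never sees it.
ZONE_KEY = b"example.com ZSK (constructed, not a real key)"

# Constructed zone. NSEC-style chain: a.example.com -> www.example.com -> (wraps).
ZONE = {"a.example.com": "192.0.2.10", "www.example.com": "192.0.2.20"}
CHAIN = sorted(ZONE)


def sign(*fields: str) -> str:
    """Zone 'signature' over a record: HMAC-SHA256 of its canonical fields."""
    return hmac.new(ZONE_KEY, "\x00".join(fields).encode(), hashlib.sha256).hexdigest()


@dataclass
class Answer:
    rcode: str                                      # NOERROR or NXDOMAIN
    qname: str
    rdata: Optional[str] = None                     # A record data for NOERROR
    sig: Optional[str] = None                       # signature over (qname, "A", rdata)
    denial: Optional[Tuple[str, str, str]] = None   # NSEC-style (owner, next, sig)


def covers(owner: str, nxt: str, name: str) -> bool:
    """Does the span (owner, next) prove that `name` does not exist? Strict
    bounds mean an existing owner name is never 'covered'; the last span wraps."""
    if owner < nxt:
        return owner < name < nxt
    return name > owner or name < nxt


def honest_resolver(qname: str) -> Answer:
    """Relays the signed zone faithfully, including signed denials."""
    if qname in ZONE:
        return Answer("NOERROR", qname, ZONE[qname], sign(qname, "A", ZONE[qname]))
    for i, owner in enumerate(CHAIN):
        nxt = CHAIN[(i + 1) % len(CHAIN)]
        if covers(owner, nxt, qname):
            return Answer("NXDOMAIN", qname, denial=(owner, nxt, sign(owner, "NSEC", nxt)))
    raise AssertionError("the chain covers every non-existent name")


def attacker_resolver(qname: str) -> Answer:
    """Attacker-controlled resolver: NXDOMAIN for everything. It cannot forge
    the zone key, so it replays a genuine signed denial it saw earlier."""
    owner, nxt = CHAIN[0], CHAIN[1]
    return Answer("NXDOMAIN", qname, denial=(owner, nxt, sign(owner, "NSEC", nxt)))


def blocked_resolver(qname: str) -> Optional[Answer]:
    """A resolver the client cannot reach because the attacker controls the path."""
    return None


def validate(ans: Answer) -> bool:
    """Secure only if the signature verifies and, for NXDOMAIN, the signed
    denial actually covers the queried name (this is what defeats a replay)."""
    if ans.rcode == "NOERROR":
        return ans.sig is not None and ans.rdata is not None and \
            hmac.compare_digest(ans.sig, sign(ans.qname, "A", ans.rdata))
    if ans.rcode == "NXDOMAIN" and ans.denial is not None:
        owner, nxt, dsig = ans.denial
        return hmac.compare_digest(dsig, sign(owner, "NSEC", nxt)) and covers(owner, nxt, ans.qname)
    return False


def lookup(qname: str, resolvers):
    """Try resolvers in order. A bogus answer becomes SERVFAIL and the client
    moves on, as does an unreachable resolver. Returns (rcode, rdata, log)."""
    log = []
    for name, resolve in resolvers:
        ans = resolve(qname)
        if ans is None:
            log.append((name, "TIMEOUT"))
            continue
        if not validate(ans):
            log.append((name, "SERVFAIL"))
            continue
        log.append((name, ans.rcode))
        return ans.rcode, ans.rdata, log
    return "SERVFAIL", None, log


def scenario_resolver_only():
    """Assumptions 1-3 hold: attacker owns one resolver, not the path or the other resolver."""
    return lookup("www.example.com", [("attacker", attacker_resolver), ("honest", honest_resolver)])


def scenario_path_controlled():
    """The quoted caveat: the attacker also controls the path, so no fallback is reachable."""
    return lookup("www.example.com", [("attacker", attacker_resolver), ("honest", blocked_resolver)])


def scenario_genuine_nxdomain():
    """A real NXDOMAIN with a valid covering denial is accepted, not treated as an attack."""
    return lookup("nope.example.com", [("honest", honest_resolver)])
```

`scenario_resolver_only` reproduces the message's sequence: the replayed denial carries a genuine signature but does not cover www.example.com, so the validator marks it bogus, the client logs SERVFAIL for that resolver and gets a validated NOERROR from the next one. `scenario_path_controlled` shows the limit the quoted text raises: when the other resolver is unreachable the client ends with SERVFAIL, so DNSSEC has turned a silent misdirection into a visible failure but cannot by itself complete the connection.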