Re: [Add] fixing coffee shop brokenness with DoH
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 24 July 2019 14:33 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FED912031A for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 07:33:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6wAE2aNHxj0P for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 07:33:36 -0700 (PDT)
Received: from mail-ua1-x92a.google.com (mail-ua1-x92a.google.com [IPv6:2607:f8b0:4864:20::92a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74C43120318 for <add@ietf.org>; Wed, 24 Jul 2019 07:33:36 -0700 (PDT)
Received: by mail-ua1-x92a.google.com with SMTP id j21so18552100uap.2 for <add@ietf.org>; Wed, 24 Jul 2019 07:33:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6L+0Zm8e1dowKVynUGk7cQpfAOKTPEiVTOZSwyzT9GM=; b=pKiG8mNBUcAl5pvZcZkDZ2tBv4xcuK5XAiKSMKXZjUmTmRlJcMbZOIJDs/ByZYwpkP N3U6ht8VbRBwOyR0kjuzwOc0g1RYV+AG1ZuAqvXhj9IjRpM1V1PhavwodgNlAJqvHuit INmEJV29owwn57rIZ23Ggr+vzB8YQVEmLhHQ5wdxvaVLQJItaK5FSe6ez1aq+JB2wW9J Ny59P6qzP/F60yJm0nDKvTA5LSPGPmJZM3BNFJu2Kqd8NHMJl8M25l2Sc5KIqfWjOSnP wSGXmUqsKBxLRggoe8beeyEE+tzfWNs+KUeF2UxnRtTVdFGB2BpvxwzqNtT7kGTNo/U6 j6FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6L+0Zm8e1dowKVynUGk7cQpfAOKTPEiVTOZSwyzT9GM=; b=FeJQIOY0p4nOX68OTuLh1J0FOP5P5FaETSVK0gUp6GEC5LwTfnLQToe2cPwqK+GkXQ h705ma6/EvehQgg1NS+L2hfbYkcfGOCx380DnR7EqvzHZN+S5lc52DnaP7f4dUL8v9hc GxGndhREsDGInUTqw8XZ0pXxUIAQepiO4NpHzWaWfePn5F1MpYNpQz+LihxSNuHEhvjb Q0fsyMV9i+MFk9MQlwm76Qssm14JQJnvp+PKpawb7fgQ1xClHn5PXh7rj6hKi1x/2kFe cguREQg+wgsNK4WFSfmVBshmfr9Xg8jffcJBTXLYBJziCz8o7qm/kENYwnuXTYC9UbmP P/LA==
X-Gm-Message-State: APjAAAWVbtb/MlTjiJ6fkJQiYHJGs3pFgFg7kVQ8T1a8ZXNvVhEd4mOF Vrr+PJrhigauZ1/rshBWOpo67knaq+u7YKnOY49jkhumlLM=
X-Google-Smtp-Source: APXvYqzwZxBXpTY90PhUhDk2qT/lZ6qwrxZnKdbEbZC2zm1sHrxtKaajLcmdq2mJ9C50g9J5FFGjqPINcZNWNYB414g=
X-Received: by 2002:ab0:168a:: with SMTP id e10mr5959748uaf.87.1563978815586; Wed, 24 Jul 2019 07:33:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com>
In-Reply-To: <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 24 Jul 2019 10:33:23 -0400
Message-ID: <CAH1iCipMB_1mMC1ecbtSWNt4gKJie43LAETHFD59xkNMrjPdvA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Ted Lemon <mellon@fugue.com>, Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000bd4887058e6e311d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/gHmR7lW0ggwfTWtcNlwrEn1T2sk>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 14:33:43 -0000
On Wed, Jul 24, 2019 at 9:15 AM Eric Rescorla <ekr@rtfm.com> wrote: > > > On Wed, Jul 24, 2019 at 3:54 AM Ted Lemon <mellon@fugue.com> wrote: > >> On Jul 24, 2019, at 6:40 AM, Eric Rescorla <ekr@rtfm.com> wrote: >> >> In many cases, whether you are being told the truth by your recursive >> resolver is a less interesting property than whether you can get the >> correct answer. For instance, if the recursive resolver replaces the A >> record you want with NXDOMAIN even if you know that it's done so, you're >> still blocked from going where you wanted to go. >> >> However, even if you are not blocked, without DNSSEC you do not know that >> the resolver gave you the right answer. So ideally you want both: not to >> be blocked, and also to be able to validate the result you got. >> > > Well, this is true, but in the Web context, as we move towards 100% HTTPS, > the importance of getting the right IP starts to decrease quite a bit: if > you get the wrong IP address, then this turns into a connection failure. > > -Ekr > This is an important assertion that requires refutation: this is incorrect. The importance of the correct IP is essential, because of the relatively weak system under which TLS certificates are (or can be) issued. While individual CAs may be extremely trustworthy, there has been instances of other CAs (retrospectively discovered as being untrustworthy) issuing TLS certificates to parties other than the domain owner. This is why DNSSEC, and DANE, are an important mechanism available for strengthening certificate/browser security. DANE allows domain owners to securely link a specific CA or specific certificate to a domain name. Only with DNSSEC and DANE, is it true that the IP address being wrong would a connection failure be guaranteed to occur. That is, in fact, one of the underpinnings for why bad actors have an interest in altering DNS caches to provide forged IP addresses. Thus, I assert that not only is DANE not strictly orthogonal, it is an essential part of securing the web, along with DNSSEC. This is true even in a 100% HTTPS environment. The security of DNS as provided by DNSSEC is both orthogonal to, and more important than, the privacy of DNS recursive queries, when it to achieving that 100% HTTPS environment. Brian
- [Add] meeting hum: should the IETF take up this w… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Michael Sinatra
- Re: [Add] meeting hum: should the IETF take up th… Tommy Jensen
- Re: [Add] meeting hum: should the IETF take up th… Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… STARK, BARBARA H
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Reed, Jon
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Tommy Jensen
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Tommy Jensen
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Tommy Jensen
- Re: [Add] fixing coffee shop brokenness with DoH Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Alec Muffett
- Re: [Add] fixing coffee shop brokenness with DoH sthaug
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Brett Carr
- Re: [Add] fixing coffee shop brokenness with DoH Joseph Lorenzo Hall
- Re: [Add] fixing coffee shop brokenness with DoH Lars Eggert
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Diego R. Lopez
- Re: [Add] fixing coffee shop brokenness with DoH Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Joseph Lorenzo Hall
- Re: [Add] fixing coffee shop brokenness with DoH Bret Jordan
- Re: [Add] fixing coffee shop brokenness with DoH Joseph Lorenzo Hall
- Re: [Add] fixing coffee shop brokenness with DoH chris.box
- Re: [Add] fixing coffee shop brokenness with DoH Vittorio Bertola
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Vittorio Bertola
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Joseph Lorenzo Hall
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Diego R. Lopez
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Tony Finch
- [Add] Trust and control on the Internet (was Re: … Vittorio Bertola
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] Trust and control on the Internet (was … Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… Stephane Bortzmeyer
- Re: [Add] meeting hum: should the IETF take up th… Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] Trust and control on the Internet (was … Andrew Campling
- Re: [Add] Trust and control on the Internet (was … Andrew Campling
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Michael Richardson
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Ted Lemon
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Michael Richardson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Stephane Bortzmeyer
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH chris.box
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Rob Sayre
- Re: [Add] fixing coffee shop brokenness with DoH Petr Špaček
- Re: [Add] meeting hum: should the IETF take up th… Neil Cook
- Re: [Add] fixing coffee shop brokenness with DoH Normen Kowalewski
- Re: [Add] fixing coffee shop brokenness with DoH Joe Abley
- Re: [Add] fixing coffee shop brokenness with DoH Normen Kowalewski
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Paul Ebersman
- Re: [Add] fixing coffee shop brokenness with DoH Jim Reid
- Re: [Add] fixing coffee shop brokenness with DoH Petr Špaček
- Re: [Add] meeting hum: should the IETF take up th… Adam Roach
- Re: [Add] meeting hum: should the IETF take up th… Neil Cook
- Re: [Add] fixing coffee shop brokenness with DoH Paul Ebersman
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] fixing coffee shop brokenness with DoH Paul Ebersman
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Vittorio Bertola
- Re: [Add] fixing coffee shop brokenness with DoH Paul Wouters
- Re: [Add] fixing coffee shop brokenness with DoH Michael Richardson
- Re: [Add] fixing coffee shop brokenness with DoH Brian Dickson
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Andrew Campling
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Adam Roach
- Re: [Add] meeting hum: should the IETF take up th… Stephen Farrell
- Re: [Add] meeting hum: should the IETF take up th… Adam Roach
- Re: [Add] fixing coffee shop brokenness with DoH Andrew Campling
- Re: [Add] fixing coffee shop brokenness with DoH Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Andrew Campling
- Re: [Add] meeting hum: should the IETF take up th… Vittorio Bertola
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Ben Schwartz
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Stephen Farrell
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Stephen Farrell
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Michael Richardson
- Re: [Add] meeting hum: should the IETF take up th… Vittorio Bertola
- Re: [Add] meeting hum: should the IETF take up th… Valentin Gosu
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Livingood, Jason
- Re: [Add] meeting hum: should the IETF take up th… Paul Ebersman
- Re: [Add] meeting hum: should the IETF take up th… Rob Sayre
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Diego R. Lopez
- Re: [Add] meeting hum: should the IETF take up th… Eric Rescorla
- Re: [Add] meeting hum: should the IETF take up th… Eric Orth
- Re: [Add] meeting hum: should the IETF take up th… Diego R. Lopez
- Re: [Add] meeting hum: should the IETF take up th… Thomas Peterson
- Re: [Add] meeting hum: should the IETF take up th… Jim Reid
- Re: [Add] meeting hum: should the IETF take up th… Livingood, Jason
- Re: [Add] meeting hum: should the IETF take up th… Tommy Jensen
- Re: [Add] meeting hum: should the IETF take up th… Ólafur Guðmundsson
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Jacques Latour
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Joe Abley
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Ralf Weber
- [Add] point of deploying DoH in access network (R… 神明達哉
- Re: [Add] point of deploying DoH in access networ… Joe Abley
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Eric Orth
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Christian Huitema
- Re: [Add] [EXT] Re: meeting hum: should the IETF … Mikael Abrahamsson
- Re: [Add] point of deploying DoH in access networ… Tony Finch
- Re: [Add] point of deploying DoH in access networ… Robert Mortimer
- Re: [Add] point of deploying DoH in access networ… Alec Muffett
- Re: [Add] point of deploying DoH in access networ… Ted Lemon
- Re: [Add] point of deploying DoH in access networ… Simon Hicks
- Re: [Add] point of deploying DoH in access networ… Vladimír Čunát