Re: [Add] fixing coffee shop brokenness with DoH

Ted Lemon <mellon@fugue.com> Wed, 24 July 2019 10:54 UTC

From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com>
Date: Wed, 24 Jul 2019 06:54:11 -0400
Cc: Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Message-Id: <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com>
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/nrUzstw9STvqVrqa5oMNNJE0tDo>

On Jul 24, 2019, at 6:40 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> In many cases, whether you are being told the truth by your recursive resolver is a less interesting property than whether you can get the correct answer. For instance, if the recursive resolver replaces the A record you want with NXDOMAIN even if you know that it's done so, you're still blocked from going where you wanted to go.

However, even if you are not blocked, without DNSSEC you do not know that the resolver gave you the right answer. So ideally you want both: not to be blocked, and also to be able to validate the result you got.

I know you already know this but I want to make it explicit because I’ve seen at least one person on this thread say that with DoH, DNSSEC isn’t needed.
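The two properties the exchange above separates, "did I get blocked" and "can I trust the answer I got", are visible in different parts of a DNS response: the RCODE tells a stub whether it was handed NXDOMAIN, and the AD (Authenticated Data) flag is the resolver's claim that it validated the answer with DNSSEC. The following is an added illustration, not code from Ted's message or anything in the thread: it builds a few constructed wire-format responses (documentation name `example.com` and the 192.0.2.0/24 documentation range, all made up here), parses the header and answer section with only the standard library, and classifies each response. The classification only reports what the stub can tell from the message; a resolver that sets AD is making an assertion, and a stub that has no authenticated channel to it (or does not do its own RRSIG validation) has no independent way to confirm that assertion, which is the point of the reply.

```python
import struct

# Second flags byte (RFC 1035 / RFC 4035): RA=0x80, Z=0x40, AD=0x20, CD=0x10, RCODE=low 4 bits.
AD_MASK = 0x0020
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. example.com -> \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qid, qname, rcode, ad, addresses):
    """Construct a minimal A-record response (constructed test data, not a capture).

    QR=1, RD=1, RA=1; the AD bit is set only when `ad` is true.  Each answer
    uses a compression pointer (0xC00C) back to the question name at offset 12.
    """
    flags = 0x8180 | (AD_MASK if ad else 0) | (rcode & RCODE_MASK)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, off):
    """Decode a (possibly compressed) name starting at `off`; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_response(msg):
    """Return the response id, RCODE, AD flag and any A-record addresses."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):            # skip the question section
        _, off = read_name(msg, off)
        off += 4                        # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {
        "id": qid,
        "rcode": flags & RCODE_MASK,
        "ad": bool(flags & AD_MASK),
        "answers": addrs,
    }


def classify(msg):
    """What a stub can conclude from the response alone.

    "blocked":     NXDOMAIN; whether or not it is true, you are not getting there.
    "no-answer":   some other error or an empty answer section.
    "validated":   the resolver asserts it DNSSEC-validated the answer (AD set).
    "unvalidated": an answer with no validation claim; without DNSSEC you cannot
                   tell whether it is the right one.
    """
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        return "blocked"
    if r["rcode"] != RCODE_NOERROR or not r["answers"]:
        return "no-answer"
    return "validated" if r["ad"] else "unvalidated"


if __name__ == "__main__":
    # Constructed sample responses for the same query, as three resolvers might return them.
    samples = {
        "validating resolver": build_response(0x1234, "example.com", RCODE_NOERROR, True, ["192.0.2.1"]),
        "plain resolver":      build_response(0x1235, "example.com", RCODE_NOERROR, False, ["192.0.2.1"]),
        "filtering resolver":  build_response(0x1236, "example.com", RCODE_NXDOMAIN, False, []),
    }
    for label, msg in samples.items():
        print(f"{label:20s} -> {classify(msg)}  {parse_response(msg)}")
```

Note that "validated" here is only the resolver's word: the AD bit is carried in a plain-text UDP/TCP header unless the stub talks to the resolver over an authenticated transport such as DoH or DoT, and even then it only tells the stub that this resolver believes the chain checked out. Doing the RRSIG/DNSKEY/DS validation in the stub is what removes the need to trust the resolver's claim, which is why the reply says you want both properties, not one or the other.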