IETF Logo Mail Archive

Re: [Add] fixing coffee shop brokenness with DoH

Rob Sayre <sayrer@gmail.com> Wed, 24 July 2019 02:08 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6A331209C7 for <add@ietfa.amsl.com>; Tue, 23 Jul 2019 19:08:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJb8EVTL9_YN for <add@ietfa.amsl.com>; Tue, 23 Jul 2019 19:08:06 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8DC912008C for <add@ietf.org>; Tue, 23 Jul 2019 19:08:05 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id h6so86149734iom.7 for <add@ietf.org>; Tue, 23 Jul 2019 19:08:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=J9R1Hkx63zAaMP6i5TAGclXbEmoRGeJgJ0l/RFbvhrU=; b=V/a5bsmJVRzPkbp9qk+uNEv80eW9Nf0YhSq+AeIolTsyMCibo5BXGXcu0/mx11vnwV P4tFpLMcgL7Sna8R6oYzvBNXP+RmmGugiHHqUurTwB1KTq2NW6CI2B6KQLxy5o9X5LB/ absnW60m71VuGFoOAI/k7dD2MkXKtwsOkYVMhFXJTtpRZTMxNFAF2UNDYd0q1RHNMHvP x3WcEIgMX6t6VniFQGSzBqI7UjElbxuTOlD6NxXKQkombrpF0ol7/6uFWpg46NskU8zb zuMRIOk9UCWHIR/0apo0Db/At0TwmbwI6j165kjyeqsE94iGpvi8pZy1TmSEggZzbUgU 4cKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=J9R1Hkx63zAaMP6i5TAGclXbEmoRGeJgJ0l/RFbvhrU=; b=pR18FWreslwYhVITB5rguY+HSv6qKdaUe5BXDA/tQPjwM/sMDfwYKQEjIPhl1Q5QX/ Ziu2G7DO5PYYwBVj4jIYFdqJys8Phnvze7s4HH4qf93uMWcaheD34Eg+CKF43zJxz+QJ jSnKdBLgCeV2GToRTzYP2pIWh6mfs3bX6pMWcAPfnfrVZRH41+1QSfvv5eb1Wj3uCtdz 5q7nJ/Rsz+i/pcWKF7yiUzU/Ynq6LRMw3pnF/l6/vyWNKx0MIDiQbkdnBYluMO1Jy5iS LuhJ2LTNFWd22kDtaqd9HgcvNune2GMV/uongT7vhe/fRsCDdXeH1X/Evs5VDORfxvU9 2Hyg==
X-Gm-Message-State: APjAAAW8kXuYG6D5j8Hn68wxdjQhSYaGDRJMfYJ8FKdp/ns/T0Ph9lG/ /h4/8LlPzmqU56p8l8VwNKBrbma9HxmQeEZMdnHkAHdsXu4=
X-Google-Smtp-Source: APXvYqyzfEeASBANveQ/U4suS3iv8vo6DDU1OEKszEZ5P5nEN0x3g6Eq9utwaZ/Xrx1rX6BwG21wT34J+xRM8krGuJw=
X-Received: by 2002:a05:6638:303:: with SMTP id w3mr28332922jap.103.1563934084961; Tue, 23 Jul 2019 19:08:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com>
In-Reply-To: <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 23 Jul 2019 19:07:53 -0700
Message-ID: <CAChr6SzvUZS4Ru_SttiZgWtjwBuLrzc_fdewq9w-Ts+Rq_oNHw@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000961b61058e63c7b9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/rYJBY7WvXR6lnZSwl9EnM-wV-NM>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 02:08:08 -0000

On Tue, Jul 23, 2019 at 6:50 PM Jim Reid <jim@rfc1035.com> wrote:

> It didn't/doesn't take or need DoH (or DoT) to fix that problem.
>

DNS has had 31 years to fix the problem. It's still just unencrypted coffee
shop traffic, right?


> Though of course I'm glad we've got DoT and DoH as new weapons in the
> on-going security arms race.
>

That's not clear to me.


> BTW, using DoH or DoT in the above scenario doesn't necessarily make
> things "secure". It just changes the security landscape by swapping one set
> of concerns for another. A cynic (or realist) would say they'd just
> replaced one DNS resolver they probably didn't/shouldn't trust to another
> that isn't necessarily more trustworthy.


It does avoid a variety of local attacks.


> Unless DNSSEC validation is used
>

Uh, no.

thanks,
Rob

v2.23.0 | Report a Bug | By Email