[Add] data integrity and DNSSEC or DoH/DoT

Jim Reid <jim@rfc1035.com> Wed, 21 August 2019 21:43 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7F4C120086 for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 14:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id alnlbRspbCzU for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 14:43:42 -0700 (PDT)
Received: from shaun.rfc1035.com (shaun.rfc1035.com [93.186.33.42]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EB0412001E for <add@ietf.org>; Wed, 21 Aug 2019 14:43:42 -0700 (PDT)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 635952421481; Wed, 21 Aug 2019 21:43:40 +0000 (UTC)
From: Jim Reid <jim@rfc1035.com>
Message-Id: <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_9C95AF30-DF62-43A3-8F5A-7C1AA52F4527"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 21 Aug 2019 22:43:39 +0100
In-Reply-To: <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie>
Cc: ADD Mailing list <add@ietf.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/vEpkYDDTiCVREzL4vS3xKwhrFdU>
Subject: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 21:43:46 -0000


> On 21 Aug 2019, at 22:13, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> IMO you're both right but not quite using super-precise terminology:-)
> 
> ...
> 
> So yep, both give data integrity, just differently.

If we’re being super-precise, that’s not quite right either Stephen. :-)

DNSSEC and DoH/DoT are not different paths to the same end goal of data integrity. They provide different flavours of data integrity.

DNSSEC validation means you get the truth, the whole truth and nothing but the truth regardless of your choice of resolver or the transport path between you and that resolver. DoH and DoT offer no protection at all from a lying resolver - you’re just guaranteed to receive precisely whatever lies or truth that resolver sends. So in effect you somehow decide to “trust” a TRR and hope for the best. In some cases, that may well be good enough. In others, perhaps not.
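The distinction Jim draws above (origin integrity from DNSSEC versus channel integrity from DoT/DoH) can be shown with a small model. This is an added example, not code from the message or from any IETF document. It models the zone's RRSIG as an Ed25519 signature over a canonical RRset (Ed25519 is one of DNSSEC's registered signing algorithms) and the DoT/DoH transport protection as an HMAC under a session key shared by client and resolver (a stand-in for TLS record integrity, not a TLS implementation). The names, the RRset encoding and the hypothetical `honestResolver`/`lyingResolver` functions are constructed for illustration; the 192.0.2.0/24 and 203.0.113.0/24 addresses are documentation ranges.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// rrsetBytes builds a constructed canonical form of a one-record A RRset.
// Real DNSSEC canonicalises wire-format RRs; this string form is a stand-in.
func rrsetBytes(name, addr string) []byte {
	return []byte(name + " IN A " + addr)
}

// ZoneKey stands in for a zone's DNSSEC signing key. Only the zone holds priv;
// the validator only ever needs Pub (as it would from the DNSKEY RRset).
type ZoneKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZoneKey() (ZoneKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ZoneKey{}, err
	}
	return ZoneKey{Pub: pub, priv: priv}, nil
}

// Sign produces the RRSIG-like signature: integrity bound to the data's origin.
func (z ZoneKey) Sign(rrset []byte) []byte { return ed25519.Sign(z.priv, rrset) }

// Answer is what the client receives from a resolver: the RRset, the zone's
// signature over it, and the channel MAC (stand-in for DoT/DoH TLS integrity).
type Answer struct {
	RRset      []byte
	RRSIG      []byte
	ChannelMAC []byte
}

func concat(a, b []byte) []byte {
	out := make([]byte, 0, len(a)+len(b))
	return append(append(out, a...), b...)
}

// channelMAC models the transport integrity a TLS session gives DoT/DoH:
// it proves the bytes came unmodified from the resolver, nothing more.
func channelMAC(sessionKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(msg)
	return m.Sum(nil)
}

// honestResolver forwards the zone's RRset and RRSIG untouched.
func honestResolver(sessionKey, rrset, rrsig []byte) Answer {
	return Answer{rrset, rrsig, channelMAC(sessionKey, concat(rrset, rrsig))}
}

// lyingResolver substitutes its own RRset. It holds the session key, so it
// recomputes a valid channel MAC, but it cannot produce a valid RRSIG.
func lyingResolver(sessionKey, rrsig []byte, name, forgedAddr string) Answer {
	forged := rrsetBytes(name, forgedAddr)
	return Answer{forged, rrsig, channelMAC(sessionKey, concat(forged, rrsig))}
}

// channelOK is the DoT/DoH-style check: did these bytes come from my resolver?
func channelOK(sessionKey []byte, a Answer) bool {
	return hmac.Equal(channelMAC(sessionKey, concat(a.RRset, a.RRSIG)), a.ChannelMAC)
}

// dnssecOK is the validating-resolver/stub check: did the zone sign this data?
func dnssecOK(pub ed25519.PublicKey, a Answer) bool {
	return ed25519.Verify(pub, a.RRset, a.RRSIG)
}

// Outcome records both checks against both resolvers.
type Outcome struct{ HonestChannel, HonestDNSSEC, LyingChannel, LyingDNSSEC bool }

func RunScenario() (Outcome, error) {
	zone, err := NewZoneKey()
	if err != nil {
		return Outcome{}, err
	}
	sessionKey := make([]byte, 32) // constructed per-connection key
	if _, err := rand.Read(sessionKey); err != nil {
		return Outcome{}, err
	}
	rrset := rrsetBytes("www.example.", "192.0.2.1")
	rrsig := zone.Sign(rrset)
	honest := honestResolver(sessionKey, rrset, rrsig)
	lying := lyingResolver(sessionKey, rrsig, "www.example.", "203.0.113.99")
	return Outcome{
		HonestChannel: channelOK(sessionKey, honest),
		HonestDNSSEC:  dnssecOK(zone.Pub, honest),
		LyingChannel:  channelOK(sessionKey, lying),
		LyingDNSSEC:   dnssecOK(zone.Pub, lying),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest resolver: channel ok=%v  dnssec ok=%v\n", o.HonestChannel, o.HonestDNSSEC)
	fmt.Printf("lying resolver:  channel ok=%v  dnssec ok=%v\n", o.LyingChannel, o.LyingDNSSEC)
}
```

Running it shows the asymmetry in the message: the forged answer passes the channel check (the resolver is the legitimate endpoint of the session, so it can always MAC whatever it chooses to send) while it fails signature validation, because only the zone can sign. A client that relies on DoT/DoH alone is therefore trusting the resolver's honesty; a client that validates DNSSEC detects substitution from any resolver or path.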