Re: [DNSOP] extension of DoH to authoritative servers
"zuopeng@cnnic.cn" <zuopeng@cnnic.cn> Thu, 14 February 2019 06:36 UTC
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/20NkP0rrrXczN-looTkwEQhUCTY>
I think both DNSSEC and DoH (or DoT) can protect DNS data; the fundamental point is to establish the trust chain and transit trust. Regarding the case "secondary name servers managed by a different organisation", the servers can publish several TLSAs to distinguish them. This idea is just a sketch model and provides another option for DNS security and privacy. Transiting trust is hard but may be accomplished in the future. The deployment of DNSSEC also takes a long time and is still in progress.

zuopeng@cnnic.cn

From: Stephane Bortzmeyer
Date: 2019-02-13 21:44
To: zuopeng@cnnic.cn
CC: dnsop; Paul Wouters
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Wed, Feb 13, 2019 at 02:03:26PM +0800, zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote a message of 103 lines which said:

> that's true. but in my view, if the trust chain is built, we can
> ensure a resolver (or a cache) is always talking to an identified
> server and the channel is always secure, then the content could not
> be tampered.

Several emails already mentioned cases where it is not true (relaying through a forwarder - transitive trust is hard - or secondary name servers managed by a different organisation - a common use case).
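As an added illustration of the "publish several TLSAs" sketch in the message above (example code, not from the thread or any of its participants): the TLSA RRset under one owner name carries one 3 1 1 record per operator's key, and a resolver accepts the presented SubjectPublicKeyInfo if any record vouches for it. The SPKI byte strings and the owner name are constructed placeholders, and DNSSEC validation of the RRset is assumed to happen before this check.

```python
import hashlib
import hmac
from typing import List, Optional

# TLSA parameters (RFC 6698): usage 3 = DANE-EE (the server key itself is the anchor),
# selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256 of the selected data.
DANE_EE, SEL_SPKI, MATCH_SHA256 = 3, 1, 1
PARAMS = bytes([DANE_EE, SEL_SPKI, MATCH_SHA256])

# Constructed stand-ins for the DER SubjectPublicKeyInfo of each operator's TLS key;
# real values would be extracted from the servers' certificates.
PRIMARY_SPKI = b"constructed-spki-of-zone-owner-primary-key"
SECONDARY_SPKI = b"constructed-spki-of-other-org-secondary-key"
ROGUE_SPKI = b"constructed-spki-never-published-in-dns"

def tlsa_rdata(spki: bytes) -> bytes:
    """Wire-format TLSA rdata: usage, selector, matching type, then the SPKI digest."""
    return PARAMS + hashlib.sha256(spki).digest()

def tlsa_present(rdata: bytes) -> str:
    """Zone-file presentation format, e.g. '3 1 1 <64 hex chars>'."""
    return f"{rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"

def tlsa_parse(text: str) -> bytes:
    """Inverse of tlsa_present(): parse '3 1 1 <hex>' back to wire format."""
    usage, selector, mtype, data = text.split()
    return bytes([int(usage), int(selector), int(mtype)]) + bytes.fromhex(data)

def dane_match(presented_spki: bytes, rrset: List[bytes]) -> Optional[bytes]:
    """Return the TLSA record vouching for the presented key, or None if no record does.
    Records with other usage/selector/matching-type values are skipped, not trusted.
    The rrset must come from a DNSSEC-validated answer (RFC 6698); that is done elsewhere.
    """
    digest = hashlib.sha256(presented_spki).digest()
    for rr in rrset:
        if len(rr) != len(PARAMS) + 32 or rr[:3] != PARAMS:
            continue
        if hmac.compare_digest(rr[3:], digest):
            return rr
    return None

# One record per operator, published under the same (constructed) owner name.
RRSET = [tlsa_rdata(PRIMARY_SPKI), tlsa_rdata(SECONDARY_SPKI)]

if __name__ == "__main__":
    for rr in RRSET:
        print("_443._tcp.ns.example. IN TLSA", tlsa_present(rr))
    print("secondary accepted:", dane_match(SECONDARY_SPKI, RRSET) is not None)
    print("rogue accepted:", dane_match(ROGUE_SPKI, RRSET) is not None)
```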