Re: [DNSOP] extension of DoH to authoritative servers

Thu, 14 February 2019 06:36 UTC

Date: Thu, 14 Feb 2019 14:36:14 +0800
To: Stephane Bortzmeyer <>
Cc: dnsop <>, Paul Wouters <>

I think both DNSSEC and DoH (or DoT) can protect DNS data; the fundamental point is to establish the trust chain and transit trust. Regarding the case "secondary name servers managed by a different organisation", the servers can publish several TLSAs to distinguish them.

This idea is just a sketch model and provides another option for DNS security and privacy. Transiting trust is hard but may be accomplished in the future. The deployment of DNSSEC also takes a long time and is still in progress.

From: Stephane Bortzmeyer
Date: 2019-02-13 21:44
CC: dnsop; Paul Wouters
Subject: Re: [DNSOP] extension of DoH to authoritative servers
On Wed, Feb 13, 2019 at 02:03:26PM +0800, <> wrote 
a message of 103 lines which said:
> that's true. but in my view, if the trust chain is built, we can
> ensure a resolver (or a cache) is always talking to an identified
> server and the channel is always secure, then the content could not
> be tampered.
Several emails already mentioned cases where it is not true (relaying
through a forwarder - transitive trust is hard - or secondary name
servers managed by a different organisation - a common use case).
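As an added illustration of the "several TLSAs" point in the reply above (example code, not from anyone in the thread): a resolver-side check that matches the key a DoT/DoH-capable authoritative server presents against the zone's TLSA RRset, so servers run by the primary and by a secondary operator are told apart. The SPKI byte strings, the operator labels and the function names are constructed for the example; real records would hash the DER SubjectPublicKeyInfo of the server certificate.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional
@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE: trust the server's own end-entity key
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo (SPKI)
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data
    @classmethod
    def parse(cls, rdata: str) -> "TLSA":
        # Zone-file presentation format, e.g. "3 1 1 <hex digest>"
        usage, selector, mtype, hexdata = rdata.split(maxsplit=3)
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex(hexdata.replace(" ", "")))

def _digest(mtype: int, data: bytes) -> bytes:
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported TLSA matching type {mtype}")

def tlsa_for_spki(spki_der: bytes, mtype: int = 1) -> str:
    """RDATA an operator publishes for its own server key (usage 3, selector 1)."""
    return f"3 1 {mtype} {_digest(mtype, spki_der).hex()}"

def match_tlsa(rrset: List[TLSA], spki_der: bytes) -> Optional[int]:
    """Index of the RRset record the presented SPKI matches, or None if none does."""
    for i, rec in enumerate(rrset):
        if rec.usage != 3 or rec.selector != 1:
            continue  # other usages also need PKIX chain validation; out of scope here
        if _digest(rec.mtype, spki_der) == rec.data:
            return i
    return None

# Constructed stand-ins for the DER SubjectPublicKeyInfo of each operator's key.
SPKI_ORG_A = b"constructed-spki-primary-operator"
SPKI_ORG_B = b"constructed-spki-secondary-operator"
OPERATORS = ["org-a", "org-b"]
# The zone's TLSA RRset: each organisation publishes a record for its own server.
RRSET = [TLSA.parse(tlsa_for_spki(SPKI_ORG_A)),
         TLSA.parse(tlsa_for_spki(SPKI_ORG_B, mtype=2))]

def identify_operator(spki_der: bytes) -> Optional[str]:
    """Which organisation's server presented this key; None means refuse the session."""
    idx = match_tlsa(RRSET, spki_der)
    return OPERATORS[idx] if idx is not None else None
```

A key matching no record yields None, which is the case where the resolver must not trust the channel regardless of how the TLS handshake itself completed.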