Re: [DNSOP] [External] Re: Fwd: [Add] new draft: draft-grover-add-policy-detection-00
"Andrew M. Hettinger" <AHettinger@Prominic.NET> Mon, 15 July 2019 16:54 UTC
In-Reply-To: <CAChr6SyM3LSgAdu5+SJGq-n=+AZc7M44BVSru_EZgf9svBHo3w@mail.gmail.com>
References: <CAChr6SyVmgMpD6Cd=m2Z03nts-Bv9ZVgJkG8oaj_jzwYMUZuCg@mail.gmail.com> <4966582.gC1Lsr5W4Z@linux-9daj> <CAChr6SyapDz8ZKNU8nOuncPMWajBuE+eF3WMFP9GWAs+B-uP9g@mail.gmail.com> <3220557.rvQTihJl8x@linux-9daj> <CAChr6SyM3LSgAdu5+SJGq-n=+AZc7M44BVSru_EZgf9svBHo3w@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: dnsop@ietf.org, DNSOP <dnsop-bounces@ietf.org>, Paul Vixie <paul@redbarn.org>
Message-ID: <OF8D4BE6E1.0CDB3E8E-ON86258438.005BC3BC-86258438.005CDBC6@prominic.net>
From: "Andrew M. Hettinger" <AHettinger@Prominic.NET>
Date: Mon, 15 Jul 2019 11:54:14 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/92MupdndGX5QA6tibobs0KUT9vQ>
Subject: Re: [DNSOP] [External] Re: Fwd: [Add] new draft: draft-grover-add-policy-detection-00
"DNSOP" <dnsop-bounces@ietf.org> wrote on 07/14/2019 21:17:04:

> From: "Rob Sayre" <sayrer@gmail.com>
> To: "Paul Vixie" <paul@redbarn.org>
> Cc: dnsop@ietf.org
> Date: 07/14/2019 21:17
> Subject: [External] Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00
> Sent by: "DNSOP" <dnsop-bounces@ietf.org>
>
> On Sun, Jul 14, 2019 at 6:59 PM Paul Vixie <paul@redbarn.org> wrote:
>> the web community caught wind of it and threw a Molotov cocktail into our
>> movie theater -- DoH.
>>
>> changing DNS isn't quick or easy or cheap -- it's the trifecta of "fast, good,
>> or cheap, choose two" and you have to say "i choose none of the above."
>
> I'm surprised that you seem to view DoH as a problem. I mean, everyone knows
> that TLS and IPSEC are compromised by determined attackers, but I didn't know
> it was a continued sore spot. If you have more to say, I would like to hear it.
>
> thanks,
> Rob

I don't know how you could possibly be genuinely surprised by this. I've been lurking on here for a year, and Paul's been railing on this the entire time.

As far as I can tell, his position has been that DoT strikes the right balance between network management and security, while DoH abandons the network management ability for no real gain in security. Arguably there's actually a decrease in security over DoT as, rather than your network provider being the one who knows what DNS lookups you're doing, it's now some third party with whom you have no relationship.

Let's be clear, "some third party" is pronounced "Cloudflare." This isn't to bash on Cloudflare, but everyone's DNS traffic going to ONE company? That's the NSA's wet dream.

Furthermore, it doesn't even achieve the goal; as Paul points out, he's just going to require all TLS traffic go through his proxy so he can do all the same DNS inspection/denial that he did before. Again, decreased security.

Andrew Hettinger
http://Prominic.NET
Tel: 866.339.3169 (toll free) -or- 1.217.356.2888 x. 110 (int'l)
Fax: 866.372.3356 (toll free) -or- 1.217.356.3356 (int'l)