Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Ted Lemon <mellon@fugue.com> Tue, 19 March 2019 13:10 UTC

From: Ted Lemon <mellon@fugue.com>
To: Eliot Lear <lear@cisco.com>
Cc: DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>
Date: Tue, 19 Mar 2019 09:10:31 -0400
In-Reply-To: <A6C66F6C-2663-4AF0-B318-04CE66129D14@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BW_hDelS1JxJQaC1U1jVf9oGDaE>

On Mar 19, 2019, at 3:50 AM, Eliot Lear <lear@cisco.com> wrote:
> It might also be possible to whitelist ANSWERs into iptables. I wrote the code for that for a dnscap plugin some years ago, and you could even play with it if you want (it’s on GitHub), but I’m not suggesting it’s a good general answer (it was intended for a very specific use case involving relatively few domains for (hopefully cooperating) IoT devices).  As you point out, it won’t tackle shared IP addresses, and quite frankly, little CPE gear won’t scale with a gazillion iptables entries (I’m not sure big gear would either).

Link?
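The answer-whitelisting approach the quoted message describes, as an added example that is not Eliot Lear's dnscap plugin nor any code from this thread: it parses DNS responses from wire format, emits ipset entries (with a timeout tied to the record TTL) only for A answers whose owner name is on an allow-list, and reports the shared-address case the message points to, where one IP is answered for both an allowed and a non-allowed name. The allow-list names, the sample addresses, the set name and the responses themselves are constructed for the example.

```python
"""Whitelist DNS A answers into a firewall set (added example, not from the thread)."""
import struct
from dataclasses import dataclass

# Constructed allow-list: only answers for these owner names become firewall entries.
ALLOWED_NAMES = {"updates.example.net.", "telemetry.example.org."}
SETNAME = "dns-allow"  # assumed ipset name
# One iptables rule referencing the set, so the rule count does not grow per address.
FIREWALL_RULE = f"iptables -A FORWARD -m set --match-set {SETNAME} dst -j ACCEPT"


@dataclass(frozen=True)
class Answer:
    name: str   # owner name, lower-cased, with trailing dot
    addr: str   # dotted-quad IPv4 address
    ttl: int


def read_name(pkt: bytes, off: int):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            ptr = ((length & 0x3F) << 8) | pkt[off + 1]
            if not jumped:
                next_off = off + 2  # resume after the pointer, not after the target
            jumped, off = True, ptr
            continue
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (next_off if jumped else off)


def parse_a_answers(pkt: bytes):
    """Return the A records in the answer section of a DNS response (other types skipped)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:
        return []  # QR bit clear: a query, nothing to whitelist
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A / IN
            answers.append(Answer(name.lower(), ".".join(str(b) for b in rdata), ttl))
    return answers


def rules_for(pkt: bytes, allowed=ALLOWED_NAMES, setname=SETNAME):
    """ipset commands for allowed A answers; the timeout expires the entry with the TTL."""
    return [f"ipset add {setname} {a.addr} timeout {max(a.ttl, 1)} -exist"
            for a in parse_a_answers(pkt) if a.name in allowed]


def shared_addresses(pkts, allowed=ALLOWED_NAMES):
    """Addresses answered for both an allowed and a non-allowed name: an address-keyed
    firewall admits the non-allowed name too (the shared-IP limitation in the message)."""
    seen = {}
    for pkt in pkts:
        for a in parse_a_answers(pkt):
            seen.setdefault(a.addr, set()).add(a.name)
    return {addr: names for addr, names in seen.items() if names & allowed and names - allowed}


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname: str, addrs, ttl: int) -> bytes:
    """Construct a minimal response: one question, one A answer per address, owner name
    given as a compression pointer (0xC00C) back to the question name at offset 12."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                    + bytes(int(x) for x in a.split(".")) for a in addrs)
    return hdr + question + body


if __name__ == "__main__":
    # Constructed sample traffic: an allowed name, and a non-allowed name sharing its address.
    pkts = [build_response("updates.example.net.", ["192.0.2.10"], 300),
            build_response("cdn-shared.example.com.", ["192.0.2.10"], 60),
            build_response("other.example.com.", ["198.51.100.7"], 60)]
    print(f"ipset create {SETNAME} hash:ip timeout 300")
    print(FIREWALL_RULE)
    for p in pkts:
        print("\n".join(rules_for(p)))
    print("shared:", shared_addresses(pkts))
```

Keeping the learned addresses in an ipset and pointing a single iptables rule at it keeps the iptables rule count flat however many addresses are learned; the set itself is still bounded by memory, so the scaling concern in the message moves rather than disappears. The parser only sees answers that cross the wire in the clear, which is exactly what an encrypted resolver path such as DoH takes away from the operator.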