Re: [DNSOP] extension of DoH to authoritative servers

Paul Wouters <paul@nohats.ca> Tue, 12 February 2019 17:23 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31E83128B33 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 09:23:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hggavK9YkB5f for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 09:23:00 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59772127287 for <dnsop@ietf.org>; Tue, 12 Feb 2019 09:23:00 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 43zTxs17t4zD5w for <dnsop@ietf.org>; Tue, 12 Feb 2019 18:22:57 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1549992177; bh=qHclYywaf5l3I6nC0FJgR48E/mAzwyR1eKsrzD1dFuA=; h=Date:From:To:Subject:In-Reply-To:References; b=sCJJ1RcF0hRAAwnFW6Ut7taEQ5lrA8/x+JHtEh9iw+ttRUFc4bYfxB9robRFJF0HE 3bbwFidX5GqvcK9o4AmBlagzCb5rX9k7um1vbia3gprnp8rj8fdNG+xc8M9EbDA+gL NQdt3KeE1qPx3utTrtR4o94kolUD6rQjfZjz7Vc8=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id XnKiDJd89bLr for <dnsop@ietf.org>; Tue, 12 Feb 2019 18:22:55 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Tue, 12 Feb 2019 18:22:54 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id A05F5A7E0C; Tue, 12 Feb 2019 12:22:53 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca A05F5A7E0C
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 956B940D358A for <dnsop@ietf.org>; Tue, 12 Feb 2019 12:22:53 -0500 (EST)
Date: Tue, 12 Feb 2019 12:22:53 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
Message-ID: <alpine.LRH.2.21.1902121217020.8252@bofh.nohats.ca>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GC1GquZ1DohsEW3qGmwlpDmet24>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 17:23:02 -0000

On Tue, 12 Feb 2019, Paul Vixie wrote:

> this is especially vital for IoT, whose makers will 
> never be profitable other than from data they collect.

I hope those makes will be unprofitable and close shop.

IoT devices should be designed to be accessed through secure VPN or TLS
connections, without going through vulnerable large scale server farms
in unknown or unpleasant countries invading my human privacy rights.

For example, I'm using my hue lights with or without VPN, without telling
Philips when I turn the lights on or off and without telling philips
when I am near or not near by house.

That said, software circumventing the system's resolver is bad, and is
not the layer this should be happening on, and it should really be a
last ditch effort requiring user exception. But browsers think they are
the DNS police now :(

Paul