Re: [DNSOP] extension of DoH to authoritative servers

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 14 February 2019 08:33 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D50BC131091 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:33:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcQqqEWCJNfV for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:33:13 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F8FA131056 for <dnsop@ietf.org>; Thu, 14 Feb 2019 00:33:13 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 9E5192803DE; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id 97AB42804E8; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 8FB222803DE; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 89C2B642A7A1; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 7BCB84010D; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Date: Thu, 14 Feb 2019 09:33:11 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Message-ID: <20190214083311.2d6ncijynujoq6vc@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201902141436144299614@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.14.82117
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HLsiINS7ben0_XRvle1BHne8I54>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 08:33:15 -0000

On Thu, Feb 14, 2019 at 02:36:14PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn>; wrote 
 a message of 86 lines which said:

> i think both DNSSEC and DoH(or DoT) can protect DNS data,

"Protect" is like "security", a word so vague,  which includes so many
different (and sometimes contradictory) services that it is not very
useful. Writing "both DNSSEC and DoH(or DoT) can protect DNS data"
seems to imply that you did not think enough about the difference
between channel security and object security. This is really the
weakest point in your argumentation. (Yes, djb always make the same
mistake but he is a famous cryptographer so people forget and forgive
about his mistakes.)

> the fundmental point it to establish the trust chain and transit
> trust.

No. The entire point of DNSSEC is that you do not need to trust the
many servers that are between the validator and the origin.

> Regarding the case"secondary name servers mnaged by a different
> organisation", the servers can publish several TLSAs to distingush
> them.

I'm afraid you did not understand. Let me explain with concrete
examples. Suppose organisation Alice subcontracts a secondary name
server to organisation Bob (a very common use case).

1) What is Bob is evil and modify DNS records?
2) What is Bob is sloppy in security and its servers are cracked and
the attacker modify DNS records?

DNSSEC protects against both. DoT and DoH does not protect against
these issues.

> This idea is just a sketch model

The problem is that there are many sketch models floating around and
few serious proposals (and even less implemented and analyzed
proposals).