Re: [DNSOP] extension of DoH to authoritative servers
Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 14 February 2019 08:33 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D50BC131091 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:33:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcQqqEWCJNfV for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:33:13 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F8FA131056 for <dnsop@ietf.org>; Thu, 14 Feb 2019 00:33:13 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 9E5192803DE; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id 97AB42804E8; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 8FB222803DE; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 89C2B642A7A1; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 7BCB84010D; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Date: Thu, 14 Feb 2019 09:33:11 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Message-ID: <20190214083311.2d6ncijynujoq6vc@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201902141436144299614@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.14.82117
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HLsiINS7ben0_XRvle1BHne8I54>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 08:33:15 -0000
On Thu, Feb 14, 2019 at 02:36:14PM +0800, zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote a message of 86 lines which said: > i think both DNSSEC and DoH(or DoT) can protect DNS data, "Protect" is like "security", a word so vague, which includes so many different (and sometimes contradictory) services that it is not very useful. Writing "both DNSSEC and DoH(or DoT) can protect DNS data" seems to imply that you did not think enough about the difference between channel security and object security. This is really the weakest point in your argumentation. (Yes, djb always make the same mistake but he is a famous cryptographer so people forget and forgive about his mistakes.) > the fundmental point it to establish the trust chain and transit > trust. No. The entire point of DNSSEC is that you do not need to trust the many servers that are between the validator and the origin. > Regarding the case"secondary name servers mnaged by a different > organisation", the servers can publish several TLSAs to distingush > them. I'm afraid you did not understand. Let me explain with concrete examples. Suppose organisation Alice subcontracts a secondary name server to organisation Bob (a very common use case). 1) What is Bob is evil and modify DNS records? 2) What is Bob is sloppy in security and its servers are cracked and the attacker modify DNS records? DNSSEC protects against both. DoT and DoH does not protect against these issues. > This idea is just a sketch model The problem is that there are many sketch models floating around and few serious proposals (and even less implemented and analyzed proposals).
- [DNSOP] extension of DoH to authoritative servers zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Jeremy Rand
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Wouters
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Wouters
- Re: [DNSOP] extension of DoH to authoritative ser… Joe Abley
- Re: [DNSOP] extension of DoH to authoritative ser… David Conrad
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Patrik Fältström
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… David Conrad
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… David Conrad
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Benno Overeinder
- Re: [DNSOP] extension of DoH to authoritative ser… Vittorio Bertola
- Re: [DNSOP] extension of DoH to authoritative ser… Vladimír Čunát
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… David Conrad
- Re: [DNSOP] extension of DoH to authoritative ser… Henderson, Karl
- Re: [DNSOP] extension of DoH to authoritative ser… Vladimír Čunát
- [DNSOP] DoH vs DoT vs network operators, and requ… Brian Dickson
- Re: [DNSOP] DoH vs DoT vs network operators, and … Warren Kumari
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Wouters
- Re: [DNSOP] extension of DoH to authoritative ser… Jim Reid
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Jim Reid
- [DNSOP] Multiplexing DNS & HTTP over TLS (was: ex… Shane Kerr
- Re: [DNSOP] extension of DoH to authoritative ser… Vladimír Čunát
- Re: [DNSOP] extension of DoH to authoritative ser… Bjørn Mork
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS (was… Joe Abley
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS Klaus Malorny
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS Shane Kerr
- Re: [DNSOP] extension of DoH to authoritative ser… Tony Finch
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS John Levine
- Re: [DNSOP] extension of DoH to authoritative ser… Henderson, Karl
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS Warren Kumari