Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Adam Roach <adam@nostrum.com> Wed, 20 March 2019 18:15 UTC

To: Jacques Latour <Jacques.Latour@cira.ca>, Jared Mauch <jared@puck.nether.net>, Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Ted Hardie <ted.ietf@gmail.com>, DoH WG <doh@ietf.org>, dnsop <dnsop@ietf.org>, paul vixie <paul@redbarn.org>, Michael Sinatra <michael@brokendns.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <155218771419.28706.1428072426137578566.idtracker@ietfa.amsl.com> <3457266.o2ixm6i3xM@linux-9daj> <CA+9kkMDkKQtBDrXx9h8331_6zDtcChUTfqFe0W3JByxyB=4xLw@mail.gmail.com> <1914607.BasjITR8KA@linux-9daj> <CA+9kkMAYR19CCCLN00A5Oy_=9Z97FQogCz-vdC=M7Ffn47fTgQ@mail.gmail.com> <a38cf205-b10e-e8e2-62cf-8e0377dfc1ef@brokendns.net> <4599B066-BA82-4EA8-92C1-F1BE1464A790@puck.nether.net> <b8c58757-3945-ea19-b018-8e59292abf30@cs.tcd.ie> <CAH1iCirBm0NKA2-zw--ZKd3gN1ZCmwZ7_ZOSyaTk+2SMmrtxKg@mail.gmail.com> <EA89EA1A-A1EA-4887-9294-4F68AB5C3211@puck.nether.net> <6c5968b28fc04566aa71df4c6666e8e2@cira.ca>
From: Adam Roach <adam@nostrum.com>
Message-ID: <81ec8759-fcaf-c559-de75-b08f25a75d81@nostrum.com>
Date: Wed, 20 Mar 2019 13:14:32 -0500
In-Reply-To: <6c5968b28fc04566aa71df4c6666e8e2@cira.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IRJnyLiJ3lXxoNta5PrpLVTaoI8>
Subject: Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

On 3/20/19 12:59 PM, Jacques Latour wrote:
> I'm trying to balance in my mind the requirements to protect the DNS vs. what is happening on the wire. In the end, the browser will connect to an IP address which can be (in most cases) mapped to a domain name.

I don't think this second assertion is true in 2019. See if you can make even a first-order reasonable guess what I'm accessing at 172.217.1.129 or 23.227.38.32 or 52.40.19.98 or 216.105.38.15 or 104.20.1.85.

(Hint: I took these all from sites I visit frequently, and none are particularly obscure sites.)

/a
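The check Adam invites, as an added example that is not part of the original message: a Python script that takes the five addresses exactly as listed, asks the resolver for each one's PTR record, and then forward-confirms it (the name in a PTR is whatever the owner of the reverse zone chose to put there, so the standard caveat is to resolve that name back and see whether it actually points at the address before treating it as any kind of identity). Whatever names come back depend on the live DNS when you run it; this page records none, and where one address fronts many names (shared hosting, a CDN edge) a single PTR cannot tell you which site was visited, which is the point of the message. The `describe` and `survey` helpers, and their injectable `reverse`/`forward` arguments, are this example's own design so the logic can also be exercised against a constructed table offline.

```python
"""Reverse-DNS survey of the addresses named in the message above.

Added example, not part of the original e-mail. The PTR names (if any) come
from the live DNS at run time; nothing about them is asserted here.
"""
import socket
from typing import Callable, Dict, List, Optional

# The five addresses from the message, copied as written.
ADDRESSES: List[str] = [
    "172.217.1.129",
    "23.227.38.32",
    "52.40.19.98",
    "216.105.38.15",
    "104.20.1.85",
]

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str, str], bool]


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR name for ip, or None when there is no PTR or the
    lookup fails (no network, NXDOMAIN, SERVFAIL)."""
    try:
        name, _aliases, _addrs = socket.gethostbyaddr(ip)
        return name
    except (socket.herror, socket.gaierror, OSError):
        return None


def forward_confirmed(ip: str, name: str) -> bool:
    """Forward-confirmed reverse DNS (FCrDNS): does the PTR name resolve
    back to ip? Without this step a PTR is an unverified claim made by
    whoever controls the in-addr.arpa / ip6.arpa zone for that address."""
    try:
        infos = socket.getaddrinfo(name, None)
    except (socket.gaierror, OSError):
        return False
    return any(info[4][0] == ip for info in infos)


def describe(
    ip: str,
    reverse: ReverseFn = reverse_lookup,
    forward: ForwardFn = forward_confirmed,
) -> Dict[str, object]:
    """One row per address: the PTR (or None) and whether it forward-confirms.
    `reverse` and `forward` are injectable so the logic can run offline."""
    ptr = reverse(ip)
    return {
        "ip": ip,
        "ptr": ptr,
        "forward_confirmed": ptr is not None and forward(ip, ptr),
    }


def survey(
    addresses: List[str] = ADDRESSES,
    reverse: ReverseFn = reverse_lookup,
    forward: ForwardFn = forward_confirmed,
) -> List[Dict[str, object]]:
    return [describe(ip, reverse, forward) for ip in addresses]


if __name__ == "__main__":
    # Live run: whatever the resolver returns today, with the FCrDNS verdict.
    for row in survey():
        status = "FCrDNS ok" if row["forward_confirmed"] else "unconfirmed"
        print(f"{row['ip']:<16} {(row['ptr'] or '(no PTR)'):<48} {status}")
```

Run it as a script for the live result; the verdict column is the part to read, since a PTR that does not forward-confirm should carry no weight at all, and even one that does usually names the operator of the address rather than the site behind it.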