Re: [DNSOP] extension of DoH to authoritative servers

Ted Lemon <mellon@fugue.com> Tue, 12 February 2019 22:08 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com>
Date: Tue, 12 Feb 2019 14:08:45 -0800
In-Reply-To: <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
To: Paul Vixie <paul@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JdQXSDnqeRyE1IsgrsBLGXhWJ_4>

On Feb 12, 2019, at 1:48 PM, Paul Vixie <paul@redbarn.org> wrote:
> DoH _specifically_ evades this, by looking as much as possible like other traffic to IP addresses shared by a lot of existing traffic.

Right. So what’s to stop other malicious traffic from doing the same thing?

IOW, you seem to want DoH to go away, but will that actually solve your problem? If so, how?