Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <mellon@fugue.com> Tue, 21 August 2018 02:25 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C542C130E81 for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 19:25:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lWx0hi6J38CB for <dnsop@ietfa.amsl.com>; Mon, 20 Aug 2018 19:25:18 -0700 (PDT)
Received: from mail-it0-x235.google.com (mail-it0-x235.google.com [IPv6:2607:f8b0:4001:c0b::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BBC7130E02 for <dnsop@ietf.org>; Mon, 20 Aug 2018 19:25:14 -0700 (PDT)
Received: by mail-it0-x235.google.com with SMTP id h20-v6so2187828itf.2 for <dnsop@ietf.org>; Mon, 20 Aug 2018 19:25:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RjOe8/k7XLGbNzBYJXwSt8coh+mEdh1xiZ/lBoSy3f4=; b=x2vmH3kSONUeEM4jeRy36AxyPQWy2ykOCa1cOagpMxiSH2IZj9j4bbjm2+j5KHGNVd E3xC+olCqB7XedwQYVwImsuch1x5eaojdNH1p/YS/sPyE8P/+RdfM2QLcUPh4vQuJ1VM 6h1DqwR8rGqR3zPFgpCCVHL4WUZScIr2kR4JWa61V5U+XRRgNqHbOgwJkiOi5ZoE4yz0 FIETqrs32c9y9d3Gr/yHIJD0/WTaVsFVb1+JdD2jW6vLPxE8XYlffg67I7sRkz6lojZz FDh/9nR68HNMdYurjnGV4ZjeODniBpGvZxM00IPOpXtU9EW5nWiz0DmEra2+jlL3HkJ4 WkKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RjOe8/k7XLGbNzBYJXwSt8coh+mEdh1xiZ/lBoSy3f4=; b=eAizeVglDdm/gtNhQgtQC2NVpbOYobK8CIxEQ4hSf0GzE+eK7lrxOboEt0tC4KB2OR QsbidBXsLv7DGmAOWQfUY7JE4yLvmMCkd9K8dYNjUzI7vfT7VBMGifrzVMp4Ys5lxtdG TE0YcoZY9YAAsN4jdx2Ya2DRQ9DijdYHOuqIFTW8VGxpXt5aUiZA7UD2W8BTowHSE7OD vVhVR/DrleUJ0g/b/+gt8jsjZQnQ3YD4qynPG3uDUZncdLO8VUXTzOIwcPhIy9Tn6Jln pAGDliZ5M+r0kufJvmWIqmCwftlQo/vbzvp6O2LifrgW1KMxmPKSV5BiMA8m19c5geEW JWUw==
X-Gm-Message-State: AOUpUlGvRJDXEcWbjz/DjgMkKk8EVLghVHXDiPr1ykuI7FTVpfYH9zhE Zci8EExuFqXb0YRrIxEHkotN8YcMWnbMPsURKVZvzstW
X-Google-Smtp-Source: AA+uWPxAHSE37iKbIi64jsJa9TFxSvQHkSo/fWhKHaSzkobFsgh8qQwAtNXubHLpRrCr9q9ONa6pVpbAt0SgBdVfsQk=
X-Received: by 2002:a02:88ad:: with SMTP id n42-v6mr2675294jaj.38.1534818313345; Mon, 20 Aug 2018 19:25:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:a009:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 19:24:32 -0700 (PDT)
In-Reply-To: <5B7B532B.6050708@redbarn.org>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1kj7Y0dPLeDk=PMqQEpAd-Mvds6VLT8XUC1BYOfdyUbJA@mail.gmail.com> <CAC=TB125M81nwiCTNr8Vbee+Z7Fh_3L+6EdZ8evXVzP-2ji4fg@mail.gmail.com> <CAPt1N1n9hDUZQ-Ltvs73T20=fpG-FR_j-t4m0kMapDiv2Us1kw@mail.gmail.com> <5B78BFB9.40103@redbarn.org> <47508D79-0D49-4F31-9BA6-6DC80C38F1DE@cable.comcast.com> <ad1f6dff-ebcc-97a9-6f4b-1ed683827cc7@dougbarton.us> <1313743534.13562.1534765718802@appsuite.open-xchange.com> <9AFE57A7-1D27-4F86-9013-E3C63E63C582@hopcount.ca> <5B7AE322.3020201@redbarn.org> <CAPt1N1m-Xd-7rvgmk8GOsx34=1hsu76nmTgW-8krC3JF7i57KQ@mail.gmail.com> <265867956.15518.1534783313366@appsuite.open-xchange.com> <5B7AF30F.7040409@redbarn.org> <CAPt1N1=ad9MyZmHncTfdDV9pPim9cDC=boAFD9UxmXkpX+vg1Q@mail.gmail.com> <5B7B001A.5000907@redbarn.org> <CAPt1N1mfBz3E96ZuLAbBFYzhrwmg8ukrgsabC-duCOj1-rKK4A@mail.gmail.com> <5B7B0465.8060906@redbarn.org> <CAPt1N1m1c6k_Bn8GR4hMRD+A5iBq7bQsZ0CQqcoKJU1Y4nYvvQ@mail.gmail.com> <5B7B532B.6050708@redbarn.org>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 20 Aug 2018 22:24:32 -0400
Message-ID: <CAPt1N1=QCFZHcuTm=aMMW0gCtKj2V6fHJ9ymveDSJfpLscJAxg@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Joe Abley <jabley@hopcount.ca>, dnsop WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005cb1460573e8bcaf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/R3eY2d1VtTkNu43wgL-xNWnxgIg>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 02:25:37 -0000

You're talking about devices over which you have no control.   So how does
it make a difference where the attack vector is on the device?   Why is
DNS-over-HTTPS worse than entire-attack-vector-over-HTTPS?

On Mon, Aug 20, 2018 at 7:47 PM Paul Vixie <paul@redbarn.org> wrote:

>
>
> Ted Lemon wrote:
> > I think that you are whistling past the graveyard.   If your firewall
> > allows HTTPS without a proxy, then everything that DoH allows is already
> > possible, and is probably already being done, because it's so obvious.
>
> nope. the control plane stops at my doorstep, and there is no ubiquitous
> bypass occurring. i urge you to consider my level of commitment to this
> state of affairs, and whether i'm alone, and what could happen if it's
> threatened by the DOH WG's work.
>
> >    If you disagree with me about this (and I can think of a few reasons
> > why you might) then you should articulate what is possible with DoH that
> > isn't already possible with HTTPS.
>
> done.
>
> --
> P Vixie
>
>