Re: [DNSOP] extension of DoH to authoritative servers

"zuopeng@cnnic.cn" <zuopeng@cnnic.cn> Wed, 13 February 2019 06:08 UTC

Date: Wed, 13 Feb 2019 14:08:19 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn>, <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
Message-ID: <201902131408197979867@cnnic.cn>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WIy03br3XwTt8Pq6ncUqtkA9amc>

I prefer DoH because it can identify a server we are talking to and the content is encrypted.



zuopeng@cnnic.cn
 
From: Stephane Bortzmeyer
Date: 2019-02-12 16:39
To: zuopeng@cnnic.cn
CC: dnsop
Subject: Re: extension of DoH to authoritative servers
On Tue, Feb 12, 2019 at 03:56:04PM +0800,
zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
a message of 546 lines which said:
 
> I am considering extending the DoH protocol to authoritative
> servers.
 
Why DoH and not DoT? DoH is useful because 1) port 853 may be blocked
at the edge of the network 2) applications running in a Web browser
may need DNS data. But these two reasons do not apply to your use case:
1) the resolver is often closer to the core and there is less risk
that 853 is blocked 2) there is no Web browser on the resolver.