Re: [DNSOP] extension of DoH to authoritative servers

Paul Wouters <paul@nohats.ca> Tue, 12 February 2019 14:07 UTC

Date: Tue, 12 Feb 2019 09:07:43 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <2019021215560470371417@cnnic.cn>
Message-ID: <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>
References: <2019021215560470371417@cnnic.cn>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XfNl4GsIeaK5Dhfpl-FEMCXCWRw>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, 12 Feb 2019, zuopeng@cnnic.cn wrote:

> In this way, the whole DNS is built on HTTPS which makes DNS more secure. DNSSEC is not necessary anymore and many other
> problems like fragmentation also will not exist.

This idea is similar to DNSCurve. The problem is that channel security
does not help when you have an infrastructure of DNS caches, as nothing
in the cache can be used to validate the content.

djb's solution to this problem was to obsolete the cache, and at the CCC
conference he then threw around numbers that "claimed" caching is not
working or needed, and was proven wrong by me showing some cache
percentages of real DNS servers.

DNSSEC provides origin protection, and digital signatures are needed,
which TLS does not offer.

Paul
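The distinction Paul draws (channel security leaves nothing in a cache that can be checked; an origin signature travels with the data and can be checked by anyone who later reads the cache) as an added illustration, not code from the thread. It uses the Go standard library's Ed25519 as a stand-in for a zone signing key; the RRset, its canonical form and the sample records are constructed for the example and are simplified compared to real DNSSEC wire formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RRset is a minimal stand-in for one DNS answer (constructed sample, not wire format).
type RRset struct {
	Name, Type string
	Data       []string
}

// canonical renders the RRset into the bytes the zone signs over. Real DNSSEC
// signs the canonical wire form (RFC 4034); this is a simplified stand-in.
func canonical(rr RRset) []byte {
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(rr.Data, ","))
}

// CacheEntry is what a resolver caches; over TLS-only transport Sig stays nil (channel authenticated, data not).
type CacheEntry struct {
	RR  RRset
	Sig []byte // origin signature travelling with the data (DNSSEC-style), or nil
}

// ValidateFromCache makes the mail's point concrete: whoever reads the cache can
// only check the data if an origin signature was stored alongside it.
func ValidateFromCache(e CacheEntry, zoneKey ed25519.PublicKey) (bool, string) {
	if e.Sig == nil {
		return false, "no origin signature: channel security left nothing to verify"
	}
	if ed25519.Verify(zoneKey, canonical(e.RR), e.Sig) {
		return true, "origin signature verifies"
	}
	return false, "origin signature does not match cached data"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical zone key
	rr := RRset{"example.invalid.", "A", []string{"192.0.2.10"}}
	signed := CacheEntry{rr, ed25519.Sign(priv, canonical(rr))}
	channelOnly := CacheEntry{RR: rr}
	tampered := signed
	tampered.RR.Data = []string{"203.0.113.9"} // cache content altered after the fact
	for _, e := range []CacheEntry{signed, channelOnly, tampered} {
		fmt.Println(ValidateFromCache(e, pub))
	}
}
```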