Re: [DNSOP] extension of DoH to authoritative servers

Paul Vixie <paul@redbarn.org> Tue, 12 February 2019 22:18 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12A63130DDA for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:18:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level:
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_AFFORDABLE=1, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kvNfxyoDxSB0 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:18:39 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19F57130DD8 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:18:39 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384] (unknown [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id D7040892C6; Tue, 12 Feb 2019 22:18:38 +0000 (UTC)
To: Ted Lemon <mellon@fugue.com>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org>
Date: Tue, 12 Feb 2019 14:18:39 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Xm8lZQV0DNPv4xMxi_8VoPDjT9c>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 22:18:40 -0000


Ted Lemon wrote on 2019-02-12 14:08:
> On Feb 12, 2019, at 1:48 PM, Paul Vixie <paul@redbarn.org 
> <mailto:paul@redbarn.org>> wrote:
>> DoH _specifically_ evades this, by looking as much as possible like 
>> other traffic to IP addresses shared by a lot of existing traffic.
> 
> Right.   So what’s to stop other malicious traffic from doing the same 
> thing?

lack of an IETF-approved standard with planned implementation by a half 
dozen tech giants, means that other malicious traffic will not be able 
to hide in the crowd, and can be made subject to policy, and complaints.

> IOW, you seem to want DoH to go away, but will that actually solve your 
> problem?   If so, how?

i want DoT to be used instead, and backed by google, mozilla, 
cloudflare, and the others. i want malicious traffic to stand apart from 
the crowd, where affordable anomaly detection can see it and cope with 
it. security economics is a "long game." DoH is a giant step function.

-- 
P Vixie