Re: [DNSOP] extension of DoH to authoritative servers

Paul Wouters <paul@nohats.ca> Thu, 14 February 2019 07:34 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DAB113102B for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 23:34:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3oWvf3nZ7QEG for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 23:34:16 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3779C131021 for <dnsop@ietf.org>; Wed, 13 Feb 2019 23:34:16 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 440Snf27nXz3Nm; Thu, 14 Feb 2019 08:34:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1550129654; bh=ld1MngKQ8Kte802gyo6ZqY9ftsCx8rXj9tRnjddIADc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=rN7qz6nC62Bhm3VJ1TmsGa+Ai+tcIC8vJP6ZAj8ZfRBzGIq5PV4X2BiqZGfNaQrva 4SsslvdOgbUQ3Fp7vdSMf6fB0GWxoYAJRXbsjVIlhDO/psk+Gl4t6s/rIZZ+RqMcZj ZS9TpgqIeu/kLJu44UPuBaMBxyCqC95/oXiJR5R4=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 1LCI21pV41G8; Thu, 14 Feb 2019 08:34:12 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 14 Feb 2019 08:34:11 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D688B2FCBF; Thu, 14 Feb 2019 02:34:10 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca D688B2FCBF
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id CEF6740D358A; Thu, 14 Feb 2019 02:34:10 -0500 (EST)
Date: Thu, 14 Feb 2019 02:34:10 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>
In-Reply-To: <201902141436144299614@cnnic.cn>
Message-ID: <alpine.LRH.2.21.1902140232160.19964@bofh.nohats.ca>
References: <2019021215560470371417@cnnic.cn>, <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>, <201902131403257357123@cnnic.cn>, <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YMRzIZCF7_t4R0ZrtemSIUS19Ac>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 07:34:18 -0000

On Thu, 14 Feb 2019, zuopeng@cnnic.cn wrote:

> This idea is just a sketch model and provides another option for DNS security and privacy. Transiting trust is hard but may be accomplished in the future. T
> he deployment of DNSSEC also takes a long time and is still in progress. 

No. It simply will break applications. For example, the libreswan IKE
daemon using DNSSEC will use the system's forwarder and perform full
DNSSEC validation, without having any idea of the chain of forwarders.
It does not need to, because it is using proper DNSSEC validation.

Your proposal of using transport security implies your node can always
talk to any worldwide DNS server. That is not the case in most networks.

Paul