Re: [DNSOP] extension of DoH to authoritative servers

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 14 February 2019 09:12 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDF0113115A for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:12:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ghcjqts0gN5i for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:12:37 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC34B13115C for <dnsop@ietf.org>; Thu, 14 Feb 2019 01:12:37 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 0EF50280421; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: from relay01.prive.nic.fr (pa-th3.interco.nic.fr [192.134.4.74]) by mx4.nic.fr (Postfix) with ESMTP id 088B72803B9; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 050EF642C581; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id F082A4010D; Thu, 14 Feb 2019 10:12:35 +0100 (CET)
Date: Thu, 14 Feb 2019 10:12:35 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Jim Reid <jim@rfc1035.com>, dnsop <dnsop@ietf.org>
Message-ID: <20190214091235.jnu4udt7qlrlxm7f@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn> <212516D2-110D-45DD-B77B-46FD2BA6FECA@rfc1035.com> <2019021416313510438520@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2019021416313510438520@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZfEmB9muvDxwyii9x93SHcD9hrM>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 09:12:40 -0000

On Thu, Feb 14, 2019 at 04:31:35PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn>; wrote 
 a message of 74 lines which said:

> > for instance a DoH or DoT server that intentionally or
> > accidentally returns false data. DNSSEC can counter that.
>  
>  I dont understand why.
>  If a server intentionally returns false data , it can fake anything
>  because it owns the private key, DNSSEC does not help either.

So, you seem to not understand DNSSEC very well. I suggest you read
RFC 4033 and following. Summary: DNSSEC is designed so that the server
does not need the private key.

Also, "server" means two VERY different things in the DNS, resolvers
and authoritative. DNSSEC protects also against a lying intermediary
resolver.