Re: [DNSOP] extension of DoH to authoritative servers
Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 14 February 2019 09:12 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDF0113115A for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:12:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ghcjqts0gN5i for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:12:37 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC34B13115C for <dnsop@ietf.org>; Thu, 14 Feb 2019 01:12:37 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 0EF50280421; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: from relay01.prive.nic.fr (pa-th3.interco.nic.fr [192.134.4.74]) by mx4.nic.fr (Postfix) with ESMTP id 088B72803B9; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 050EF642C581; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id F082A4010D; Thu, 14 Feb 2019 10:12:35 +0100 (CET)
Date: Thu, 14 Feb 2019 10:12:35 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Jim Reid <jim@rfc1035.com>, dnsop <dnsop@ietf.org>
Message-ID: <20190214091235.jnu4udt7qlrlxm7f@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn> <212516D2-110D-45DD-B77B-46FD2BA6FECA@rfc1035.com> <2019021416313510438520@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2019021416313510438520@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZfEmB9muvDxwyii9x93SHcD9hrM>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 09:12:40 -0000
On Thu, Feb 14, 2019 at 04:31:35PM +0800, zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote a message of 74 lines which said: > > for instance a DoH or DoT server that intentionally or > > accidentally returns false data. DNSSEC can counter that. > > I dont understand why. > If a server intentionally returns false data , it can fake anything > because it owns the private key, DNSSEC does not help either. So, you seem to not understand DNSSEC very well. I suggest you read RFC 4033 and following. Summary: DNSSEC is designed so that the server does not need the private key. Also, "server" means two VERY different things in the DNS, resolvers and authoritative. DNSSEC protects also against a lying intermediary resolver.
- [DNSOP] extension of DoH to authoritative servers zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Jeremy Rand
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Wouters
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Wouters
- Re: [DNSOP] extension of DoH to authoritative ser… Joe Abley
- Re: [DNSOP] extension of DoH to authoritative ser… David Conrad
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Patrik Fältström
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… Ted Lemon
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… David Conrad
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… David Conrad
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Vixie
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Benno Overeinder
- Re: [DNSOP] extension of DoH to authoritative ser… Vittorio Bertola
- Re: [DNSOP] extension of DoH to authoritative ser… Vladimír Čunát
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… David Conrad
- Re: [DNSOP] extension of DoH to authoritative ser… Henderson, Karl
- Re: [DNSOP] extension of DoH to authoritative ser… Vladimír Čunát
- [DNSOP] DoH vs DoT vs network operators, and requ… Brian Dickson
- Re: [DNSOP] DoH vs DoT vs network operators, and … Warren Kumari
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Paul Wouters
- Re: [DNSOP] extension of DoH to authoritative ser… Jim Reid
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… zuopeng@cnnic.cn
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Stephane Bortzmeyer
- Re: [DNSOP] extension of DoH to authoritative ser… Jim Reid
- [DNSOP] Multiplexing DNS & HTTP over TLS (was: ex… Shane Kerr
- Re: [DNSOP] extension of DoH to authoritative ser… Vladimír Čunát
- Re: [DNSOP] extension of DoH to authoritative ser… Bjørn Mork
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS (was… Joe Abley
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS Klaus Malorny
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS Shane Kerr
- Re: [DNSOP] extension of DoH to authoritative ser… Tony Finch
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS John Levine
- Re: [DNSOP] extension of DoH to authoritative ser… Henderson, Karl
- Re: [DNSOP] Multiplexing DNS & HTTP over TLS Warren Kumari