Re: [DNSOP] NSA says don't use public DNS or DoH servers

Tom Pusateri <pusateri@bangj.com> Fri, 22 January 2021 02:10 UTC

From: Tom Pusateri <pusateri@bangj.com>
Date: Thu, 21 Jan 2021 21:10:25 -0500
Message-Id: <2C89C47C-243F-4A42-86EE-019C8497EA47@bangj.com>
References: <20210122015902.jjuvgrxsok5ou5z3@family.redbarn.org>
Cc: dnsop@ietf.org
In-Reply-To: <20210122015902.jjuvgrxsok5ou5z3@family.redbarn.org>
To: Paul Vixie <paul@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_pbwG0m0v_09FHuD5dM1I1MFDPU>

> On Jan 21, 2021, at 8:59 PM, Paul Vixie <paul@redbarn.org> wrote:
> 
> On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
>> "John Levine" <johnl@taugh.com> writes:
>> 
>>> They think DoH is swell, but not when it bypasses security controls
>>> and leaks info to random outside people
>> 
>> At least 15% of network operators seem to agree.
>> 
>> https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html
> 
> i think the makers of canary-respecting DNS stub resolvers are still
> figuring things out, and that if canary domains become prevalent,
> especially among surveillance capitalist ISPs or surveillance
> authoritarian states, the days of canary domains will change or end.
> 
> for my own networks, i won't install a canary domain, because that's
> a late-imposed change, unreliable, and a negative externality. any
> stub resolver who uses any DNS service other than the one i hand out
> in my DHCP assignments will be removed from the network.
> 
> (new behaviour should require new signalling. let networks who want to
> permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise,
> signal this by adding a new canary domain, or a new DHCP option.
> absent new signalling, behaviour should not change.)
> 
> -- 
> Paul Vixie

Would it be ok to allow DNSSEC signed responses from any server? If they’re signed and verified, does it matter how you got them?

Thanks,
Tom
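As an added illustration of the signalling argument in the quoted text (example code, not part of the thread or any real stub resolver): the two functions below contrast today's opt-out canary, where a missing or failed probe leaves bypass enabled, with the proposed "absent new signalling, behaviour should not change" model. The DHCP option number and the opt-in canary result are hypothetical placeholders, not real assignments.

```python
"""Stub-resolver policy: opt-out canary (today) versus opt-in signalling (proposed)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical site-local DHCP option number standing in for a
# "DNS bypass permitted" signal; not a registered option.
BYPASS_PERMITTED_OPTION = 224


@dataclass
class NetworkConfig:
    dhcp_resolvers: list                          # resolvers handed out in the lease
    dhcp_options: dict = field(default_factory=dict)   # option number -> raw value
    # Result of probing the network resolver for an opt-out canary name:
    # True = resolves (no objection), False = NXDOMAIN (operator objects),
    # None = probe failed or was never run.
    optout_canary_resolves: Optional[bool] = None
    # Result of probing for a hypothetical opt-in canary ("new canary domain").
    optin_canary_resolves: Optional[bool] = None


def bypass_allowed_optout(cfg: NetworkConfig) -> bool:
    """Current model: bypass is on unless the network actively says no.
    A failed or skipped probe counts as 'no objection', which is the
    unreliability the quoted text points at."""
    return cfg.optout_canary_resolves is not False


def bypass_allowed_optin(cfg: NetworkConfig) -> bool:
    """Proposed model: bypass stays off until the network explicitly permits it,
    either through the new DHCP option or by publishing the opt-in canary."""
    if BYPASS_PERMITTED_OPTION in cfg.dhcp_options:
        return True
    return cfg.optin_canary_resolves is True


def pick_upstream(cfg: NetworkConfig, doh_server: Optional[str],
                  policy: Callable[[NetworkConfig], bool]) -> str:
    """Return the server the stub would actually send queries to."""
    if doh_server and policy(cfg):
        return doh_server
    return cfg.dhcp_resolvers[0]


if __name__ == "__main__":
    # Constructed sample: a network that hands out one resolver and sends no signal.
    silent = NetworkConfig(dhcp_resolvers=["192.0.2.53"])
    print("opt-out model:", pick_upstream(silent, "doh.example", bypass_allowed_optout))
    print("opt-in model: ", pick_upstream(silent, "doh.example", bypass_allowed_optin))
```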