Re: [DNSOP] extension of DoH to authoritative servers

Paul Vixie <paul@redbarn.org> Tue, 12 February 2019 16:32 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEC8D1292F1 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 08:32:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eivkUOVoTUDC for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 08:32:29 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0723012DF71 for <dnsop@ietf.org>; Tue, 12 Feb 2019 08:32:28 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:ec14:138:d007:b4de] (unknown [IPv6:2001:559:8000:c9:ec14:138:d007:b4de]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 62732892C6; Tue, 12 Feb 2019 16:32:27 +0000 (UTC)
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
Date: Tue, 12 Feb 2019 08:32:28 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eCzDhGZzO-ikCO-FRWiTqvnfvC8>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 16:32:31 -0000


Stephane Bortzmeyer wrote on 2019-02-12 00:39:
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
>   zuopeng@cnnic.cn <zuopeng@cnnic.cn>; wrote
>   a message of 546 lines which said:
> 
>> I am considering extending the DoH protocal to authoritative
>> servers.
> 
> Why DoH and not DoT? ...

well, yes, but...

> DoH is useful because 1) port 853 may be blocked
> at the edge of the network 

DoH is _dangerous_ because it's my network and i require all visitors, 
family members, employees, and apps to use the control plane i have 
constructed, which includes DNS surveillance and control. thanks to DoH, 
i will have to add a WAF, or require SOCKS, for all outbound TCP/443 to 
the cloudflare, google, and other so-called "public" dns services. i am 
nowhere near ready to allow cloudflare and apnic and the others to build 
their own private DNS relationship with my endpoints, bypassing parental 
controls, bypassing corporate security policy.

DoT should be preferred precisely because it _can_ be blocked by the 
network operator. if someone insists on not talking to my DNS servers, 
they can take their device elsewhere. this is especially vital for IoT, 
whose makers will never be profitable other than from data they collect.

> 2) applications running in a Web browser
> may need DNS data. ...
i expect those apps to make normal UDP/53, TCP/53, or TCP/853 requests 
from the designated DNS servers i operate as part of my control plane. 
any attempt to speak DoH from my networks will be treated as an attack.

-- 
P Vixie