Re: [DNSOP] NSA says don't use public DNS or DoH servers
Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Fri, 22 January 2021 08:30 UTC
To: dnsop@ietf.org
References: <20210122015902.jjuvgrxsok5ou5z3@family.redbarn.org> <2C89C47C-243F-4A42-86EE-019C8497EA47@bangj.com>
Message-ID: <a773ff69-feba-fcde-f332-21c2de547604@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lC3yA549ioxMZ6hQFbPrDPg6yHY>
On 1/22/21 3:10 AM, Tom Pusateri wrote:
> Would it be ok to allow DNSSEC signed responses from any server? If they're signed and verified, does it matter how you got them?

Another missing part is privacy, i.e. even if you get exactly the same answers, it doesn't imply you get similar (privacy) properties.

By the way, the ADD WG is now trying hard to define what it means for two resolver services to be "equivalent" - at least for the purpose of being OK to switch among them without the user's consent.

--Vladimir