Re: [DNSOP] extension of DoH to authoritative servers

Ted Lemon <mellon@fugue.com> Tue, 12 February 2019 20:07 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com>
Date: Tue, 12 Feb 2019 12:07:42 -0800
In-Reply-To: <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
To: Paul Vixie <paul@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o4FxMouwjxJktZkUNmETyLJUYZY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Feb 12, 2019, at 11:04 AM, Paul Vixie <paul@redbarn.org> wrote:
> actually, there are other choices.

I may have failed to communicate. What I mean is that you said that you can detect all nefarious traffic, but you can’t detect DoH, which to you is nefarious. What I’m saying is that there’s no such distinction, or at least if there is at present, it is a temporary situation.

Of course you have choices about what to do about this; my point is not to suggest that you do not.