Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie <paul@redbarn.org> Sun, 19 August 2018 00:38 UTC

Message-ID: <5B78BC0B.6020605@redbarn.org>
Date: Sat, 18 Aug 2018 17:38:35 -0700
From: Paul Vixie <paul@redbarn.org>
To: bert hubert <bert.hubert@powerdns.com>
CC: Ted Lemon <mellon@fugue.com>, dnsop <dnsop@ietf.org>, Marek Vavruša <mvavrusa=40cloudflare.com@dmarc.ietf.org>
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1=-792WkQmbTigPdqOh0dONykYycG0hheOecoQa4ai=Hw@mail.gmail.com> <5B7893C9.7000703@redbarn.org> <CAPt1N1nj=g0nOsgHNvCosBg2va9pj228hKArpsukAzQ3jtX-gw@mail.gmail.com> <20180818232106.GB32131@server.ds9a.nl>
In-Reply-To: <20180818232106.GB32131@server.ds9a.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rzL97JrS0a8Foy-OXCTJTViF5dM>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers

bert hubert wrote:
> On Sat, Aug 18, 2018 at 07:12:57PM -0400, Ted Lemon wrote:
>> How will you block it?
>
> So just to make this a bit more colorful, DoH allows servers to push
> unsolicited DNS responses, which the browser is then free to put in its DNS
> cache.
>
> This allows the DoH endpoint to hop around at will, or even have a whole
> stash of IP addresses ready as alternates.

perhaps the thought is that this will cause corporate security operators, and the great firewall of china's operator, to just say oh what the heck we've lost that war let's just let it happen.

if so, that thought signals derangement on the part of the thinker.

-- 
P Vixie
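The push behaviour Bert describes (a DoH server pushing DNS answers the client never asked for, which can plant alternate addresses for the resolver itself) is something a client can refuse at cache-insertion time. The model below is an added example, not code from the thread or from any DoH implementation; its policy (accept a pushed answer only from the configured DoH origin and path, only for a question this client actually sent, and with a capped TTL) and the names `doh.example` and `www.example` are assumptions for illustration.

```python
"""Model of a DoH client cache that rejects unsolicited server-pushed answers."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

Question = Tuple[str, str]  # (qname, qtype); qname lower-cased, fully qualified


def normalize(qname: str, qtype: str) -> Question:
    return (qname.lower().rstrip(".") + ".", qtype.upper())


@dataclass
class PushedResponse:
    request_url: str      # URL carried in the HTTP/2 PUSH_PROMISE
    question: Question    # question section of the pushed DNS message
    rdata: List[str]      # answer RDATA, e.g. IP addresses
    ttl: int


@dataclass
class DoHClientCache:
    doh_url: str                 # configured resolver, e.g. https://doh.example/dns-query
    max_push_ttl: int = 300      # assumption: cap how long a pushed record may live
    asked: Set[Question] = field(default_factory=set)
    cache: Dict[Question, Tuple[List[str], int]] = field(default_factory=dict)

    def query(self, qname: str, qtype: str, rdata: List[str], ttl: int) -> None:
        """Record a question this client itself sent, plus the answer it received."""
        q = normalize(qname, qtype)
        self.asked.add(q)
        self.cache[q] = (rdata, ttl)

    def accept_push(self, p: PushedResponse) -> bool:
        """Return True and cache the pushed answer only if it passes policy."""
        cfg, got = urlsplit(self.doh_url), urlsplit(p.request_url)
        # 1. The push must be for the configured DoH origin and path; a push
        #    pointing at some other endpoint is ignored.
        if (got.scheme, got.netloc, got.path) != (cfg.scheme, cfg.netloc, cfg.path):
            return False
        q = normalize(*p.question)
        # 2. Only answers to questions this client actually asked are accepted,
        #    so the server cannot seed the cache with names of its own choosing.
        if q not in self.asked:
            return False
        self.cache[q] = (p.rdata, min(p.ttl, self.max_push_ttl))
        return True
```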