Re: [DNSOP] extension of DoH to authoritative servers

"zuopeng@cnnic.cn" <zuopeng@cnnic.cn> Wed, 13 February 2019 06:03 UTC

Date: Wed, 13 Feb 2019 14:03:26 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: "Paul Wouters" <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn>, <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>
Message-ID: <201902131403257357123@cnnic.cn>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ss8feHZLyhhDgnxsTpt5lQR0PeA>

That's true. But in my view, if the trust chain is built, we can ensure a resolver (or a cache) is always talking to an identified server and the channel is always secure, then the content could not be tampered with.



zuopeng@cnnic.cn
 
From: Paul Wouters
Date: 2019-02-12 22:07
To: zuopeng@cnnic.cn
CC: dnsop
Subject: Re: [DNSOP] extension of DoH to authoritative servers
On Tue, 12 Feb 2019, zuopeng@cnnic.cn wrote:
 
> In this way, the whole DNS is built on HTTPS which makes DNS more secure. DNSSEC is not necessary anymore and many other
> problems like fragmentation also will not exist.
 
This idea is similar to DNScurve. The problem is that channel security
does not help when you have an infrastructure of DNS caches, as nothing
in the cache can be used to validate the content.
 
djb's solution to this problem was to obsolete the cache, and at the CCC
conference he then threw around numbers that "claimed" caching is not
working or needed, and was proven wrong by me showing some cache
percentages of real DNS servers.
 
DNSSEC provides origin protection, and digital signatures are needed,
which TLS does not offer.
 
Paul
 
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
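What the origin-versus-channel distinction in the quoted reply looks like in code, as an added example that is not part of the thread and not anything either author wrote: an Ed25519-signed RRset stands in for a DNSSEC RRSIG (including the original-TTL rule, so the signature survives a cache decrementing TTLs and reordering records), a cache re-serves it, and the client verifies against the zone's public key. The same RRset with its rdata altered by the cache fails verification. A TLS session between the cache and the authoritative server would give the client nothing to check here, because the client never saw that session; the public key is the trust anchor, not the channel. The record names, addresses, key generation and the cache model are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, type, TTL, rdata as text.
type RR struct {
	Name, Type, RData string
	TTL               uint32
}

// SignedRRset models an RRset plus the two RRSIG fields that matter here:
// the original TTL the signer used, and the signature itself.
type SignedRRset struct {
	RRs     []RR
	OrigTTL uint32
	Sig     []byte
}

// canonical serialises the RRset the way DNSSEC does before signing: owner
// names lower-cased, every TTL replaced by the original TTL, RRs sorted, so
// that a cache decrementing TTLs or reordering RRs does not break the signature.
func canonical(rrs []RR, origTTL uint32) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\t%s\t%s",
			strings.ToLower(rr.Name), origTTL, rr.Type, rr.RData))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Sign is what the authoritative zone does once, offline: sign the RRset.
func Sign(priv ed25519.PrivateKey, rrs []RR) SignedRRset {
	origTTL := rrs[0].TTL
	return SignedRRset{RRs: rrs, OrigTTL: origTTL,
		Sig: ed25519.Sign(priv, canonical(rrs, origTTL))}
}

// Verify is what a validating resolver or stub runs on data it got from
// anywhere: the zone's public key is the trust anchor, not the channel.
func Verify(pub ed25519.PublicKey, s SignedRRset) bool {
	return ed25519.Verify(pub, canonical(s.RRs, s.OrigTTL), s.Sig)
}

// cacheServe models a recursive cache answering from its store: TTLs are
// decremented by age and RR order is not preserved. tamper=true models a
// compromised or lying cache rewriting one address (constructed scenario).
func cacheServe(s SignedRRset, age uint32, tamper bool) SignedRRset {
	out := SignedRRset{OrigTTL: s.OrigTTL, Sig: s.Sig, RRs: make([]RR, len(s.RRs))}
	copy(out.RRs, s.RRs)
	for i, j := 0, len(out.RRs)-1; i < j; i, j = i+1, j-1 {
		out.RRs[i], out.RRs[j] = out.RRs[j], out.RRs[i]
	}
	for i := range out.RRs {
		out.RRs[i].TTL -= age
	}
	if tamper {
		out.RRs[0].RData = "203.0.113.66" // attacker-controlled address (constructed)
	}
	return out
}

// Scenario runs both cases and reports whether each verifies at the client.
func Scenario() (honestOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // zone key, generated here
	if err != nil {
		return false, false, err
	}
	// Constructed sample RRset; addresses are from documentation ranges.
	rrs := []RR{
		{Name: "www.example.", Type: "A", TTL: 300, RData: "192.0.2.10"},
		{Name: "www.example.", Type: "A", TTL: 300, RData: "192.0.2.11"},
	}
	signed := Sign(priv, rrs)
	honestOK = Verify(pub, cacheServe(signed, 120, false))
	tamperedOK = Verify(pub, cacheServe(signed, 120, true))
	return honestOK, tamperedOK, nil
}

func main() {
	h, t, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("re-served unmodified by cache: verifies=%v\n", h)
	fmt.Printf("rdata rewritten by cache:      verifies=%v\n", t)
}
```

The point the cache makes visible: `cacheServe` never sees the zone's private key and never needs the channel it fetched over, yet the client can still tell the two answers apart. Replace `Sign` and `Verify` with a TLS handshake between cache and authoritative server and the client is left with only the cache's word for what it fetched.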