Re: [DNSOP] extension of DoH to authoritative servers

David Conrad <drc@virtualized.org> Tue, 12 February 2019 18:14 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1113129A87 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 10:14:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5McvUFtHsRgo for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 10:14:22 -0800 (PST)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA834127287 for <dnsop@ietf.org>; Tue, 12 Feb 2019 10:14:22 -0800 (PST)
Received: by mail-pg1-x530.google.com with SMTP id w7so1600625pgp.13 for <dnsop@ietf.org>; Tue, 12 Feb 2019 10:14:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtualized-org.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=bKS2ljRhH4LHbbN0fYNvhgcBHgahtJeAMv9cD/QCpRc=; b=Sdsk++/eGG+0qL6glk/CHfbrvf9MRx8kVyK/lttsNTQMYkEjq0k2Ex9t8xjJSE2uT/ 5Fsk2YfdsdCO9L7euJwpbs7NE0RMiCf+5sQCJfxuI36kE+QhNrx8UHY7Ygypbo5Q3dRX ge+fGmdMQJG8zyaohCiJ4AgpdcLxmSsIH6WiQ9Rk0rysCkmtvAxqit/gvisJPIOSk2aG Q1OQARLyK0l1ORC23PFNgmzou3DabhzDCW56g9otMBAk9VJUgb/WINnz4O4Q8vmy+nmn eDO+nyo11+F9tbYo+YriLLuwxgKhi3C/5xMUR+3NupCnUsuoSdCETN4Xu65Mow693w7L qWdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=bKS2ljRhH4LHbbN0fYNvhgcBHgahtJeAMv9cD/QCpRc=; b=d7LuxiiPCNkCMp6OHXAG0/D8YnAJrNpsoHBXpaMaAk+fE7l634wMm+1XeiNTQLyv+Z tL0Xd7amulpnh8pXCrOmgD/aSdAvqPwNLf9E/n8uvSDcYvd+eQM2LtfyHFW87sXW10cZ iLK5LRM3umasBmdmDRi6pffbOGFxAyphaLbsbsXZ98vjA5zsFOd50NBcoFq07kHrPQ83 UaXo1sNlWY4KUoHzXMgIDzTYIhbXNXmHlTysROcIGy/MDPr30SQfxoZAnhhDtI9cJVP+ 4Zz6nFSVPQm3dk6zFVihUIo0UigYq8r3FXWtSQ566MJvLCpfPyy3VZjtmU6T5WKluRHl +dBg==
X-Gm-Message-State: AHQUAuZSTTUNTicUwvNrMQuL5fjj6gX+zGcSrf9CSDeAdyN54aqK9Vau efgkGh7sj1wjie8O0P7zobK7w1rZg6k=
X-Google-Smtp-Source: AHgI3IZZgnp+67hnNjKF/iMKPQMkcLpl+P8R/HF7KfrCxBlI+oP1ACmv3SGM4GYnnXZZfRP4eJaFcg==
X-Received: by 2002:a63:100c:: with SMTP id f12mr4810335pgl.324.1549995262198; Tue, 12 Feb 2019 10:14:22 -0800 (PST)
Received: from [10.96.20.91] (35-2.lax.icann.org. [192.0.35.2]) by smtp.gmail.com with ESMTPSA id g20sm25207562pfg.85.2019.02.12.10.14.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 10:14:20 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_9C9FDF3F-BDD5-4662-A400-D399904DF235"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
Date: Tue, 12 Feb 2019 10:14:19 -0800
Cc: dnsop <dnsop@ietf.org>
X-Mailbutler-Message-Id: 03D8870B-6E7A-48D8-987D-1473CCFE2B08
Message-Id: <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ukGjvyq1jTOYK4m6_vsnL6BHbk8>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 18:14:25 -0000

Paul,

On Feb 12, 2019, at 8:32 AM, Paul Vixie <paul@redbarn.org>; wrote:
> DoH is _dangerous_ because it's my network and i require all visitors, family members, employees, and apps to use the control plane i have constructed, which includes DNS surveillance and control.

Why don’t you force folks on your network to install a certificate that would allow you to inspect TCP/443 outbound traffic?  How can you be sure folks on your network aren’t already tunneling their evil deeds through HTTPS?

Thanks,
-drc