Re: [Doh] Servers offering responses for domains they are not responsible for

Mark Nottingham <mnot@mnot.net> Mon, 06 November 2017 00:16 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <16B93F04-FE24-4C61-94F3-87EF7707F10E@vpnc.org>
Date: Mon, 06 Nov 2017 11:15:56 +1100
Cc: doh@ietf.org
Message-Id: <E304CB00-95E6-4868-B3C4-FDF4049F6492@mnot.net>
References: <16B93F04-FE24-4C61-94F3-87EF7707F10E@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/8dlz0rgPSdP5ugq2UDDUwws60kk>
Subject: Re: [Doh] Servers offering responses for domains they are not responsible for

I'd think the remedy here would be RFC7871 (EDNS client subnet) support.

Cheers,


> On 6 Nov 2017, at 2:47 am, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> On 5 Nov 2017, at 0:30, Eliot Lear wrote:
> 
>>  * When an HTTP server offers this service for domains it is not
>>    responsible for, it has the potential to impact DNS-based load
>>    balancing by masking the IP address of the sender and substituting
>>    its own.  The remedy here is that any service offering DoH should
>>    be sufficiently distributed as to minimize such an impact.

--
Mark Nottingham   https://www.mnot.net/
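The RFC 7871 remedy suggested above, as an added illustration that is not part of the original message: a DoH front end answering for zones it is not authoritative for attaches an EDNS Client Subnet option carrying a truncated client prefix, so the upstream resolver can still make a location-aware (load-balancing) answer without receiving the full client address. The /24 and /56 defaults follow the privacy recommendation in RFC 7871 Section 11.1; the sample addresses are constructed.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8               # EDNS0 option code for CLIENT-SUBNET (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # IANA address family numbers used in the option


def build_ecs_option(client_ip, prefix_len=None):
    """Return the wire-format EDNS0 option (code, length, data) for client_ip.

    The address is truncated to prefix_len bits (default /24 for IPv4, /56 for
    IPv6), host bits are zeroed, and SCOPE PREFIX-LENGTH is 0 as in any query.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        family, full_bits, default_prefix = FAMILY_IPV4, 32, 24
    else:
        family, full_bits, default_prefix = FAMILY_IPV6, 128, 56
    if prefix_len is None:
        prefix_len = default_prefix
    if not 0 <= prefix_len <= full_bits:
        raise ValueError("prefix length out of range for address family")
    # Zero bits beyond the prefix, then keep only the octets the prefix needs.
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    addr_bytes = net.network_address.packed[: (prefix_len + 7) // 8]
    data = struct.pack("!HBB", family, prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(option):
    """Decode an ECS option; rejects malformed length fields (inverse of build)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr = option[8:]
    if len(addr) != (source + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    total = 4 if family == FAMILY_IPV4 else 16
    ip = ipaddress.ip_address(addr + b"\x00" * (total - len(addr)))
    return {"family": family, "source": source, "scope": scope,
            "prefix": f"{ip}/{source}"}


if __name__ == "__main__":
    # Constructed sample clients; the resolver sees only the truncated prefixes.
    for client in ("192.0.2.77", "2001:db8:abcd:1234::1"):
        opt = build_ecs_option(client)
        print(client, "->", opt.hex(), parse_ecs_option(opt)["prefix"])
```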