Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Eric Rescorla <ekr@rtfm.com> Tue, 19 March 2019 21:24 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 19 Mar 2019 14:24:04 -0700
Message-ID: <CABcZeBOPYU0ZaPG6u4CMrRz4hXqpAEPUDNHJSCTyapHBzk7sNg@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/sAJtwRUm3IbvfwHrPljlCEUd_A0>

On Tue, Mar 19, 2019 at 1:33 PM Martin Thomson <mt@lowentropy.net> wrote:

> I agree with Ted.
>
> On Wed, Mar 20, 2019, at 04:46, Ted Hardie wrote:
> > My apologies if I have misunderstood your point
> > here, but unless you also block all traffic for which you have seen no
> > resolution event, I believe that it is entirely possible to circumvent
> > the defense you describe.
>
> The problem with blocking packets that can't be traced to a resolution
> event is that you need to catch all the resolution events. DNS doesn't have
> a monopoly on address resolution - I mean, that's the whole point of this
> discussion, isn't it?
>

Even ignoring that, consider, for instance, ICE.

-Ekr


> Yes, there are a great many protocols that include a DNS query before
> every communication attempt, but not all.  If you are comfortable breaking
> or degrading all the other protocols, this is I guess an OK strategy.  I
> personally wouldn't call the thing that you get out the other end
> "Internet".  Of course, people routinely make that claim with only TCP
> ports 80 and 443 open.
>
> > browsers treated all downloaded
> > JavaScript applications as potentially malign.
>
> Nicely understated.  Spend any amount of time on this problem and the word
> "potentially" just fades away.
>
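As an added illustration (not part of the thread or anyone's posted code), here is the correlation Ted and Martin are discussing, replayed over constructed passive-DNS and flow logs: a flow is only "resolved" if an A/AAAA answer for its destination was seen first and is still within TTL. All names, addresses and timestamps are made-up sample values; the tracker shows why a destination learned out of band (an ICE candidate from SDP, an IP literal) is indistinguishable from traffic that simply evaded the visible resolver.

```python
import ipaddress

# Constructed sample data: passive DNS answers seen on the wire as
# (ts, qname, rtype, answer, ttl) and outbound flows as (ts, dst_ip).
DNS_LOG = [
    (100.0, "www.example.com", "A", "203.0.113.10", 60),
    (100.0, "www.example.com", "AAAA", "2001:db8::10", 60),
    (105.0, "cdn.example.net", "A", "198.51.100.7", 30),
]
FLOWS = [
    (101.0, "203.0.113.10"),  # preceded by an observed A answer
    (102.0, "2001:db8::10"),  # preceded by an observed AAAA answer
    (120.0, "198.51.100.9"),  # no DNS event at all, e.g. an ICE candidate learned via SDP
    (170.0, "203.0.113.10"),  # answer was seen, but its 60 s TTL expired at t=160
]


class ResolutionTracker:
    """Map destination IPs to the expiry of the latest DNS answer that named them."""

    def __init__(self):
        self.expires = {}  # ip_address -> timestamp after which the answer is stale

    def observe_answer(self, ts, rtype, answer, ttl):
        # Only address records count as a "resolution event" for a later flow.
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(answer)
            self.expires[ip] = max(self.expires.get(ip, 0.0), ts + ttl)

    def classify(self, ts, dst_ip):
        exp = self.expires.get(ipaddress.ip_address(dst_ip))
        if exp is None:
            return "unresolved"  # what the proposed policy would block
        return "resolved" if ts <= exp else "expired"


def classify_flows(dns_log, flows):
    """Replay both logs in time order (DNS first on ties); return {(ts, dst_ip): verdict}."""
    events = [(ts, 0, rec) for ts, *rec in dns_log] + [(ts, 1, rec) for ts, *rec in flows]
    tracker, verdicts = ResolutionTracker(), {}
    for ts, kind, rec in sorted(events, key=lambda e: (e[0], e[1])):
        if kind == 0:
            _qname, rtype, answer, ttl = rec
            tracker.observe_answer(ts, rtype, answer, ttl)
        else:
            verdicts[(ts, rec[0])] = tracker.classify(ts, rec[0])
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify_flows(DNS_LOG, FLOWS).items():
        print(key, verdict)
```

The 198.51.100.9 flow lands in the "unresolved" bucket alongside anything that bypassed DNS, which is the coverage gap the thread describes: the policy can only be as complete as the set of resolution events it can observe.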