Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Henderson, Karl
As we discussed during the interim dprive meeting held last December, we need more empirical studies looking at performance as well as attack vectors. I’m aware of Sinodun’s efforts in this area but are there others that address performance and attack vectors specifically for both DoT and DoH

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Tony Finch
Bjørn Mork wrote: > > My understanding of the reference to BCP195 from > https://tools.ietf.org/html/rfc7858#section-3.2 > is that SNI support is required for all DoT implementations. > > It's simple to do with haproxy at least: >

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Bjørn Mork
Vladimír Čunát writes: > You can still multiplex based on SNI sent by the client.  HTTPS clients > surely send it commonly.  DoT clients perhaps not so often, but that's > just an implementation detail (which I was fixing in the past few weeks > in knot-resolver, incidentally). My understanding

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Vladimír Čunát
On 2/14/19 9:05 AM, Stephane Bortzmeyer wrote: >> Technically you can run DoT on whatever port you like. >> >> Example: with knot-resolver it's easy - you just add @443, either on >> the side of the server and/or on the side of forwarding over TLS. > The problem is that you cannot then share this port
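The SNI demultiplexing that the last few messages discuss (one port, DoT and HTTPS behind it, routing on the server name in the ClientHello), as an added example in Go's standard library. This is my code, not anything posted in the thread and not knot-resolver's or haproxy's configuration; the host names dns.example and www.example, the backend labels, the throwaway self-signed certificates and the in-memory pipe are assumptions made for the demonstration. A real front end would hand the connection to a DoT or DoH backend where the label is chosen.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Backend labels for the two services sharing the port (assumed names).
const (
	BackendDoT = "dot" // DNS over TLS, RFC 7858 framing
	BackendDoH = "doh" // HTTPS; also the default when SNI gives nothing to route on
)

// sniRoutes maps the server name a client asks for to a backend (assumed names).
var sniRoutes = map[string]string{
	"dns.example": BackendDoT,
	"www.example": BackendDoH,
}

// RouteBySNI picks the backend from the ClientHello server name. A client
// that sends no SNI, or an unknown one, lands on the default: at this point
// the front end has nothing else to tell a DoT client from an HTTPS client.
func RouteBySNI(serverName string) string {
	if b, ok := sniRoutes[serverName]; ok {
		return b
	}
	return BackendDoH
}

// selfSigned builds a throwaway certificate for one name (demo material only).
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs one in-memory TLS handshake against the demuxing front end
// and reports which backend the server side selected for that client.
func Handshake(sni string) (string, error) {
	certs := map[string]tls.Certificate{}
	pool := x509.NewCertPool()
	for name, backend := range sniRoutes {
		c, err := selfSigned(name)
		if err != nil {
			return "", err
		}
		certs[backend] = c
		pool.AddCert(c.Leaf)
	}
	chosen := ""
	srvCfg := &tls.Config{
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keep the handshake to one round trip on the pipe
		// The ClientHello is the only information the front end has when it decides.
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			chosen = RouteBySNI(h.ServerName)
			c := certs[chosen]
			return &c, nil
		},
	}
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: sni, RootCAs: pool}
	if sni == "" {
		// An opportunistic DoT client that omits SNI cannot authenticate the
		// server either way; Go insists on InsecureSkipVerify for that case.
		cliCfg.InsecureSkipVerify = true
	}
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	cConn.SetDeadline(time.Now().Add(5 * time.Second))
	sConn.SetDeadline(time.Now().Add(5 * time.Second))
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(sConn, srvCfg).Handshake() }()
	cliErr := tls.Client(cConn, cliCfg).Handshake()
	if err := <-errc; err != nil {
		return "", err
	}
	if cliErr != nil {
		return "", cliErr
	}
	return chosen, nil
}

func main() {
	for _, sni := range []string{"dns.example", "www.example", ""} {
		b, err := Handshake(sni)
		fmt.Printf("SNI %q -> backend %q (err=%v)\n", sni, b, err)
	}
}
```

The three handshakes print the backend chosen for each server name. The empty-SNI run is the caveat raised above: with nothing to route on, a DoT client that omits SNI gets whatever default the shared port has, which is why SNI in DoT clients matters as soon as port 443 is shared with HTTPS.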

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Jim Reid
> On 14 Feb 2019, at 08:58, zuop...@cnnic.cn wrote: > > the premise is the recursive server should completely trust an Authenticated > server You’ve already made that clear. The problem with that premise is it’s a false one. It represents a naive/unrealistic view of how the DNS is used.

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Stephane Bortzmeyer
On Thu, Feb 14, 2019 at 04:58:38PM +0800, zuop...@cnnic.cn wrote a message of 126 lines which said: > if a DNSSEC_enabled authoritative server (no matter it is Alice or > Bob) is evil and modifies DNS records, it will succeed because it > has the private key It is completely false. (You seem to

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Stephane Bortzmeyer
On Thu, Feb 14, 2019 at 04:31:35PM +0800, zuop...@cnnic.cn wrote a message of 74 lines which said: > > for instance a DoH or DoT server that intentionally or > > accidentally returns false data. DNSSEC can counter that. > > I don't understand why. > If a server intentionally returns false

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Stephane Bortzmeyer
On Thu, Feb 14, 2019 at 04:11:20PM +0800, zuop...@cnnic.cn wrote a message of 102 lines which said: > No. I might not have explained it clearly. It was clear but you repeat the same stuff, without taking into account the remarks (or the existing documents, such as

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread zuop...@cnnic.cn
Re: [DNSOP] extension of DoH to authoritative servers On Thu, Feb 14, 2019 at 02:36:14PM +0800, zuop...@cnnic.cn wrote a message of 86 lines which said: > i think both DNSSEC and DoH(or DoT) can protect DNS data, "Protect" is like "security", a word so vague, which includes

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Stephane Bortzmeyer
On Thu, Feb 14, 2019 at 02:36:14PM +0800, zuop...@cnnic.cn wrote a message of 86 lines which said: > i think both DNSSEC and DoH(or DoT) can protect DNS data, "Protect" is like "security", a word so vague, which includes so many different (and sometimes contradictory) services that it is

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread zuop...@cnnic.cn
> for instance a DoH or DoT server that intentionally or accidentally returns > false data. DNSSEC can counter that. I don't understand why. If a server intentionally returns false data, it can fake anything because it owns the private key, DNSSEC does not help either. > Indeed. That’s

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-14 Thread Stephane Bortzmeyer
On Wed, Feb 13, 2019 at 10:51:00PM +0100, Vladimír Čunát wrote a message of 118 lines which said: > Technically you can run DoT on whatever port you like. > Example: with knot-resolver it's easy - you just add @443, either on > the side of the server and/or on the side of forwarding over TLS. The

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Jim Reid
On 14 Feb 2019, at 06:36, zuop...@cnnic.cn wrote: > > i think both DNSSEC and DoH(or DoT) can protect DNS data It depends on your definition of “protect”. For some threats/attacks, DoH or DoT by themselves can’t protect DNS data - for instance a DoH or DoT server that intentionally or

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Paul Wouters
On Thu, 14 Feb 2019, zuop...@cnnic.cn wrote: This idea is just a sketch model and provides another option for DNS security and privacy. Transiting trust is hard but may be accomplished in the future. The deployment of DNSSEC also takes a long time and is still in progress. No. It simply

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread zuop...@cnnic.cn
nnic.cn CC: dnsop; Paul Wouters Subject: Re: [DNSOP] extension of DoH to authoritative servers On Wed, Feb 13, 2019 at 02:03:26PM +0800, zuop...@cnnic.cn wrote a message of 103 lines which said: > that's true. but in my view, if the trust chain is built, we can > ensure a resolver(or a

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Vladimír Čunát
On 2/13/19 10:45 PM, Henderson, Karl wrote: > > Couldn’t DoT also run over port 443 just like DoH, similar to what’s > been proposed in this > draft?: https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/ > Technically you can run DoT on whatever port you like. I believe the port

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Henderson, Karl
Couldn’t DoT also run over port 443 just like DoH, similar to what’s been proposed in this draft?: https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/ ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread David Conrad
On Feb 12, 2019, at 10:03 PM, zuop...@cnnic.cn wrote: > that's true. but in my view, if the trust chain is built, we can ensure a > resolver(or a cache) is always talking to an identified server and the channel > is always secure, then the content could not be tampered. Your model of how the DNS

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 03:32:37PM -0800, Paul Vixie wrote a message of 75 lines which said: > by putting that text in and leaving it in, this becomes a political > project not a technical one. Everything we do is political, the Internet itself is a political project. Thinking that

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 02:45:54PM -0800, Paul Vixie wrote a message of 21 lines which said: > i remember a time when the IAB would have said "no" to an internet > standard which mandated deliberate loss of control by network > operators. Given the many attacks against network neutrality,

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 02:18:39PM -0800, Paul Vixie wrote a message of 20 lines which said: > > Right.   So what’s to stop other malicious traffic from doing the > > same thing? > > lack of an IETF-approved standard with planned implementation by a > half dozen tech giants, means that other

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 01:48:36PM -0800, Paul Vixie wrote a message of 46 lines which said: > increased for political reasons. There is nothing wrong with political reasons. Mass surveillance is a political problem (privacy). DNS lies by ISPs is a political problem (network neutrality). It

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 10:34:19AM -0800, Paul Vixie wrote a message of 15 lines which said: > > How can you be sure folks on your network aren’t already tunneling > > their evil deeds through HTTPS? > > netflow. such traffic _looks_ abnormal. > > the deliberate design premise of DoH is

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 10:14:19AM -0800, David Conrad wrote a message of 100 lines which said: > Why don’t you force folks on your network to install a certificate > that would allow you to inspect TCP/443 outbound traffic? There are probably many connected things where this is not

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Stephane Bortzmeyer
On Wed, Feb 13, 2019 at 02:03:26PM +0800, zuop...@cnnic.cn wrote a message of 103 lines which said: > that's true. but in my view, if the trust chain is built, we can > ensure a resolver(or a cache) is always talking to an identified > server and the channel is always secure, then the content

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Stephane Bortzmeyer
On Wed, Feb 13, 2019 at 02:08:19PM +0800, zuop...@cnnic.cn wrote a message of 58 lines which said: > i prefer DoH because it can identify a server we are talking to and the > content is encrypted. To learn about DoT, I suggest you read RFC 7858.

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Vladimír Čunát
On 2/13/19 7:08 AM, zuop...@cnnic.cn wrote: > i prefer DoH because it can identify a server we are talking to and > the content is encrypted. These two points are the same with DoT. (encryption and SNI)

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Vittorio Bertola
> On 12 February 2019 at 22:00 Ted Lemon wrote: > > What I am trying to point out is that the situation with DoH is a symptom of > the problem you are not talking about, not the only instance of it. > You seem to be asserting that DoH is special among all other misuses of port > 443.

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-13 Thread Benno Overeinder
On 12/02/2019 09:34, Stephane Bortzmeyer wrote: > On Tue, Feb 12, 2019 at 03:56:04PM +0800, > zuop...@cnnic.cn wrote > a message of 546 lines which said: > >> DNSSEC is not necessary anymore > > This is clearly false. DoH provides _channel security_ DNSSEC provides > _content security_ (or

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread zuop...@cnnic.cn
i prefer DoH because it can identify a server we are talking to and the content is encrypted. zuop...@cnnic.cn From: Stephane Bortzmeyer Date: 2019-02-12 16:39 To: zuop...@cnnic.cn CC: dnsop Subject: Re: extension of DoH to authoritative servers On Tue, Feb 12, 2019 at 03:56:04PM +0800,

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread zuop...@cnnic.cn
CC: dnsop Subject: Re: [DNSOP] extension of DoH to authoritative servers On Tue, 12 Feb 2019, zuop...@cnnic.cn wrote: >In this way, the whole DNS is built on HTTPS which makes DNS more secure. > DNSSEC is not necessary anymore and many other >

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Vixie
David Conrad wrote on 2019-02-12 15:10: You missed my point. The IETF declared NATs heretical and as a result, a zillion people did it in a zillion different ways, creating a huge mess. i remember this. and i agree. had IAB said "this specification is inadequate, let's get firewall

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread David Conrad
On Feb 12, 2019, at 3:03 PM, Paul Vixie wrote: > David Conrad wrote on 2019-02-12 14:58: >>> lack of an IETF-approved standard with planned implementation by a half >>> dozen tech giants, >> And that worked so well with NAT. > network operators had a choice whether to deploy NAT. You missed my

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Vixie
David Conrad wrote on 2019-02-12 14:58: lack of an IETF-approved standard with planned implementation by a half dozen tech giants, And that worked so well with NAT. network operators had a choice whether to deploy NAT. i'd like the same level of freedom when it comes to how DNS is

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread David Conrad
On Feb 12, 2019, at 2:18 PM, Paul Vixie wrote: > Ted Lemon wrote on 2019-02-12 14:08: >> On Feb 12, 2019, at 1:48 PM, Paul Vixie wrote: >>> DoH _specifically_ evades this, by looking as much as possible like

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Vixie
Ted Lemon wrote on 2019-02-12 14:20: ... So you’re saying that DoH traffic that’s not going to well-known IP addresses is easier to detect than DoH traffic going to well-known IP addresses? yes, that's what i've been trying to say. if CF only publishes DoH content on 1.0.0.0/23, then i

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Ted Lemon
On Feb 12, 2019, at 2:18 PM, Paul Vixie wrote: > lack of an IETF-approved standard with planned implementation by a half dozen > tech giants, means that other malicious traffic will not be able to hide in > the crowd, and can be made subject to policy, and complaints. So you’re saying that DoH

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Vixie
Ted Lemon wrote on 2019-02-12 14:08: On Feb 12, 2019, at 1:48 PM, Paul Vixie wrote: DoH _specifically_ evades this, by looking as much as possible like other traffic to IP addresses shared by a lot of existing traffic. Right. So what’s to stop other malicious

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Ted Lemon
On Feb 12, 2019, at 1:48 PM, Paul Vixie wrote: > DoH _specifically_ evades this, by looking as much as possible like other > traffic to IP addresses shared by a lot of existing traffic. Right. So what’s to stop other malicious traffic from doing the same thing? IOW, you seem to want DoH to

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Patrik Fältström
On 12 Feb 2019, at 21:48, Paul Vixie wrote: > whether the situation turns out to be temporary or not is important to your > final argument. probably you shouldn't go there so soon. spammers also > believe that network operators should not be able to control their own > networks, and malware

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Vixie
Ted Lemon wrote on 2019-02-12 12:07: On Feb 12, 2019, at 11:04 AM, Paul Vixie wrote: actually, there are other choices. I may have failed to communicate. What I mean is that you said that you can detect all nefarious traffic, but you can’t detect DoH, which to

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Ted Lemon
On Feb 12, 2019, at 11:04 AM, Paul Vixie wrote: > actually, there are other choices. I may have failed to communicate. What I mean is that you said that you can detect all nefarious traffic, but you can’t detect DoH, which to you is nefarious. What I’m saying is that there’s no such

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 08:32:28AM -0800, Paul Vixie wrote a message of 39 lines which said: > i require all visitors, family members, employees, and apps to use > the control plane i have constructed, which includes DNS > surveillance and control. Reminds me of a sentence which is awfully

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Vixie
Ted Lemon wrote on 2019-02-12 10:44: On Feb 12, 2019, at 10:34 AM, Paul Vixie wrote: netflow. such traffic _looks_ abnormal. the deliberate design premise of DoH is that it look normal. It’s either one or the other. actually, there are other choices. -- P Vixie

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Ted Lemon
On Feb 12, 2019, at 10:34 AM, Paul Vixie wrote: > netflow. such traffic _looks_ abnormal. > > the deliberate design premise of DoH is that it look normal. It’s either one or the other. DoH is such traffic. If it looks abnormal, you can do something about it. If it doesn’t, you can’t.

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Vixie
David Conrad wrote on 2019-02-12 10:14: Paul, On Feb 12, 2019, at 8:32 AM, Paul Vixie wrote: DoH is _dangerous_ because it's my network and i require all visitors, family members, employees, and apps to use the control plane i have constructed, which includes DNS

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread David Conrad
Paul, On Feb 12, 2019, at 8:32 AM, Paul Vixie wrote: > DoH is _dangerous_ because it's my network and i require all visitors, family > members, employees, and apps to use the control plane i have constructed, > which includes DNS surveillance and control. Why don’t you force folks on your

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Joe Abley
On 12 Feb 2019, at 12:22, Paul Wouters wrote: > On Tue, 12 Feb 2019, Paul Vixie wrote: > >> this is especially vital for IoT, whose makers will never be profitable >> other than from data they collect. > > I hope those makers will be unprofitable and close shop. > > IoT devices should be

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Wouters
On Tue, 12 Feb 2019, Paul Vixie wrote: this is especially vital for IoT, whose makers will never be profitable other than from data they collect. I hope those makers will be unprofitable and close shop. IoT devices should be designed to be accessed through secure VPN or TLS connections,

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Vixie
Stephane Bortzmeyer wrote on 2019-02-12 00:39: On Tue, Feb 12, 2019 at 03:56:04PM +0800, zuop...@cnnic.cn wrote a message of 546 lines which said: I am considering extending the DoH protocol to authoritative servers. Why DoH and not DoT? ... well, yes, but... DoH is useful

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 09:07:43AM -0500, Paul Wouters wrote a message of 23 lines which said: > This idea is similar to DNScurve. The problem is that channel > security does not help when you have an infrastructure of DNS > caches, Or when secondary name servers are not under the same

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Paul Wouters
On Tue, 12 Feb 2019, zuop...@cnnic.cn wrote: In this way, the whole DNS is built on HTTPS which makes DNS more secure. DNSSEC is not necessary anymore and many other problems like fragmentation also will not exist. This idea is similar to DNScurve.

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Jeremy Rand
Stephane Bortzmeyer: > On Tue, Feb 12, 2019 at 03:56:04PM +0800, > zuop...@cnnic.cn wrote > a message of 546 lines which said: > >> I am considering extending the DoH protocol to authoritative >> servers. > > Why DoH and not DoT? DoH is useful because 1) port 853 may be blocked > at the edge

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 03:56:04PM +0800, zuop...@cnnic.cn wrote a message of 546 lines which said: > the child zone publishes a TLSA record instead of a DS record in the > parent zone [RFC 6698 may need update]. The TLSA record contains the > certificate that identifies the child zone. The

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 03:56:04PM +0800, zuop...@cnnic.cn wrote a message of 546 lines which said: > I am considering extending the DoH protocol to authoritative > servers. Why DoH and not DoT? DoH is useful because 1) port 853 may be blocked at the edge of the network 2) applications

Re: [DNSOP] extension of DoH to authoritative servers

2019-02-12 Thread Stephane Bortzmeyer
On Tue, Feb 12, 2019 at 03:56:04PM +0800, zuop...@cnnic.cn wrote a message of 546 lines which said: > DNSSEC is not necessary anymore This is clearly false. DoH provides _channel security_ DNSSEC provides _content security_ (or object security). This is a very important difference in
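The channel-security versus content-security distinction in this message, together with the earlier point that channel security does not help once caches and secondaries run by other operators sit between the stub and the zone, as an added example in Go. This is my code, not anything from the thread: it models the DNSSEC chain of trust with Ed25519 and SHA-256 over simplified records rather than the RFC 4034/4035 wire format, and the zone names and addresses are made up. The validator walks DS, DNSKEY and the data RRset from a configured trust anchor, so a cache or secondary that only holds the signed records cannot alter them, and an attacker who substitutes their own key fails at the DS step, however well the transport was protected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified DNS RRset: owner name, type and rdata strings.
// This models DNSSEC object security; it is not the RFC 4034 wire format.
type RRset struct {
	Owner string
	Type  string
	Rdata []string
}

// canonical serialises an RRset deterministically (lower-cased owner, sorted
// rdata) so the signature does not depend on the order a cache returns records in.
func (r RRset) canonical() []byte {
	rd := append([]string(nil), r.Rdata...)
	sort.Strings(rd)
	return []byte(strings.ToLower(r.Owner) + "\x00" + r.Type + "\x00" + strings.Join(rd, "\x00"))
}

// Signed is an RRset with its RRSIG-like signature attached.
type Signed struct {
	RRset
	Sig []byte
}

// Signer holds a zone's private key. Only the zone's signing system has it;
// the servers that publish the zone (including secondaries run by a different
// operator) only ever hold the public key and the already-signed records.
type Signer struct {
	Zone string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(zone string) *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{Zone: zone, Pub: pub, priv: priv}
}

// Sign produces the signature that travels with the RRset.
func (s *Signer) Sign(r RRset) Signed {
	return Signed{RRset: r, Sig: ed25519.Sign(s.priv, r.canonical())}
}

// DNSKEY publishes the zone's public key, signed by the zone itself.
func (s *Signer) DNSKEY() Signed {
	return s.Sign(RRset{Owner: s.Zone, Type: "DNSKEY", Rdata: []string{hex.EncodeToString(s.Pub)}})
}

// DS is the parent's statement about the child's key: a digest of the child's
// DNSKEY rdata, signed with the parent's key. It links the anchor to the child.
func (p *Signer) DS(childKey Signed) Signed {
	sum := sha256.Sum256([]byte(childKey.Rdata[0]))
	return p.Sign(RRset{Owner: childKey.Owner, Type: "DS", Rdata: []string{hex.EncodeToString(sum[:])}})
}

// Validate is the resolver side: from a configured trust anchor (the parent's
// public key) it checks DS -> DNSKEY -> data. It does not care whether the
// records arrived over UDP, DoT, DoH or from a forwarder's cache.
func Validate(anchor ed25519.PublicKey, ds, dnskey, data Signed) error {
	if ds.Type != "DS" || !ed25519.Verify(anchor, ds.canonical(), ds.Sig) {
		return errors.New("DS RRset is not signed by the trust anchor")
	}
	if dnskey.Type != "DNSKEY" || dnskey.Owner != ds.Owner {
		return errors.New("DNSKEY owner does not match DS owner")
	}
	sum := sha256.Sum256([]byte(dnskey.Rdata[0]))
	if hex.EncodeToString(sum[:]) != ds.Rdata[0] {
		return errors.New("DNSKEY digest does not match DS: key substitution")
	}
	childPub, err := hex.DecodeString(dnskey.Rdata[0])
	if err != nil || len(childPub) != ed25519.PublicKeySize {
		return errors.New("malformed DNSKEY rdata")
	}
	if !ed25519.Verify(childPub, dnskey.canonical(), dnskey.Sig) {
		return errors.New("DNSKEY self-signature is invalid")
	}
	inZone := strings.HasSuffix(strings.ToLower(data.Owner), strings.ToLower(dnskey.Owner))
	if !inZone || !ed25519.Verify(childPub, data.canonical(), data.Sig) {
		return errors.New("data RRset not validly signed by the zone key: altered in transit or by a cache")
	}
	return nil
}

// Scenarios builds a parent/child pair and returns the validation outcome for
// the honest path, for a cache that rewrites the A record behind an intact TLS
// channel, and for an attacker who signs a forged answer with their own key.
func Scenarios() (honest, rewrittenByCache, keySubstitution error) {
	parent := NewSigner("example.")      // made-up parent zone; its key is the trust anchor
	child := NewSigner("zone.example.")  // made-up child zone
	childKey := child.DNSKEY()
	ds := parent.DS(childKey)
	a := child.Sign(RRset{Owner: "www.zone.example.", Type: "A", Rdata: []string{"192.0.2.10"}})
	honest = Validate(parent.Pub, ds, childKey, a)

	// A cache or secondary holds only signed records, not the private key, so
	// it cannot produce a signature for a different address.
	rewritten := a
	rewritten.Rdata = []string{"198.51.100.66"}
	rewrittenByCache = Validate(parent.Pub, ds, childKey, rewritten)

	// An attacker presents their own DNSKEY and a self-consistent signed
	// answer; the DS the parent published does not match their key.
	evil := NewSigner("zone.example.")
	evilA := evil.Sign(RRset{Owner: "www.zone.example.", Type: "A", Rdata: []string{"198.51.100.66"}})
	keySubstitution = Validate(parent.Pub, ds, evil.DNSKEY(), evilA)
	return honest, rewrittenByCache, keySubstitution
}

func main() {
	h, c, k := Scenarios()
	fmt.Println("honest path:", h, "| rewritten by cache:", c, "| key substitution:", k)
}
```

The honest path validates and the other two fail, and none of the three outcomes depends on the transport: a TLS channel to a cache tells the stub who the cache is, while the signature tells it whether the data is what the zone published.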