On 12/02/2019 09:34, Stephane Bortzmeyer wrote:
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
> zuop...@cnnic.cn wrote
> a message of 546 lines which said:
>
>> DNSSEC is not necessary anymore
>
> This is clearly false. DoH provides _channel security_, DNSSEC provides
> _content security_ (or ob
> Il 12 febbraio 2019 alle 22.00 Ted Lemon ha scritto:
>
> What I am trying to point out is that the situation with DoH is a symptom of
> the problem you are not talking about, not the only instance of it.
> You seem to be asserting that DoH is special among all other misuses of port
> 443.
On 2/13/19 7:08 AM, zuop...@cnnic.cn wrote:
> i prefer DoH because it can identify a server we are talking to and
> the content is encrypted.
These two points are the same with DoT. (encryption and SNI)
___
DNSOP mailing list
DNSOP@ietf.org
https://ww
On Wed, Feb 13, 2019 at 02:08:19PM +0800,
zuop...@cnnic.cn wrote
a message of 58 lines which said:
> i prefer DoH because it can identify a server we are talking to and the
> content is encrypted.
To learn about DoT, I suggest you read RFC 7858.
On Wed, Feb 13, 2019 at 02:03:26PM +0800,
zuop...@cnnic.cn wrote
a message of 103 lines which said:
> that's true. but in my view, if the trust chain is built, we can
> ensure a resolver(or a cache) is always talking to an identified
> server and the channel is always secure, then the content c
On Tue, Feb 12, 2019 at 10:14:19AM -0800,
David Conrad wrote
a message of 100 lines which said:
> Why don’t you force folks on your network to install a certificate
> that would allow you to inspect TCP/443 outbound traffic?
There are probably many connected things where this is not
possible.
On Tue, Feb 12, 2019 at 10:34:19AM -0800,
Paul Vixie wrote
a message of 15 lines which said:
> > How can you be sure folks on your network aren’t already tunneling
> > their evil deeds through HTTPS?
>
> netflow. such traffic _looks_ abnormal.
>
> the deliberate design premise of DoH is that
On Tue, Feb 12, 2019 at 01:48:36PM -0800,
Paul Vixie wrote
a message of 46 lines which said:
> increased for political reasons.
There is nothing wrong with political reasons. Mass surveillance is a
political problem (privacy). DNS lies by ISPs is a political problem
(network neutrality). It i
On Tue, Feb 12, 2019 at 02:18:39PM -0800,
Paul Vixie wrote
a message of 20 lines which said:
> > Right. So what’s to stop other malicious traffic from doing the
> > same thing?
>
> lack of an IETF-approved standard with planned implementation by a
> half dozen tech giants, means that other
On Tue, Feb 12, 2019 at 02:45:54PM -0800,
Paul Vixie wrote
a message of 21 lines which said:
> i remember a time when the IAB would have said "no" to an internet
> standard which mandated deliberate loss of control by network
> operators.
Given the many attacks against network neutrality, it
On Tue, Feb 12, 2019 at 03:32:37PM -0800,
Paul Vixie wrote
a message of 75 lines which said:
> by putting that text in and leaving it in, this becomes a political
> project not a technical one.
Everything we do is political, the Internet itself is a political
project. Thinking that communicat
On Wed, Feb 13, 2019 at 02:26:40AM -0800,
internet-dra...@ietf.org wrote
a message of 47 lines which said:
> Title : Local Naming Protocol -- LNP (v.1.0)
> Author : Christian Schaller
> Filename: draft-schaller-dnsop-lnp-00.txt
You do not expla
On Feb 12, 2019, at 10:03 PM, zuop...@cnnic.cn wrote:
> that's true. but in my view, if the trust chain is built, we can ensure a
> resolver(or a cache) is always talking to an identified server and the channel
> is always secure, then the content could not be tampered.
Your model of how the DNS
The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document: - 'Algorithm Implementation
Requirements and Usage Guidance for DNSSEC'
as Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits final
commen
google, this is bogus as hell. my dhcp server gives you dns servers to
use. please don't make me route and answer 8.8.8.8 just to watch youtube.
[71] 2019-02-13 16:39:40.548137 [#68 vtnet0 4095] \
[24.104.150.186].56915 [8.8.8.8].53 \
dns QUERY,NOERROR,7357,rd \
1 lh3.g
Paul Vixie wrote:
> google, this is bogus as hell. my dhcp server gives you dns servers to use.
> please don't make me route and answer 8.8.8.8 just to watch youtube.
>
> > [71] 2019-02-13 16:39:40.548137 [#68 vtnet0 4095] \
> > [24.104.150.186].56915 [8.8.8.8].53 \
> > dns QUERY,
Robert Edmonds wrote on 2019-02-13 12:39:
(no, this device i've paid for, will NOT be allowed to send you any
information, other than what i personally approve, which will never include
DNS traffic. if you don't like that deal, buy it back from me and i'll find
some other video appliance that
> On Feb 13, 2019, at 4:14 PM, Paul Vixie wrote:
>
> no. they know exactly what they're doing, and it's not an accident. reporting
> it to their support team will waste their time and mine.
>
> however, i don't know yet whether they're ready to own their sh*t in public,
> or whether they'll
Couldn’t DoT also run over port 443 just like DOH -- similar to what’s been
proposed in this draft?:
https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/
On 2/13/19 10:45 PM, Henderson, Karl wrote:
>
> Couldn’t DoT also run over port 443 just like DOH -- similar to what’s
> been proposed in this
> draft?: https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/
>
Technically you can run DoT on whatever port you like. I believe the
port num
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.
Title : Message Digest for DNS Zones
Authors : Duane Wessels
Piet Barber
The only change to this document since -05 is to note that ZONEMD has been
allocated RR type code 63 by IANA following an expert review back in December.
DW
> On Feb 13, 2019, at 1:51 PM, internet-dra...@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
I've been thinking a bit about some of the issues raised in the recent DoH
discussion.
What I am wondering about, is what the goals of different parties might be.
I am also wondering whether some available standards (or additions to some
of those standards) might be helpful.
Finding particular m
This discussion (and the other DoH ones) would probably be better handled
on the DoH mailing list -- https://www.ietf.org/mailman/listinfo/doh - so
that the DoH people are involved.
The DoH WG charter specifically says: "The working group will coordinate
with the DNSOP and INTAREA working groups
f
Hello,
A new draft about root data caching is proposed, which aims to solve the
similar problem presented in RFC7706 and gives the DNS administrator one more
option.
Thanks.
Jiankang Yao
-Original Message-
From: internet-dra...@ietf.org
Sent: 2019-02-14 08:13:44 (Thursday)
To: "Jiankang Yao" ,
i think both DNSSEC and DoH(or DoT) can protect DNS data, the fundamental point
is to establish the trust chain and transit trust. Regarding the case "secondary
name servers managed by a different organisation", the servers can publish
several TLSAs to distinguish them.
This idea is just a sketch m
On Thu, 14 Feb 2019, zuop...@cnnic.cn wrote:
This idea is just a sketch model and provides another option for DNS security
and privacy. Transiting trust is hard but may be accomplished in the future.
The deployment of DNSSEC also takes a long time and is still in progress.
No. It simply wil
On 14 Feb 2019, at 06:36, zuop...@cnnic.cn wrote:
>
> i think both DNSSEC and DoH(or DoT) can protect DNS data
It depends on your definition of “protect”. For some threats/attacks, DoH or
DoT by themselves can’t protect DNS data - for instance a DoH or DoT server
that intentionally or accidenta