sorry, because of my english level, i misused the word "protect". i know the difference between channel security and object security. but in my proposal, the premise is the recursive server should completely trust an authenticated server. i think this is similar in DNSSEC, because if a DNSSEC-enabled authoritative server (no matter if it is Alice or Bob) is evil and modifies DNS records, it will succeed because it has the private key and can fake anything.
zuop...@cnnic.cn

From: Stephane Bortzmeyer
Date: 2019-02-14 16:33
To: zuop...@cnnic.cn
CC: dnsop; Paul Wouters
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Thu, Feb 14, 2019 at 02:36:14PM +0800, zuop...@cnnic.cn <zuop...@cnnic.cn> wrote a message of 86 lines which said:

> i think both DNSSEC and DoH(or DoT) can protect DNS data,

"Protect" is like "security", a word so vague, which includes so many different (and sometimes contradictory) services that it is not very useful. Writing "both DNSSEC and DoH(or DoT) can protect DNS data" seems to imply that you did not think enough about the difference between channel security and object security. This is really the weakest point in your argumentation. (Yes, djb always makes the same mistake, but he is a famous cryptographer so people forget and forgive his mistakes.)

> the fundamental point is to establish the trust chain and transit
> trust.

No. The entire point of DNSSEC is that you do not need to trust the many servers that are between the validator and the origin.

> Regarding the case "secondary name servers managed by a different
> organisation", the servers can publish several TLSAs to distinguish
> them.

I'm afraid you did not understand. Let me explain with concrete examples. Suppose organisation Alice subcontracts a secondary name server to organisation Bob (a very common use case).

1) What if Bob is evil and modifies DNS records?

2) What if Bob is sloppy in security and its servers are cracked and the attacker modifies DNS records?

DNSSEC protects against both. DoT and DoH do not protect against these issues.

> This idea is just a sketch model

The problem is that there are many sketch models floating around and few serious proposals (and even less implemented and analyzed proposals).

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
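The Alice/Bob case from the message above, as an added example that is not from either poster or from any real DNS implementation. It reduces DNSSEC to "the origin signs the RRset and the validator checks that signature" (Ed25519 over a canonical encoding, standing in for RRSIG/DNSKEY) and reduces DoT/DoH to a per-hop transport MAC computed by whichever server terminates the channel. The zone key, session key, names and addresses are all constructed for the example. It shows why a channel check passes Bob's modified data while an object check does not:

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified DNS resource record set: owner name, type and rdata.
type RRset struct {
	Name  string
	Type  string
	RData []string
}

// Canonical returns a deterministic encoding of the RRset so the signature
// covers the data itself (object security), independent of who transports it.
func (r RRset) Canonical() []byte {
	rd := append([]string(nil), r.RData...)
	sort.Strings(rd) // RRset order is not significant on the wire
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(rd, ","))
}

// SignRRset is the origin's (Alice's) step: the signature travels with the data.
func SignRRset(priv ed25519.PrivateKey, r RRset) []byte {
	return ed25519.Sign(priv, r.Canonical())
}

// VerifyRRset is the validator's step; it needs only Alice's public key.
func VerifyRRset(pub ed25519.PublicKey, r RRset, sig []byte) bool {
	return ed25519.Verify(pub, r.Canonical(), sig)
}

// ChannelTag stands in for transport security (DoT/DoH): it binds the bytes to
// the hop between the sending server and the resolver, nothing more.
func ChannelTag(sessionKey, payload []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(payload)
	return m.Sum(nil)
}

// ChannelOK is the resolver's check of the transport tag.
func ChannelOK(sessionKey, payload, tag []byte) bool {
	return hmac.Equal(ChannelTag(sessionKey, payload), tag)
}

// Scenario runs the thread's example: Alice signs, Bob (the secondary) serves,
// and optionally Bob alters the record. It returns
// (channel check accepts, signature check accepts).
func Scenario(tamper bool) (bool, bool) {
	// Alice's zone key, generated fresh for this example.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rr := RRset{Name: "www.example.", Type: "A", RData: []string{"192.0.2.1"}}
	sig := SignRRset(priv, rr)

	// Bob receives the signed data by zone transfer. Evil or cracked, he edits it.
	served := rr
	if tamper {
		served = RRset{Name: rr.Name, Type: rr.Type, RData: []string{"198.51.100.99"}}
	}

	// Bob terminates the secure channel to the resolver, so the tag he computes
	// over whatever he chooses to send is always valid at the resolver.
	sessionKey := []byte("constructed-session-key-for-example")
	tag := ChannelTag(sessionKey, served.Canonical())
	channelAccepts := ChannelOK(sessionKey, served.Canonical(), tag)

	// The validator checks Alice's signature over the object and never has to
	// trust Bob; the signature Bob forwards does not match the altered data.
	signatureAccepts := VerifyRRset(pub, served, sig)
	return channelAccepts, signatureAccepts
}

func main() {
	for _, t := range []bool{false, true} {
		c, s := Scenario(t)
		fmt.Printf("bob tampers=%v  channel accepts=%v  signature verifies=%v\n", t, c, s)
	}
}
```

The only thing the transport tag proves is that the bytes came unchanged from the server at the other end of that one hop; when that server is Bob, his modification is inside the protected channel, which is exactly the "you must trust every server in between" situation the message says DNSSEC exists to remove.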