Re: [Add] My principles for discovery

Daniel Migault <> Fri, 27 March 2020 00:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7B23B3A0CAA for <>; Thu, 26 Mar 2020 17:10:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VV60x22plR1w for <>; Thu, 26 Mar 2020 17:10:02 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::e2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9F9733A0CA0 for <>; Thu, 26 Mar 2020 17:10:01 -0700 (PDT)
Received: by with SMTP id 184so4381334vsu.3 for <>; Thu, 26 Mar 2020 17:10:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B1308q5WLSkGJ9mHbYJAHxbdN0mLEZ5tim1xk4I2xq8=; b=YzzOujiif7QSlzlavk1n0aPjTWsO2HVnTLNr+Zmn9ceIHRBcVtYyMgg2kMmD5XZHc4 ZL9A4GBA5J+xQm1RERGMlwItV4+Z6XxOp2QmjpxMnP/T3LFmC3/leSUJtfM5a3FcTNQs Qwo7NX9Scj3zH1/VWPCX7sf6lJ2dt8BsgGhUGaPRz7WaP2tTzA74tr39VKIcKkzlf+KG GFYVyWfI843BJxREK1LmHblO0B9zwpoLrLnpynCHkD2vIPyWCqOwJUpXRRJ+ciKmgnvo 0bPt/06/I+fpXsJiY9QpzilJ/VCSQkZ83a6J2exYH5afEmlqRqLdSNCMlIMzge37/w1d kr/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B1308q5WLSkGJ9mHbYJAHxbdN0mLEZ5tim1xk4I2xq8=; b=jCnVi1EWLzMJFvUKNi9QKJXM1pJuamvbuZXOZJqEerOWKfIqYKRhigGXRR2HTyDx7G T7hUiTEDR5AfstEe4B9yjLDA4N3oAweWlJ4X1mQAs5gso7Q47oRoqkCE4obCoO+bTy4B 5bpwNAo6qjdvtGDKjaevri+rusa760ywU2VV7q0MiEmrNIdVZALPeXLwLjs/KqRUliuC 2ilqGKkAsobI/Ise70WGZY7zHAYjkH4SZeQUJvOVPX/4HqnC+fKNUjdvqhkdeGs4DjGl tEMQbDTyykwNgRScmaAop6KAff+pYzKc2uLIUT8qsLm0HRAPD55Rr61I3o6WaOf89IIO 1cag==
X-Gm-Message-State: ANhLgQ0n3IboNOi9ZRcdaa9LNKcnTm1u0qxVat8gbcWSDz6yvUCXX99w IBXImUmAbmBfo91K8rh0GRciwPPdiTLT4oPlrDmf0Gha
X-Google-Smtp-Source: ADFU+vsZoiQ/D+KiJFEcVyCDePo4P4Jt/M/EV7GsfbBVIGf9c2pzJQWJyj5LeynodgrnZEsal6R8DXznDnzK8Qx1jRk=
X-Received: by 2002:a67:3141:: with SMTP id x62mr9152586vsx.31.1585267800388; Thu, 26 Mar 2020 17:10:00 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Daniel Migault <>
Date: Thu, 26 Mar 2020 20:09:48 -0400
Message-ID: <>
To: Martin Thomson <>
Cc: ADD Mailing list <>
Content-Type: multipart/alternative; boundary="0000000000001db7d905a1caec55"
Archived-At: <>
Subject: Re: [Add] My principles for discovery
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Mar 2020 00:10:05 -0000

On Wed, Mar 25, 2020 at 12:37 AM Martin Thomson <> wrote:

> As I raised this in the meeting, I think that it's only fair that I
> include what I think the principles should be.
> In short, I believe that any entity that you interact with should be able
> to present their views on what resolver you should use.  Client policy will
> then dictate which - if any - of those is used.  Authentication of the
> source of these opinions is likely a necessary input for the client policy
> decision.
> It is discussing client policy that has caused us to get into unproductive
> discussions.  To be clear, I regard the question of whether it is users or
> the software they choose to run that make policy decisions to be firmly
> part of this discussion.  We might variously lament the ability of software
> to properly reflect the wishes of users, but this is not the place to
> debate that.
>  <mglt>
I think I also agree. The policy should in theory be independent
from the application enforcing that policy. The problem is that a
formal definition of what such policy is likely to never be defined,
and as such a large part of it will be defined by the
application. For that reason, the policy is likely be represented
by the application itself. In other words, not everything is being
configured by the end user and we assume the application
reflects the end user policy. - this also suppose the end user
will have the choice between different applications.

That said, the policy enforced by the application may involve
some interaction of the end user during the selection process. I
also believe that some means may be provided so the application
may notify the end user of the resulting selection.

 That doesn't mean that you should expect the person serving you sausages
> at a local deli to offer an opinion on what resolver you should use.  But
> we should look to provide ways in which entities that have some relevant
> stake to make their opinion known.  As a provider of application software
> that might be interested in having its own policies, I might expect to
> receive opinions from the following places:
> * The networks that endpoints connect to.
> * DNS servers that might be involved in answering queries.
> * Other communication endpoints, such as sites or enterprise services, and
> their representatives, such as CDNs or corporate IT.
>  <mglt>
The end user may have a say in the selection process.  I agree
that interaction with the end user should be limited and that
such interaction is up to the application performing the
selection. It thus sounds to me that some election parameter
should be designed to be presented to the end user. I also do not
think we should go much further than a UTF8 string.
The scenarios I would envision is that a list of resolvers is
proposed to the end user. Another thing is that when one resolver
is chosen or changed, the end user may be notified of that
change or selection.

I am unsure I clearly get the third bullet. I understand it
includes things such as:
* some configuration parameters to perform some resolutions over
* a specific resolver a web site to advertise a preferred
* resolver.
> These next three might not depend on a protocol that we define here, but
> we can still recognize that there might be other entities involved in
> expressing opinions and - for these - even setting policy:
> * The operating system configuration.
> * Various "owners" or stakeholders for the endpoint, such as an employer
> or a government (this might not extend all the way to full control of the
> device MDM-style, but it might still be relevant to the client policy).
> * Application configuration.
I would see those entities as being able to configure/provide
information to the application that proceed to the selection.

> I don't personally see a lot of value in having entities other than those
> from the first set of three stand on soapboxes to broadcast their opinions
> about resolver choice, but there is nothing fundamentally wrong with having
> other sources of opinions.  So while the IETF could provide more protocols,
> it's not a good use of our time and resources unless we expect that the
> information would be acceptable to genuine client policies.
> When it comes to setting policy, authentication is important.  When making
> a decision about whether to use a particular resolver, depending on the
> policy you have, it might be important that you know whose opinion is
> guiding the decision.  If you want a server that doesn't store logs of
> queries for longer than a certain time, then I'm not aware of a technical
> mechanism for verifying that claim.  You likely have to rely on the
> assertions of an entity you trust.  Opinions received over the delicatessen
> counter are unlikely to carry any particular weight.
>  <mglt>
I believe the end user may decide to trust the delicateness
counter more than other ways. Think of an IETF meeting happening
nearby the deli. I am not convinced it is an easy problem to
select what the end user trust.

 It was good to see both Tommy and Dan address this question directly;
> though I'm not sure I totally agree that the right trust anchors were used,
> building in ways to authenticate an opinion makes it more likely that
> client policy will allow use of the indicated resolver.
> I think that the need to be flexible about authenticity derives largely
> from the desire to allow networks to have an opinion.  I know of no way to
> authenticate the output of DHCP or a RA, except to say that this is most
> likely the provider of the network who is speaking.  That's very weak
> authentication, so while it carries some weight, it's not a lot.
>  <mglt>
I think RFC3971 and RFC3118 are at least an attempt to provide
authentication. I am unaware of large deployment of these
mechanisms. DHCP / RA may provide  an IP address without
authentication, but this could be used as an hint to retrieved
authenticated information. If DHCP/RA is being spoofed, this may
end up in the resolver you connect NOT being the one proposed by
the ISP, but at least upon the selection you can trust who you
are connected to.

>  So, I would suggest that the best we can hope for from this WG is a set
> of mechanisms that report on resolver options/opinions and some associated
> information that includes who provided the option/opinion and how.
>  <mglt>
I agree.

> Martin
> p.s., Regarding work on the table, I think that it is clear what the
> models are driving draft-btw-add-home, draft-peterson-do[th]-dhcp, and
> draft-pauly-dprive-adaptive-dns-privacy.  I struggle a little with
> draft-mglt-add-rdp in this regard and I would appreciate a little more
> clarity about intent.

I am happy to clarify anything that does not appear to be clear.

The intent is (limited) to enable the discovery resolving services
All resolving services provided by are listed under and selection parameters are provided through SVCB RRsets.

Since you need to start the discovery, we define a repo that
contains resolving domain the dns client may consider for global resolver.
also define a possible way to derive the resolving domain from the local
resolver advertised by the DHCP RA.

Other ways may be defined to communicate resolving domains (DHCP
for example)

Currently the resolving domain take part of the selection by only providing
preference on the resolving service.

Since DNS is used to carry this information it may be requested by a dns
or eventually provided as additional data by a resolver the dns client
interacts with.


> It is possible that draft-reddy-add-server-policy-selection is firmly in
> the authentication space, but it seems to be more firmly aimed at
> communicating policy than I am currently comfortable with right now.
> --
> Add mailing list

Daniel Migault