Re: [Add] My principles for discovery

Ben Schwartz <> Wed, 25 March 2020 18:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 908AB3A09E1 for <>; Wed, 25 Mar 2020 11:40:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tdrtqrZSoOlt for <>; Wed, 25 Mar 2020 11:40:53 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 708393A09CE for <>; Wed, 25 Mar 2020 11:40:48 -0700 (PDT)
Received: by with SMTP id g62so4038021wme.1 for <>; Wed, 25 Mar 2020 11:40:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8IUfyipmKgGTTla88RrR1k/r3yh/P87/YVwhEO5E9Xs=; b=OtrcHrJIi5e+NLryYYiPInEuKvimMRb5lNCey4u9tcUml7Al8HlxyljRnAxeI9q41W 1ymLJc2orwSES8lkWv1enK/xkH1xcBK1hps1gSE5LqjiSfkcNHEvVIBFtrj85bQq7l0Y dRfkcZPbvgXcnP0Ab48RESfPOtXlV5u17B37xj5bwVjLD15aKcdVXtJwMUyLxLTDgiJA 7A0IMbvgsh9VVIKskXXgSN5Cmo1WCaPON/A0afM7lOJxb7idW5pI4whmi7KJaXPg8CCe tZCzv7hoTrN1aCNCVsCmbZqxeq2faP6ceAP9fSs6EirNns3O8QwdblnsYeQMnOog4Y8P anWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8IUfyipmKgGTTla88RrR1k/r3yh/P87/YVwhEO5E9Xs=; b=PDhawyzXzdxJ4up9VXyMPJIVBTcT/5ygWb0RgXRODMCAVj2gFlRtsDxalip7ER0Q+K 9lSuVl4MOLVt8A2bH/T8gHlRs5yqgdR8kpCxClncEn87tzq2rM2c3uOjzEi2D+g50u6V HZ6tmLKM3cnTCjsLpqQND4vMAeND2ezG2bnwqUpblg8BB/Osi7G1mhg7VaLF0ALVrp1x FwpVE+FSp+grpeBW0mGPy5gYZWquVeAECxFMrhZrIRt2STo+nhXbAXY2UiXgneA4IGJA /MlMQVDEHEzqD2kzauSFPMeCS3IfxW4sKOhnhWocCxgs3Pv+G3hUfH9n0MzH660PTSnM qEFw==
X-Gm-Message-State: ANhLgQ1GRTgal/SiV6XcebNoZ+b32X4rUhM3yEtz/I1jMCq2BA8syxbL +Jv76wZGnC2LuaoGfvfjae6RdFp7ADjZP6p/vpuQZA==
X-Google-Smtp-Source: ADFU+vvUiS7G267KhqX+cR6JW5Drob9IVu1W9IWMSwcL0ZbuE1dISTsEIhi1XogmBd5tFMYhIOc5q/eoqAKPjAn7LjA=
X-Received: by 2002:a1c:197:: with SMTP id 145mr4664436wmb.42.1585161645541; Wed, 25 Mar 2020 11:40:45 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Ben Schwartz <>
Date: Wed, 25 Mar 2020 14:40:33 -0400
Message-ID: <>
To: Vittorio Bertola <>
Cc: Martin Thomson <>, ADD Mailing list <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000d461ec05a1b23465"
Archived-At: <>
Subject: Re: [Add] My principles for discovery
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Mar 2020 18:40:59 -0000

On Wed, Mar 25, 2020 at 3:33 AM Vittorio Bertola <vittorio.bertola=> wrote:

> > Il 25/03/2020 05:36 Martin Thomson <> ha scritto:
> >
> >
> > As I raised this in the meeting, I think that it's only fair that I
> include what I think the principles should be.
> >
> > In short, I believe that any entity that you interact with should be
> able to present their views on what resolver you should use.  Client policy
> will then dictate which - if any - of those is used.
> I don't necessarily disagree with the approach, but there is a question to
> which I need a very convincing answer first.
> "Any entity you interact with" already has a way to tell you - even force
> you - to use a name server they control to effect resolution of their
> domain names. It's called "authoritative name server".
> It seems to me that the model that especially draft-pauly is proposing -
> i.e. every destination pointing the client to a resolver that the
> destination controls - is functionally equivalent, in terms of who gets to
> see which information, to eliminating the concept of an external resolver
> and having the end-user device implement and run a full resolver on its own.
> This, as per Tommy's reply to the question I made at IETF 106, would
> increase privacy because the resolution process would not provide data to
> any other party than the "final destination", which would anyway get it
> when the following HTTPS connection happens. (The fact that the two sets of
> data are actually the same has been challenged yesterday in the Jabber
> chat, but that's another discussion.)
> I assume that this is also what you are envisaging, since the alternative
> - every destination pointing the client to a resolver which they don't
> control, but with which they have commercial or other agreements - opens up
> the potential for much heavier security threat, centralization and
> surveillance scenarios than it is ever possible today, so I would expect it
> to be ruled out much like other out-of-same-origin practices.

I don't think this is a meaningful distinction.  Authoritative nameserver
operations are commonly outsourced and heavily consolidated today, just as
web hosting is commonly outsourced to large CDNs.  There's certainly no
"out-of-same-origin" rule that prevents using a CDN!

> So - why do we need to develop all this complex machinery just to let
> destinations indicate some kind of resolver that does the same thing that
> their authoritative already does? What's the difference with just
> implementing a full resolver in the client?

I actually agree, at least in part: as our proposals develop, we should try
to harmonize them with the work to encrypt recursive->authoritative DNS
queries.  Perhaps we will be able to build encrypted stub, recursive, and
hybrid resolvers from a small set of shared components.

> --
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> Office @ Via Treviso 12, 10144 Torino, Italy
> --
> Add mailing list