Re: [arch-d] IAB statement on "Avoiding Unintended Harm to Internet Infrastructure"

S Moonesamy <> Sun, 17 November 2019 10:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E059812007A for <>; Sun, 17 Nov 2019 02:49:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.698
X-Spam-Status: No, score=-1.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HDrin218gFjd for <>; Sun, 17 Nov 2019 02:49:41 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A139F120059 for <>; Sun, 17 Nov 2019 02:49:41 -0800 (PST)
Received: from ([]) (authenticated bits=0) by (8.15.2/8.14.5) with ESMTPSA id xAHAn6oI020749 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 17 Nov 2019 02:49:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail; t=1573987777; x=1574074177;; bh=EeWhzO1mWut5ZB9nyZvoSbSUzH9Sji7YEn4+dHgSOMY=; h=Date:To:From:Subject:In-Reply-To:References; b=dokXoXwAzBu4cZnd8XCdF/Qtm8iJBxuokR+NmRe7f74cq+aioQxqdH5sTvQuMEJ/D ct+T2jPuesR/AHjFQTMND/chjBLhdJW7ifeK+LOjl1z3GY2Jcc5FRQAOlmVwPATeKl J+QRjTx/T7odNhlLLJjpIvt6Li1dZDlY/+cM25LU=
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Sun, 17 Nov 2019 02:48:19 -0800
To: Andrew Campling <>,
From: S Moonesamy <>
In-Reply-To: <LO2P265MB0573C0D8F8D9D7ECF4E472AFC2760@LO2P265MB0573.GBRP2 65.PROD.OUTLOOK.COM>
References: <LO2P265MB0573C0D8F8D9D7ECF4E472AFC2760@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Archived-At: <>
Subject: Re: [arch-d] IAB statement on "Avoiding Unintended Harm to Internet Infrastructure"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 17 Nov 2019 10:49:43 -0000

At 10:53 PM 12-11-2019, Andrew Campling wrote:
>In the DNS section, it is disheartening to read the IAB stating that 
>"[a DNS resolver] returning the wrong (or no) address breaks the 
>trust that users have in this infrastructure", after having spent 
>months on the ADD list and elsewhere to explain that there are 
>indeed lots of use cases in which users expect, or even actively 
>request, that their resolver applies filters to the responses. In 
>some cases it is actually the opposite - if I acquire a DNS-based 
>service to prevent any accidental connection to malware-infected 
>websites and then I get malware, that's when I lose trust in my DNS 
>resolver; same for parental controls.

The position, in the past, was that it was important to preserve the 
chain of trust instead of allowing someone along the path to change 
the information published in DNS.  There are use cases where the 
changes are done for valid reasons, e.g. the user does not wish to 
download malware.  What are the unintended consequences of supporting 
such cases?

S, Moonesamy