Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Vittorio Bertola <> Tue, 21 August 2018 15:23 UTC

Date: Tue, 21 Aug 2018 17:23:42 +0200
From: Vittorio Bertola <>
To: Philip Homburg <>,

> On 21 August 2018 at 16:47 Philip Homburg <> wrote:
> > If I got it well, what you are trying to bypass is your ISP's
> > security filter that prevents you from connecting to malware or to
> > illegal content (e.g. intellectual property violations and the
> > likes).
> As a user, I think there is little reason to trust an ISP.
> If you take a mobile device, do you trust every hotel, bar, etc. where you
> may connect to the wifi? Are they all competent? Are you sure none of them will
> violate your privacy?

Sure, roaming at hotels and cafes is a good use case for encrypted DNS, though for many people it is not the typical Internet access situation (not everyone travels to conferences all the time). Most people here in Europe either access the Internet at home or at work through DSL or fiber, or access it on their mobile phone using the mobile operator's data network. In fact, roaming wi-fi connections, while still relevant (especially for international tourists), are getting less and less used, since everyone now gets several gigabytes of EU-wide mobile data per month included with their base mobile fee.

Still, I'm all in favour of encrypting and authenticating DNS connections when you are in that situation. However, this should not be done in a way that breaks many other use cases.

> If you have only a few ISPs to choose from, do you trust that ISP?

How many browsers can I choose from? Definitely far fewer than the possible ISPs, and not a single one from the jurisdiction I live in.

> There are many ISPs that try to do the right thing for their customers.
> There are quite a few ISPs that have court orders to do things that go against the interests of their customers.

Yes, but that's the law. I still don't get how it is possible that the IETF is releasing a technology openly designed to allow people to break the law. In my part of the world, this is ethically unacceptable, and possibly also illegal.

> And there are quite a few ISPs that are positively evil.
> You need to have options in case you can't trust the ISP.

Why would you ever use an ISP that you don't trust and that is positively evil?

> > build a sort of "nuclear bomb" protocol
> > that, if widely adopted, will destroy most of the existing practices
> > in the DNS "ecosystem"
> There is no reason why DoH has to be deployed as a 'nuclear bomb'.

Ok, this is the real issue. There is no reason why, but this is how it is being deployed, starting with Mozilla. And I have yet to see a statement from the DoH community that Mozilla's idea of making DoH the default and disregarding whatever resolver is being configured in the system via DHCP is not a good one. Actually, during the discussions in Montreal there were people talking about centralized DNS operators paying the browser makers to get their DNS traffic, and then monetizing it to get back the money. How this can be presented as "more privacy" is baffling.

Perhaps what we are missing is just a set of policy guidelines on how DoH should be deployed by operators and application developers, though I do not know how you could then enforce them.

> Hosts can still default to using the resolvers offered by DHCP only switching
> to public resolvers when directed by the user.

No, they can't, if the application defaults to its own resolvers, possibly not even letting the user choose different resolvers unless they click into three-level-deep configuration menus.

> The big difference is that when the user does decide to bypass the ISP's
> resolvers, there will be no way for the ISP to interfere.

Good luck explaining that to several hundred governments that rely on mandatory DNS filters to enforce gambling, hate speech and pornography regulation.


Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
Office @ Via Treviso 12, 10144 Torino, Italy