Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Joe Abley <> Mon, 20 August 2018 15:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 73D25130FF0 for <>; Mon, 20 Aug 2018 08:41:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bnxeNh8Zz5uI for <>; Mon, 20 Aug 2018 08:41:22 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DC7D5130FEB for <>; Mon, 20 Aug 2018 08:41:21 -0700 (PDT)
Received: by with SMTP id h8-v6so518827pgs.4 for <>; Mon, 20 Aug 2018 08:41:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=08W6rf24Icu/P+ixIA9bBAOfby0qYdpeXy6fUxvs1WQ=; b=DWmCQt/mTR53mqt2PnrcB0uCneP8OelFE7MBvSHDWDHzvJRM6CEsoOwxumbbizT3vk QIeU2VDXakc3ozSaqfDEDHneBgTyfZ2SBxvG/bpA54bOyt7UPls8Vt4dfxYobmKKlVUS 7yYZJkYAjjc6YqJ4SJoB+RBUnz2lMpVWHW+94=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=08W6rf24Icu/P+ixIA9bBAOfby0qYdpeXy6fUxvs1WQ=; b=ZKatJ08mFb5dS9wJsMk5kvapVCbrfEZ3oi/OYsmpwG4nKnQXdTFIzHxZ38EtdxK7Ph rpvn9FgxCgEdrfxYni5QAsf4JM+KxL5RD6T1Re+7U9knCLmWEmyYh/WIPVK+lCbFElve PHv1x7JwwjS4XTMCgFdi45tq9BRZThgovPY5kwtk2EbH+hh2tRcFvACZPbLL79z2vV6R TnKQDlPFSuErCP0wGnKYbi/TuORiBIHoQBT+gK81jrVxSYF+GKJPtm+ETWJRiXDMV0Sl iu0A044yJiIS951lAVO7Xn62LBiRAoKTiFeOlJ4NUba5JQHegYDjNN8D9of1ZMEg2U9m y4hQ==
X-Gm-Message-State: AOUpUlHGTHi5e9nGtjprVui9C3S4fpepHs7v8y8J5NXW8hwJrxADNvqD JR0z/CdMRAbWdMf6s+ZG3Qntnu+RFjI=
X-Google-Smtp-Source: AA+uWPwCqV5SGO3YRgLIb/tHtKcgQZx7T3/HuY0+GQ6le/QAnSjYVGeCM85dYXFDTu4hvdQuTgjjvQ==
X-Received: by 2002:a63:67c3:: with SMTP id b186-v6mr43815470pgc.5.1534779681190; Mon, 20 Aug 2018 08:41:21 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:101:3:e510:137d:bc64:7f84? ( [2607:f2c0:101:3:e510:137d:bc64:7f84]) by with ESMTPSA id 143-v6sm18189118pfy.156.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 20 Aug 2018 08:41:19 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Joe Abley <>
X-Mailer: iPad Mail (15G77)
In-Reply-To: <>
Date: Mon, 20 Aug 2018 11:41:16 -0400
Cc: Doug Barton <>,
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <>
To: Vittorio Bertola <>
Archived-At: <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Aug 2018 15:41:31 -0000

On Aug 20, 2018, at 07:48, Vittorio Bertola <> wrote:

>> Il 19 agosto 2018 alle 19.02 Doug Barton <> ha scritto:
>> And Jason, you missed a threat model, which is users who want to bypass their ISP's resolver.
> I think that there should be a lot more attention to this "use case" in this discussion. It seems to me that the designers of DoH have in their minds a romantic picture of the dissident in some authoritarian country trying to escape censorship and save her own life, so that being able to bypass the local ISP, obviously run by evil government cronies, would be a good thing. 
> However, in most of the world, the reality is that the biggest motivation for people to try bypassing the ISP's resolver is to access illegal Web content that has been filtered out at the DNS level, such as unauthorized gambling websites, illegal pornography, "free" football live streams (which are usually full of malware), etc. - not to mention bots trying to contact their command and control server without incurring into RPZ-based filtering.

These are the same use-case, just viewed with different bias.