Re: [DNSOP] Draft for dynamic discovery of secure resolvers

manu tman <> Sun, 19 August 2018 06:42 UTC


I am going to focus back on the draft itself. While the discussion around
centralizing DNS to 3rd party vs local ISP (or any other alternatives) is
worth having, it is a fact that most people get their DNS server set using
the current state is that all you will get are addresses that you can use
to query DNS over port 53.

With the advent of recursive DNS servers that can support encryption, it
will be useful to signal that to the stub resolver. Some ISPs may want to
provision their CPE to advertise DoT to their recursive resolvers with cert
pinning. Other ISPs in regions that heavily offload their DNS to so X.X.X.X
provider would be able to let their customers use the service from such
providers, but over an encrypted channel. "Power users" may want to
configure their home router to publish a set of DNS servers to be used
using DoT or DoH.
This is definitely not a bulletproof solution, but it seems better than
what we currently have and with minimal protocol change (just adding an
The way I read this, the network owner that in the past would have made the
hosts in their network use unencrypted DNS will now be able to easily
promote encrypted DNS.

As for feedback on the draft options:
- Section 2.3: Why does DoH have no option data? The IP from the DNS recursive
name server option merely provides an IP to connect to. A DoH server may have
a cert that will validate for a hostname. The endpoint may or may not be
/dns-query. How about alternate ports? It seems having the URI as part
of the data would be useful (e.g. https://2001:DB8::1/doh ...)
- The draft as is assumes that port 853 will be used for DoT, 443 for DoH.
Being able to provide alternate ports could be a plus.
- It is not clear to me if the options apply to all nameservers from the
DNS recursive nameserver option, or if there needs to be 1 option for each
nameserver. I could for instance have nameserver1 which does DoT + DoH
while nameserver2 does none. In this case, I would get option 147 with
option len of 2 for the first server, followed by option 147 with option
len of 0 for the second one.
- A DHCP option should be able to be set multiple times, so one can
configure TLS_SPKI with multiple values. May be useful for rotations and


On Sat, Aug 18, 2018 at 2:17 PM Marek Vavruša <mvavrusa=> wrote:

> Hi,
> this is a bit off topic, but I figured it would be useful to solicit
> some early feedback. The current status is that for secure (as in
> RFC7858 DoT or DoH) resolvers there's no discovery mechanism,
> and it's also out of scope for [0]. At the same time we're seeing real
> world deployment of clients which either:
> a) Probe port 853 and use DoT in opportunistic profile, or probe 443
> and trust WebPKI
> b) Statically configure ADN and/or SPKI pins with well known public
> resolvers
> This approach works if there's someone maintaining the statically
> configured information, as with the dnscrypt-proxy stamp lists [1].
> However in most networks the default resolver configuration is pushed
> through DHCP, so it's the network operator that's in charge of
> providing default DNS resolver configuration (unless the user is a DNS
> aficionado and overrides it), but there's currently no good way to
> provide information required to identify and securely bootstrap a
> connection to a resolver using DoT or DoH.
> This draft adds an option to provide a capability list for each
> configured resolver. The three defined capabilities are TLS with SPKI
> pin, TLS with ADN, HTTPS. The idea is that DHCP clients read this
> information and stores it similarly to resolver list and domain search
> path for applications to read. Another possible solution for this is
> to use the system of stamps from dnscrypt-proxy, but it's probably
> less legible for clients and duplicates information that's already in
> the recursive DNS nameservers DHCPv4/v6 option.
> The draft does not change the trust model, an end-user or an
> application can still disregard DNS recursive nameserver list from
> DHCP, for better or worse.
> Here's the draft:
> Marek
> [0]:
> [1]:
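The thread discusses a DHCP option that carries a capability list (TLS with SPKI pin, TLS with ADN, HTTPS) for each resolver in the recursive nameserver option, and manu's reply raises two parsing questions: how a client pairs the i-th capability option with the i-th nameserver (including an empty option for a server with no secure transport), and how multiple SPKI pins for rotation are carried. The following Python is an added example written for this page, not code from the draft or from either poster. The wire format is entirely assumed for illustration: DHCPv4 option 6 is the real Domain Name Server option, option 147 is used as the hypothetical capability option only because manu's message uses that number, and each capability is a hypothetical code/length/value triple. The pins and addresses are constructed sample data.

```python
"""Toy encoder/decoder for a per-resolver capability DHCP option.

Assumptions (none of this is the draft's actual wire format):
- DHCPv4 option 6 (Domain Name Server, RFC 2132) lists resolver IPv4 addresses.
- Hypothetical option 147 appears once per resolver, in option-6 order; an
  option 147 with length 0 means "plain port 53 only".
- Capabilities inside option 147 are TLV: 1-byte code, 1-byte length, value.
  Code 1 = TLS_SPKI (32-byte SHA-256 SPKI pin, may repeat for rotation),
  code 2 = TLS_ADN (authentication domain name), code 3 = HTTPS (URI, may be
  empty, in which case the client assumes https://<ip>/dns-query).
"""
import hashlib
import ipaddress
import struct

OPT_DNS_SERVERS = 6       # real DHCPv4 option code
OPT_RESOLVER_CAPS = 147   # hypothetical, number taken from the thread
CAP_TLS_SPKI, CAP_TLS_ADN, CAP_HTTPS = 1, 2, 3


def encode_options(resolvers, caps_per_resolver):
    """Serialise option 6 followed by one hypothetical option 147 per resolver."""
    out = bytearray()
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in resolvers)
    out += struct.pack("BB", OPT_DNS_SERVERS, len(addrs)) + addrs
    for caps in caps_per_resolver:
        body = bytearray()
        for code, value in caps:
            if len(value) > 255:
                raise ValueError("capability value too long")
            body += struct.pack("BB", code, len(value)) + value
        if len(body) > 255:
            raise ValueError("capability list too long for one DHCPv4 option")
        out += struct.pack("BB", OPT_RESOLVER_CAPS, len(body)) + body
    out += b"\xff"  # DHCPv4 End option
    return bytes(out)


def parse_tlv(data, stop_at_end=False):
    """Generic 1-byte code / 1-byte length / value parser with bounds checks.
    With stop_at_end=True it also honours DHCPv4 Pad (0) and End (255)."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == 255:
            break
        if stop_at_end and code == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value")
        items.append((code, value))
        i += 2 + length
    return items


def resolver_plan(data):
    """Pair the i-th option 147 with the i-th resolver and decide how a stub
    should reach each one. Refuses to guess when the counts disagree, since
    attaching a pin to the wrong server would silently break validation."""
    servers, cap_options = [], []
    for code, value in parse_tlv(data, stop_at_end=True):
        if code == OPT_DNS_SERVERS:
            if len(value) % 4:
                raise ValueError("option 6 length not a multiple of 4")
            servers += [str(ipaddress.IPv4Address(value[k:k + 4]))
                        for k in range(0, len(value), 4)]
        elif code == OPT_RESOLVER_CAPS:
            cap_options.append(parse_tlv(value))
    if cap_options and len(cap_options) != len(servers):
        raise ValueError(f"{len(cap_options)} capability options for {len(servers)} resolvers")

    plan = []
    for idx, ip in enumerate(servers):
        entry = {"ip": ip, "transports": [], "spki_pins": [], "adn": None, "doh_uri": None}
        for code, value in (cap_options[idx] if cap_options else []):
            if code == CAP_TLS_SPKI:
                if len(value) != 32:
                    raise ValueError("SPKI pin must be a 32-byte SHA-256 digest")
                entry["spki_pins"].append(value.hex())
                entry["transports"].append("DoT")
            elif code == CAP_TLS_ADN:
                entry["adn"] = value.decode("ascii")
                entry["transports"].append("DoT")
            elif code == CAP_HTTPS:
                entry["doh_uri"] = value.decode("ascii") or f"https://{ip}/dns-query"
                entry["transports"].append("DoH")
            # unknown codes are ignored so later capability additions do not break clients
        entry["transports"] = sorted(set(entry["transports"])) or ["Do53"]
        plan.append(entry)
    return plan


def build_sample():
    """Constructed sample: nameserver1 does DoT (two pins, for rotation) + DoH,
    nameserver2 advertises nothing, mirroring the case in manu's message."""
    pin_a = hashlib.sha256(b"constructed pin A").digest()
    pin_b = hashlib.sha256(b"constructed pin B").digest()
    return encode_options(
        ["192.0.2.1", "192.0.2.2"],
        [[(CAP_TLS_SPKI, pin_a), (CAP_TLS_SPKI, pin_b), (CAP_HTTPS, b"")], []],
    )


if __name__ == "__main__":
    for entry in resolver_plan(build_sample()):
        print(entry)
```

The count check in `resolver_plan` is the behaviour a client needs if the draft settles on one option per resolver: a mismatch between option 6 entries and option 147 occurrences is ambiguous, and falling back to plain port 53 or pairing by guesswork would defeat the pin.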