Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie <paul@redbarn.org> Mon, 20 August 2018 00:10 UTC


i think a good modern stub should have several settings that are missing 
in today's stable of internet endpoints.

"these are my preferred servers, even when dhcp tells me otherwise"

"if there's a tcp/853 trust path available, and it works, prefer it"

"if my preferred servers can't be reached i do/don't want to follow dhcp"

"if dhcp doesn't give me working servers, try these global ones instead"

the lack of these knobs today should not inform our debate as to whether 
to add dhcp elements to support tcp/853. rather, they are a separate 
problem -- just as dhcp authentication is a separate problem.
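The four knobs above, expressed as a stub-resolver upstream-selection policy; this is an added example, not part of the message or of any real stub. The probe callback, the reachability table and the documentation-range addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Ports as named in the message: tcp/853 is DNS over TLS, 53 is classic DNS.
DOT_PORT = 853
DO53_PORT = 53

@dataclass
class StubPolicy:
    """The four knobs from the message, as a hypothetical stub-resolver config."""
    preferred: list            # "these are my preferred servers, even when dhcp tells me otherwise"
    global_fallback: list      # "if dhcp doesn't give me working servers, try these global ones"
    follow_dhcp_on_failure: bool = True  # "if my preferred servers can't be reached i do/don't want to follow dhcp"
    prefer_dot: bool = True    # "if there's a tcp/853 trust path available, and it works, prefer it"

# probe(server, port) -> True when a test query over that transport succeeds
# (for tcp/853 that should also mean the TLS handshake authenticated the server).
Probe = Callable[[str, int], bool]

def select_upstream(policy: StubPolicy, dhcp_servers: list, probe: Probe) -> Optional[tuple]:
    """Return (server, port) of the first working upstream under the policy, or None."""
    tiers = [policy.preferred]
    # DHCP-learned servers are consulted only if the user allows it, or if no
    # preferred servers were configured at all.
    if policy.follow_dhcp_on_failure or not policy.preferred:
        tiers.append(dhcp_servers)
    tiers.append(policy.global_fallback)
    for tier in tiers:
        # Within a tier, a working tcp/853 path on any server beats plain 53 on any.
        if policy.prefer_dot:
            for server in tier:
                if probe(server, DOT_PORT):
                    return (server, DOT_PORT)
        for server in tier:
            if probe(server, DO53_PORT):
                return (server, DO53_PORT)
    return None

# Constructed reachability table standing in for real probes (documentation addresses).
REACHABLE = {
    ("192.0.2.1", 853): False, ("192.0.2.1", 53): False,         # preferred server is down
    ("198.51.100.53", 853): False, ("198.51.100.53", 53): True,  # dhcp server: plain DNS only
    ("203.0.113.1", 853): True, ("203.0.113.1", 53): True,       # global fallback speaks DoT
}

def table_probe(server: str, port: int) -> bool:
    return REACHABLE.get((server, port), False)

def demo(follow_dhcp: bool) -> Optional[tuple]:
    policy = StubPolicy(preferred=["192.0.2.1"], global_fallback=["203.0.113.1"],
                        follow_dhcp_on_failure=follow_dhcp)
    return select_upstream(policy, ["198.51.100.53"], table_probe)
```

With the preferred server down, `demo(True)` lands on the DHCP server over plain 53, while `demo(False)` skips DHCP entirely and reaches the global fallback over tcp/853.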