Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Ebersman <> Sun, 19 August 2018 20:04 UTC

From: Paul Ebersman <>
To: Ted Lemon <>
cc: dnsop WG <>
Comments: In-reply-to Ted Lemon <> message dated "Sun, 19 Aug 2018 15:28:30 -0400."
Date: Sun, 19 Aug 2018 14:04:30 -0600
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers

mellon> Think about DHCP providing an SMTP server address. Does that
mellon> make sense?

That doesn't. But DHCP already hands out DNS servers. You are already
trusting the DHCP server to give you default gateway and DNS server (or
you are choosing not to use DHCP).

Take the use case of a coffee house or wireless hotspot. I think that it
would be an improvement in privacy to not allow anyone there to sniff
DNS packets because the owner of the network uses DoH for their
recursive resolver. I'm already trusting the network for default gateway
and most users would trust the DNS servers handed via DHCP. So no huge
new leap of trust and improved privacy. Seems like a win.

Why not allow network operators that option via a new DHCP option? You
don't have to use it but it would be a good choice for some.
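To make the trust argument above concrete: a DHCP client already accepts the default gateway (option 3) and the DNS servers (option 6) from the same untrusted offer, so a resolver hint for DoH would ride in the same TLV stream under the same trust. The following is an added example, not code from this thread or from any draft; it parses a DHCPv4 options field and decodes the existing router and DNS-server options alongside a hypothetical option carrying a DoH URI. Option code 224 is an assumption chosen from the private-use range (224-254), not an assigned code, and the offer bytes are constructed for the example.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional

OPT_PAD = 0
OPT_ROUTER = 3          # default gateway(s), already trusted from DHCP
OPT_DNS_SERVERS = 6     # recursive resolver(s), already trusted from DHCP
OPT_END = 255
# Hypothetical option carrying a DoH URI template. 224-254 are the
# private-use DHCP option codes; 224 is an assumption for this example,
# not an IANA-assigned code.
OPT_DOH_URI_HYPOTHETICAL = 224


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Split a DHCPv4 options field into {code: value}.

    Repeated option codes are concatenated (RFC 3396 long-option
    splitting). A truncated option raises ValueError so a malformed
    offer is rejected rather than silently misparsed.
    """
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: missing length byte")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"option {code}: truncated, want {length} bytes, have {len(value)}"
            )
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def _ipv4_list(value: bytes, code: int) -> List[str]:
    """Decode a concatenated list of IPv4 addresses (4 bytes each)."""
    if not value or len(value) % 4 != 0:
        raise ValueError(f"option {code}: length {len(value)} is not a multiple of 4")
    return [str(IPv4Address(value[k : k + 4])) for k in range(0, len(value), 4)]


def network_config(opts: Dict[int, bytes]) -> Dict[str, object]:
    """Pull the gateway, resolver addresses and (hypothetical) DoH URI
    out of parsed options. All three come from the same DHCP offer, so
    they share one trust boundary: the network operator."""
    cfg: Dict[str, object] = {"routers": [], "dns_servers": [], "doh_uri": None}
    if OPT_ROUTER in opts:
        cfg["routers"] = _ipv4_list(opts[OPT_ROUTER], OPT_ROUTER)
    if OPT_DNS_SERVERS in opts:
        cfg["dns_servers"] = _ipv4_list(opts[OPT_DNS_SERVERS], OPT_DNS_SERVERS)
    if OPT_DOH_URI_HYPOTHETICAL in opts:
        uri = opts[OPT_DOH_URI_HYPOTHETICAL].decode("ascii", errors="strict")
        # DoH is HTTPS only; anything else would downgrade the privacy
        # gain that motivates the option in the first place.
        if not uri.startswith("https://"):
            raise ValueError(f"DoH URI must be https://, got {uri!r}")
        cfg["doh_uri"] = uri
    return cfg


def _opt(code: int, value: bytes) -> bytes:
    """Encode one TLV option."""
    return bytes([code, len(value)]) + value


# Constructed sample offer: gateway, two resolvers, and the hypothetical
# DoH option deliberately split across two instances to exercise the
# RFC 3396 concatenation rule. Addresses are from the 192.0.2.0/24
# documentation range.
SAMPLE_OPTIONS: bytes = (
    _opt(OPT_ROUTER, IPv4Address("192.0.2.1").packed)
    + _opt(OPT_DNS_SERVERS, IPv4Address("192.0.2.53").packed + IPv4Address("192.0.2.54").packed)
    + _opt(OPT_DOH_URI_HYPOTHETICAL, b"https://doh.exam")
    + _opt(OPT_DOH_URI_HYPOTHETICAL, b"ple.net/dns-query")
    + b"\x00\x00"
    + bytes([OPT_END])
)


if __name__ == "__main__":
    print(network_config(parse_dhcp_options(SAMPLE_OPTIONS)))
```

The parser treats a truncated option as a hard error rather than using whatever bytes are present; a client that silently accepts partial options hands an on-path attacker a cheap way to steer resolver selection.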