Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Ted Lemon <> Tue, 21 August 2018 16:10 UTC

From: Ted Lemon <>
Date: Tue, 21 Aug 2018 12:09:15 -0400
Message-ID: <>
To: Vittorio Bertola <>
Cc: Philip Homburg <>, dnsop WG <>

On Tue, Aug 21, 2018 at 11:23 AM, Vittorio Bertola <> wrote:

> Still, I'm all in favour of encrypting and authenticating DNS connections
> when you are in that situation. However, this should not be done in a way
> that breaks many other use cases.

How do we know when we are in that situation and not in some other
situation?   I think this is a solvable problem, but we have to say what
the solution is.   That's what I've been advocating for here.

> Yes, but that's the law. I still don't get how it is possible that the IETF
> is releasing a technology openly designed to allow people to break the law.
> In my part of the world, this is ethically unacceptable, and possibly also
> illegal.

It's illegal in some countries for women to drive.   Should we stop making
cars?   Is it ethically unacceptable to make cars because women might use
them to violate this law in jurisdictions where it exists?

> Why would you ever use an ISP that you don't trust and that is positively
> evil?

There is often no alternative.

> Ok, this is the real issue. There is no reason why, but this is how it is
> being deployed, starting with Mozilla. And I have yet to see a statement
> from the DoH community that Mozilla's idea of making DoH the default and
> disregarding whatever resolver is being configured in the system via DHCP
> is not a good one. Actually, during the discussions in Montreal there were
> people talking about centralized DNS operators paying the browser makers to
> get their DNS traffic, and then monetizing it to get back the money. How
> this can be presented as "more privacy" is baffling.

The DoH community does not have consensus on this, so it can't make a
statement about it.

> Perhaps what we are missing is just a set of policy guidelines on how DoH
> should be deployed by operators and application developers, though I do not
> know how you could then enforce them.

We can't write a set of policy guidelines.   That's an issue that will vary
by jurisdiction.   What we can do is document the threat model, document
the use cases, and talk about how to address them.