Re: [DNSOP] my dnse vision

Olafur Gudmundsson <> Wed, 05 March 2014 12:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 570561A00A2 for <>; Wed, 5 Mar 2014 04:52:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id duBaWHGxh3Nn for <>; Wed, 5 Mar 2014 04:52:05 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 70FD41A0121 for <>; Wed, 5 Mar 2014 04:52:04 -0800 (PST)
Received: from localhost (localhost.localdomain []) by (SMTP Server) with ESMTP id 167251C0196; Wed, 5 Mar 2014 07:51:51 -0500 (EST)
X-Virus-Scanned: OK
Received: by (Authenticated sender: with ESMTPSA id 6C5E11C0543; Wed, 5 Mar 2014 07:51:50 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Olafur Gudmundsson <>
In-Reply-To: <>
Date: Wed, 5 Mar 2014 12:51:52 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Francis Dupont <>
X-Mailer: Apple Mail (2.1510)
Subject: Re: [DNSOP] my dnse vision
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 05 Mar 2014 12:52:06 -0000

On Mar 5, 2014, at 11:07 AM, Francis Dupont <> wrote:

>> From discussions with Stephane Bortzmeyer and Mark Andrews...
> First I come back to the fact there are two different problems
> (aka divide and conquer):
> * stubs <-> resolver
> * resolver <-> auth servers
> I consider the first one to be already solved, cf. the Microsoft
> deployed solution which puts clients, local networks, the resolver
> (also the Microsoft Domain Server :-), in the same area and uses
> IPsec to protect it. You can do other ways but IMHO we can assume
> you don't need confidentiality with far or untrusted resolvers.
> Or with other words you don't need confidentiality with

I strongly disagree, my hotel list as one of the resolvers available on the 
network, the answers from the  there are nothing like the answers I get from on the IETF network. 
I NEED confidence that I'm talking to the real if the only way to get that is 
encryption then I support it. 

I'm not sure if Microsoft solution works when one attaches to new networks like the IETF network. 

The stub <--> recursive [validating] resolver 

is the one more important to protect as the that is where it is easier to lie. 

On the other one 
recursive resolver <--->  auth servers 
 I would prefer that before we start talking about encryption is we agree on 
label stripping by recursive resolvers as that minimizes the leak of information to 
root/tld servers.